Need help to enable autosign
-
Hi!
I wanted to enable autosign and ran into an issue I can not solve.
I set the .gnupg folder for the git user:
export GNUPGHOME=/app/data/appdata/home/.gnupg
created keys and everything. But: the moment Gitea wants to sign a commit it fails, as I have no possibility to set GNUPGHOME.
Maybe anyone has an idea.
-
@jaschaezra we may have to add support for that in the packaging then. Do you have a link to a tutorial or docs on how to setup the auto-signing?
-
@nebulon That would be great.
There is no real tutorial, the documentation is quite... vague. It is here: https://docs.gitea.io/en-us/signing/
What needs to be done (and is not written down in the documentation): create a password-less key.
I normally do it like this:
Change to the git user (su git).
Create the file 'genkey-batch':
%no-protection
Key-Type: default
Subkey-Type: default
Name-Real: Gitea
Name-Email: git@GITEADOMAIN
Expire-Date: 0
Execute key generation:
gpg --batch --gen-key genkey-batch
The key will be added to the keychain which resides in /home/$USER/.gnupg
You can change this with
export GNUPGHOME=/app/data/appdata/home/.gnupg
In the app.ini you need to add the following:
[repository.signing]
SIGNING_KEY = default
SIGNING_NAME = Gitea
SIGNING_EMAIL = git@GITEADOMAIN
INITIAL_COMMIT = always
CRUD_ACTIONS = pubkey, twofa, parentsigned
WIKI = never
MERGES = pubkey, twofa, basesigned, commitssigned
The last three entries can and should be configured by the Gitea instance owner, depending on what should be auto-signed.
The only thing which needs to be changed, if you do it like I did, is to add
export GNUPGHOME=/app/data/appdata/home/.gnupg
to the shell environment. Then it works (well, it did on my old server with other paths, but it worked :))
The only thing I would do if I packaged it would be to add GNUPGHOME as standard and add a note in the documentation on how to enable autosign.
-
Thanks for the detailed description. I have changed the package to allow adding the keys and set the GNUPGHOME (this change is not published yet). It all seems fine, but I am not sure how to test or check if the signing actually was performed. Also, do I have to set something for a git repository in Gitea specifically to make it sign the commits?
-
@nebulon I would love to test it.
When you create a repository and init it from the web frontend, then this commit is signed by Gitea. So in fact all the things you do in the web frontend.
These settings
INITIAL_COMMIT = always
CRUD_ACTIONS = pubkey, twofa, parentsigned
say: always sign the initial commit. Sign every other commit if the user has set a pub key OR enabled TFA or if the parent commit is signed. Hope that helps.
-
@jaschaezra the change is quite small https://git.cloudron.io/cloudron/gitea-app/-/commit/32eebcff8fd7c095d4e88cba396e693cb12bfbbe
It would be great if you could test this. Basically checkout the app package repo and run
cloudron build && cloudron install
in the folder, granted you have the cloudron cli tool installed and configured for your Cloudron already.
-
@jaschaezra seems like you already have an instance using the default port there. Try to run
cloudron install -p
for an interactive way to set a different port.
@jaschaezra there is no time pressure at all. Hope you get your system back up again though. If it is Cloudron related, let us know of course.
-
@jaschaezra thanks for testing and confirming the fix. I have pushed a new package now.
-
@nebulon I just want to add some screenshots I just made because I forgot to create them.
This is how you'll see it in the repository:
When you take a look at the commit:
The name is set in app.ini
For the key-creation:
It is much easier to do it like this:
gpg --default-new-key-algo rsa4096 --gen-key
then enter the name, the email (git@DOMAIN) and NO password!
That's it.
-
@jaschaezra BTW, you can set a Gravatar/Libravatar for git@DOMAIN and upload e.g. the gitea Logo which then is displayed.
-
This is odd - after working for a looong time I suddenly get this error when creating a repository and initializing it:
CreatePost, initRepository: initRepoCommit: git commit: exit status 128 - error: gpg failed to sign the data fatal: failed to write commit object - error: gpg failed to sign the data fatal: failed to write commit object
I first thought that maybe the key is gone. By checking this I found that:
root@0f44f577-d0e0-42e6-a371-d3914aba0014:/home/git# sudo -u git gpg --list-keys
gpg: Fatal: can't create directory '/home/git/.gnupg': Read-only file system
root@0f44f577-d0e0-42e6-a371-d3914aba0014:/home/git#
I have not changed anything and I do not know when this happened as I was not using my git for the last ~9 months.
Any idea what is going on @nebulon?
-
@nebulon I now get a new error:
root@0f44f577-d0e0-42e6-a371-d3914aba0014:/home/git# sudo -u git bash
git@0f44f577-d0e0-42e6-a371-d3914aba0014:~$ export GNUPGHOME=/app/data/appdata/home/.gnupg
git@0f44f577-d0e0-42e6-a371-d3914aba0014:~$ gpg --list-keys
gpg: WARNING: unsafe permissions on homedir '/app/data/appdata/home/.gnupg'
git@0f44f577-d0e0-42e6-a371-d3914aba0014:~$
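The key-generation steps from the thread, the open question of how to check that a commit really was signed, and the "unsafe permissions on homedir" warning just above, pulled together as an added shell example (not from the thread or the Cloudron package). It assumes gpg and git are on PATH for the run mode; the throwaway test repo under mktemp and the use of `git verify-commit` as the check are my choices.

```shell
#!/bin/sh
# Added example (not from the thread): prepare GNUPGHOME for the git user,
# generate the password-less key and check that signing really works.
set -eu

GNUPGHOME="${GNUPGHOME:-/app/data/appdata/home/.gnupg}"
export GNUPGHOME

# gpg warns about "unsafe permissions on homedir" when the directory is
# group- or world-accessible; make it 0700 and return 0 only if that holds.
ensure_gnupghome() {
    dir="$1"
    mkdir -p "$dir"
    chmod 700 "$dir"
    [ -n "$(find "$dir" -prune -perm 700)" ]
}

# Write the unattended key-generation batch file (one directive per line).
write_genkey_batch() {
    out="$1"; email="$2"
    printf '%s\n' '%no-protection' 'Key-Type: default' 'Subkey-Type: default' \
        'Name-Real: Gitea' "Name-Email: $email" 'Expire-Date: 0' > "$out"
    grep -q '^%no-protection$' "$out"
}

# Generate the key non-interactively into GNUPGHOME (needs gpg on PATH).
generate_key() {
    gpg --batch --gen-key "$1"
}

# Did a commit actually get signed? Make a throwaway repo (assumed location:
# mktemp), commit with -S as the signing identity and let git verify it.
verify_signing() {
    email="$1"
    tmp="$(mktemp -d)"
    git -C "$tmp" init -q
    git -C "$tmp" -c user.name=Gitea -c "user.email=$email" \
        -c "user.signingkey=$email" commit -q -S --allow-empty -m "signing check"
    if git -C "$tmp" verify-commit HEAD 2>/dev/null; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return "$rc"
}

case "${1:-}" in
    run)
        ensure_gnupghome "$GNUPGHOME"
        write_genkey_batch "$GNUPGHOME/genkey-batch" "git@GITEADOMAIN"
        generate_key "$GNUPGHOME/genkey-batch"
        verify_signing "git@GITEADOMAIN" && echo "signing OK" ;;
esac
```

Run it as the git user with `sh autosign-check.sh run`; without the argument only the functions are defined, so the pieces can be used one at a time.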