Support signed pushes #13454
Comments
lunny
added
the
type/proposal
|
first of all - cheers. |
|
I'm actually also wondering what happens if |
|
You yourself as the operator would not be able to verify the validity of the old certificates with the new nonce seed. I think it does not matter if you are just recording the certs or rejecting invalid or unsigned pushes - that's done using the current nonce seed, others would probably barely notice, since they don't have access to the nonce seed in the first place, otherwise they'd be able to forge certs. So the seed probably shouldn't be changed in a random way as no mechanism to keep track of the changes exists (other than your |
|
Right, so ideally we should expose a option to allow users to set their own I guess if really necessary one could also expose a option to input past nonces for verification purpose, but I think in the general use case we can assume a user either sets their previous nonce or sets none at all, getting the default. |
I don't think it works like that.
This would then probably be a non-standard and non-intended use of the thingy, while I agree it's a nice idea. |
|
I also have no idea how hard resets are solved in the scenario of changed nonce seed, much less of an idea if we consider per-user nonce seed. |
|
I never said per-user nonce. I of course meant per-server (or if a cluster of servers, shared among them). |
right, my bad...I got the users part as general instance users, not as Gitea users == instance admins |
|
Yeah, I meant admins, not actual gitea users 😉 |
|
So I think we can close this, the preferred way should be to configure it in |
|
I think we should at least document it ? |
|
Hmm yes, some docs regarding this and |
|
Testing this again, I think we can improve the error message seen when signed push is not enabled in gitconfig: Compare to GitHub which also does not support signed push but does not show the latter two messages: |
|
maybe we can provide option to check and block unsigned git push, which is similar with "require signed commits" |
|
Is the procedure the same for SSH signed pushes or are those even a thing? Edit: the answer appears to be yes, as long as the server has a SSH-signing capable git version. |
I think this is a perfectly valid question, it'd perhaps be nice to have this mentioned in the docs. |
|
Would prefer to be able to do it over HTTPS if possible. |
I believe there's a confusion, I'll try to clarify. |
|
Exactly. I think this is a pure documentation issue. It may be possible for gitea to automatically configure |
|
I wasn't able to get push advertising working, so I've stuck to simple gpgsign-ing. |
…stogram` by default (#24860) Close #13454 , Close #23255, Close #14697 (and maybe more related issues) Many users have the requirement to customize the git config. This PR introduces an easy way: put the options in Gitea's app.ini `[git.config]`, then the config options will be applied to git config. And it can support more flexible default config values, eg: now `diff.algorithm=histogram` by default. According to: https://stackoverflow.com/a/32367597/4754037 , `histogram diff` is efficient and doesn't like to cause server-side problems. --------- Co-authored-by: silverwind <[email protected]> Co-authored-by: KN4CK3R <[email protected]> Co-authored-by: Giteabot <[email protected]>
Git supports signing pushes since 2.2.0, we should enable it server side if git is at least that version as it's a backwards-compatible feature. Essentially we need to configure each repo or git globally with:
Maybe the UI can also indicate push signatures, but I guess that can come later.
certNonceSeedcould be set to a hash derived fromsecurity.SECRET_KEY.https://people.kernel.org/monsieuricon/signed-git-pushes
https://github.com/git/git/blob/7f7ebe054af6d831b999d6c2241b9227c4e4e08d/Documentation/RelNotes/2.2.0.txt#L81-L87
The text was updated successfully, but these errors were encountered: