GPG commit validation (#1150)

* GPG commit validation * Add translation + some little fix * Move hash calc after retrieving of potential key + missing translation * Add some little test
2025-05-16 15:02:43 +00:00 · 2017-03-22 11:43:54 +01:00 · 2017-03-22 11:43:54 +01:00 · 14fe9010ae
commit 14fe9010ae
parent 9224405155
14 changed files with 480 additions and 21 deletions
--- a/vendor/code.gitea.io/git/commit.go
+++ b/vendor/code.gitea.io/git/commit.go
@ -6,6 +6,7 @@ package git

 import (
 	"bufio"
+	"bytes"
 	"container/list"
 	"fmt"
 	"net/http"
@ -22,11 +23,30 @@ type Commit struct {
 	Author        *Signature
 	Committer     *Signature
 	CommitMessage string
+	Signature     *CommitGPGSignature

 	parents        []SHA1 // SHA1 strings
 	submoduleCache *ObjectCache
 }

+// CommitGPGSignature represents a git commit signature part.
+type CommitGPGSignature struct {
+	Signature string
+	Payload   string //TODO check if can be reconstruct from the rest of commit information to not have duplicate data
+}
+
+// similar to https://github.com/git/git/blob/3bc53220cb2dcf709f7a027a3f526befd021d858/commit.c#L1128
+func newGPGSignatureFromCommitline(data []byte, signatureStart int) (*CommitGPGSignature, error) {
+	sig := new(CommitGPGSignature)
+	signatureEnd := bytes.LastIndex(data, []byte("-----END PGP SIGNATURE-----"))
+	if signatureEnd == -1 {
+		return nil, fmt.Errorf("end of commit signature not found")
+	}
+	sig.Signature = strings.Replace(string(data[signatureStart:signatureEnd+27]), "\n ", "\n", -1)
+	sig.Payload = string(data[:signatureStart-8]) + string(data[signatureEnd+27:])
+	return sig, nil
+}
+
 // Message returns the commit message. Same as retrieving CommitMessage directly.
 func (c *Commit) Message() string {
 	return c.CommitMessage
--- a/vendor/code.gitea.io/git/repo_commit.go
+++ b/vendor/code.gitea.io/git/repo_commit.go
@ -78,6 +78,12 @@ l:
 					return nil, err
 				}
 				commit.Committer = sig
+			case "gpgsig":
+				sig, err := newGPGSignatureFromCommitline(data, nextline+spacepos+1)
+				if err != nil {
+					return nil, err
+				}
+				commit.Signature = sig
 			}
 			nextline += eol + 1
 		case eol == 0:
--- a/vendor/code.gitea.io/sdk/gitea/hook.go
+++ b/vendor/code.gitea.io/sdk/gitea/hook.go
@ -137,12 +137,21 @@ type PayloadUser struct {

 // PayloadCommit FIXME: consider use same format as API when commits API are added.
 type PayloadCommit struct {
-	ID        string       `json:"id"`
-	Message   string       `json:"message"`
-	URL       string       `json:"url"`
-	Author    *PayloadUser `json:"author"`
-	Committer *PayloadUser `json:"committer"`
-	Timestamp time.Time    `json:"timestamp"`
+	ID           string                     `json:"id"`
+	Message      string                     `json:"message"`
+	URL          string                     `json:"url"`
+	Author       *PayloadUser               `json:"author"`
+	Committer    *PayloadUser               `json:"committer"`
+	Verification *PayloadCommitVerification `json:"verification"`
+	Timestamp    time.Time                  `json:"timestamp"`
+}
+
+// PayloadCommitVerification represent the GPG verification part of a commit. FIXME: like PayloadCommit consider use same format as API when commits API are added.
+type PayloadCommitVerification struct {
+	Verified  bool   `json:"verified"`
+	Reason    string `json:"reason"`
+	Signature string `json:"signature"`
+	Payload   string `json:"payload"`
 }

 var (
--- a/vendor/code.gitea.io/sdk/gitea/user_gpgkey.go
+++ b/vendor/code.gitea.io/sdk/gitea/user_gpgkey.go
@ -38,6 +38,12 @@ type CreateGPGKeyOption struct {
 	ArmoredKey string `json:"armored_public_key" binding:"Required"`
 }

+// ListGPGKeys list all the GPG keys of the user
+func (c *Client) ListGPGKeys(user string) ([]*GPGKey, error) {
+	keys := make([]*GPGKey, 0, 10)
+	return keys, c.getParsedResponse("GET", fmt.Sprintf("/users/%s/gpg_keys", user), nil, nil, &keys)
+}
+
 // ListMyGPGKeys list all the GPG keys of current user
 func (c *Client) ListMyGPGKeys() ([]*GPGKey, error) {
 	keys := make([]*GPGKey, 0, 10)