feat(sec): Add SSH signing support for instances (#6897)

- Add support to set `gpg.format` in the Git config, via the new `[repository.signing].FORMAT` option. This is to tell Git that the instance would like to use SSH instead of OpenPGP to sign its commits. This is guarded behind a Git version check for v2.34.0 and a check that a `ssh-keygen` binary is present. - Add support to recognize the public SSH key that is given to `[repository.signing].SIGNING_KEY` as the signing key by the instance. - Thus this allows the instance to use SSH commit signing for commits that the instance creates (e.g. initial and squash commits) instead of using PGP. - Technically (although I have no clue how as this is not documented) you can have a different PGP signing key for different repositories; this is not implemented for SSH signing. - Add unit and integration testing. - `TestInstanceSigning` was reworked from `TestGPGGit`, now also includes testing for SHA256 repositories. Is the main integration test that actually signs commits and checks that they are marked as verified by Forgejo. - `TestParseCommitWithSSHSignature` is a unit test that makes sure that if a SSH instnace signing key is set, that it is used to possibly verify instance SSH signed commits. - `TestSyncConfigGPGFormat` is a unit test that makes sure the correct git config is set according to the signing format setting. Also checks that the guarded git version check and ssh-keygen binary presence check is done correctly. - `TestSSHInstanceKey` is a unit test that makes sure the parsing of a SSH signing key is done correctly. - `TestAPISSHSigningKey` is a integration test that makes sure the newly added API route `/api/v1/signing-key.ssh` responds correctly. Documentation PR: forgejo/docs#1122 Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6897 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Co-authored-by: Gusted <postmaster@gusted.xyz> Co-committed-by: Gusted <postmaster@gusted.xyz>
2025-06-01 20:32:11 +00:00 · 2025-04-11 13:25:35 +00:00 · 2025-04-11 13:25:35 +00:00 · b55c72828e
commit b55c72828e
parent eb85681b41
17 changed files with 687 additions and 306 deletions
--- a/modules/setting/repository.go
+++ b/modules/setting/repository.go
@ -4,12 +4,15 @@
 package setting

 import (
+	"os"
 	"os/exec"
 	"path"
 	"path/filepath"
 	"strings"

 	"forgejo.org/modules/log"
+
+	"golang.org/x/crypto/ssh"
 )

 // enumerates all the policy repository creating
@ -26,6 +29,8 @@ var MaxUserCardsPerPage = 36
 // MaxForksPerPage sets maximum amount of forks shown per page
 var MaxForksPerPage = 40

+var SSHInstanceKey ssh.PublicKey
+
 // Repository settings
 var (
 	Repository = struct {
@ -109,6 +114,7 @@ var (
 			SigningKey        string
 			SigningName       string
 			SigningEmail      string
+			Format            string
 			InitialCommit     []string
 			CRUDActions       []string `ini:"CRUD_ACTIONS"`
 			Merges            []string
@ -262,6 +268,7 @@ var (
 			SigningKey        string
 			SigningName       string
 			SigningEmail      string
+			Format            string
 			InitialCommit     []string
 			CRUDActions       []string `ini:"CRUD_ACTIONS"`
 			Merges            []string
@ -271,6 +278,7 @@ var (
 			SigningKey:        "default",
 			SigningName:       "",
 			SigningEmail:      "",
+			Format:            "openpgp",
 			InitialCommit:     []string{"always"},
 			CRUDActions:       []string{"pubkey", "twofa", "parentsigned"},
 			Merges:            []string{"pubkey", "twofa", "basesigned", "commitssigned"},
@ -376,4 +384,15 @@ func loadRepositoryFrom(rootCfg ConfigProvider) {
 		log.Fatal("loadRepoArchiveFrom: %v", err)
 	}
 	Repository.EnableFlags = sec.Key("ENABLE_FLAGS").MustBool()
+
+	if Repository.Signing.Format == "ssh" && Repository.Signing.SigningKey != "none" && Repository.Signing.SigningKey != "" {
+		sshPublicKey, err := os.ReadFile(Repository.Signing.SigningKey)
+		if err != nil {
+			log.Fatal("Could not read repository signing key in %q: %v", Repository.Signing.SigningKey, err)
+		}
+		SSHInstanceKey, _, _, _, err = ssh.ParseAuthorizedKey(sshPublicKey)
+		if err != nil {
+			log.Fatal("Could not parse the SSH signing key %q: %v", sshPublicKey, err)
+		}
+	}
 }
--- a/modules/setting/repository_test.go
+++ b/modules/setting/repository_test.go
@ -0,0 +1,59 @@
+// Copyright 2025 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package setting
+
+import (
+	"fmt"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"golang.org/x/crypto/ssh"
+)
+
+func TestSSHInstanceKey(t *testing.T) {
+	sshSigningKeyPath, err := filepath.Abs("../../tests/integration/ssh-signing-key.pub")
+	require.NoError(t, err)
+
+	t.Run("None value", func(t *testing.T) {
+		cfg, err := NewConfigProviderFromData(`
+[repository.signing]
+FORMAT = ssh
+SIGNING_KEY = none
+`)
+		require.NoError(t, err)
+
+		loadRepositoryFrom(cfg)
+
+		assert.Nil(t, SSHInstanceKey)
+	})
+
+	t.Run("No value", func(t *testing.T) {
+		cfg, err := NewConfigProviderFromData(`
+[repository.signing]
+FORMAT = ssh
+`)
+		require.NoError(t, err)
+
+		loadRepositoryFrom(cfg)
+
+		assert.Nil(t, SSHInstanceKey)
+	})
+	t.Run("Normal", func(t *testing.T) {
+		iniStr := fmt.Sprintf(`
+[repository.signing]
+FORMAT = ssh
+SIGNING_KEY = %s
+`, sshSigningKeyPath)
+		cfg, err := NewConfigProviderFromData(iniStr)
+		require.NoError(t, err)
+
+		loadRepositoryFrom(cfg)
+
+		assert.NotNil(t, SSHInstanceKey)
+		assert.Equal(t, "ssh-ed25519", SSHInstanceKey.Type())
+		assert.EqualValues(t, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeRC8GfFyXtiy0f1E7hLv77BXW7e68tFvIcs8/29YqH\n", ssh.MarshalAuthorizedKey(SSHInstanceKey))
+	})
+}