feat(sec): Add SSH signing support for instances (#6897)

- Add support to set `gpg.format` in the Git config, via the new `[repository.signing].FORMAT` option. This is to tell Git that the instance would like to use SSH instead of OpenPGP to sign its commits. This is guarded behind a Git version check for v2.34.0 and a check that a `ssh-keygen` binary is present. - Add support to recognize the public SSH key that is given to `[repository.signing].SIGNING_KEY` as the signing key by the instance. - Thus this allows the instance to use SSH commit signing for commits that the instance creates (e.g. initial and squash commits) instead of using PGP. - Technically (although I have no clue how as this is not documented) you can have a different PGP signing key for different repositories; this is not implemented for SSH signing. - Add unit and integration testing. - `TestInstanceSigning` was reworked from `TestGPGGit`, now also includes testing for SHA256 repositories. Is the main integration test that actually signs commits and checks that they are marked as verified by Forgejo. - `TestParseCommitWithSSHSignature` is a unit test that makes sure that if a SSH instnace signing key is set, that it is used to possibly verify instance SSH signed commits. - `TestSyncConfigGPGFormat` is a unit test that makes sure the correct git config is set according to the signing format setting. Also checks that the guarded git version check and ssh-keygen binary presence check is done correctly. - `TestSSHInstanceKey` is a unit test that makes sure the parsing of a SSH signing key is done correctly. - `TestAPISSHSigningKey` is a integration test that makes sure the newly added API route `/api/v1/signing-key.ssh` responds correctly. Documentation PR: forgejo/docs#1122 Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6897 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Co-authored-by: Gusted <postmaster@gusted.xyz> Co-committed-by: Gusted <postmaster@gusted.xyz>
2025-08-01 17:38:33 +00:00 · 2025-04-11 13:25:35 +00:00 · 2025-04-11 13:25:35 +00:00 · b55c72828e
commit b55c72828e
parent eb85681b41
17 changed files with 687 additions and 306 deletions
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@ -865,6 +865,7 @@ func Routes() *web.Route {
 		m.Group("", func() {
 			m.Get("/version", misc.Version)
 			m.Get("/signing-key.gpg", misc.SigningKey)
+			m.Get("/signing-key.ssh", misc.SSHSigningKey)
 			m.Post("/markup", reqToken(), bind(api.MarkupOption{}), misc.Markup)
 			m.Post("/markdown", reqToken(), bind(api.MarkdownOption{}), misc.Markdown)
 			m.Post("/markdown/raw", reqToken(), misc.MarkdownRaw)
--- a/routers/api/v1/misc/signing.go
+++ b/routers/api/v1/misc/signing.go
@ -7,8 +7,11 @@ import (
 	"fmt"
 	"net/http"

+	"forgejo.org/modules/setting"
 	asymkey_service "forgejo.org/services/asymkey"
 	"forgejo.org/services/context"
+
+	"golang.org/x/crypto/ssh"
 )

 // SigningKey returns the public key of the default signing key if it exists
@ -61,3 +64,29 @@ func SigningKey(ctx *context.APIContext) {
 		ctx.Error(http.StatusInternalServerError, "gpg export", fmt.Errorf("Error writing key content %w", err))
 	}
 }
+
+// SSHSigningKey returns the public SSH key of the default signing key if it exists
+func SSHSigningKey(ctx *context.APIContext) {
+	// swagger:operation GET /signing-key.ssh miscellaneous getSSHSigningKey
+	// ---
+	// summary: Get default signing-key.ssh
+	// produces:
+	//     - text/plain
+	// responses:
+	//   "200":
+	//     description: "SSH public key in OpenSSH authorized key format"
+	//     schema:
+	//       type: string
+	//   "404":
+	//     "$ref": "#/responses/notFound"
+
+	if setting.SSHInstanceKey == nil {
+		ctx.NotFound()
+		return
+	}
+
+	_, err := ctx.Write(ssh.MarshalAuthorizedKey(setting.SSHInstanceKey))
+	if err != nil {
+		ctx.Error(http.StatusInternalServerError, "ssh export", err)
+	}
+}