feat(sec): Add SSH signing support for instances (#6897)

- Add support to set `gpg.format` in the Git config, via the new `[repository.signing].FORMAT` option. This is to tell Git that the instance would like to use SSH instead of OpenPGP to sign its commits. This is guarded behind a Git version check for v2.34.0 and a check that a `ssh-keygen` binary is present. - Add support to recognize the public SSH key that is given to `[repository.signing].SIGNING_KEY` as the signing key by the instance. - Thus this allows the instance to use SSH commit signing for commits that the instance creates (e.g. initial and squash commits) instead of using PGP. - Technically (although I have no clue how as this is not documented) you can have a different PGP signing key for different repositories; this is not implemented for SSH signing. - Add unit and integration testing. - `TestInstanceSigning` was reworked from `TestGPGGit`, now also includes testing for SHA256 repositories. Is the main integration test that actually signs commits and checks that they are marked as verified by Forgejo. - `TestParseCommitWithSSHSignature` is a unit test that makes sure that if a SSH instnace signing key is set, that it is used to possibly verify instance SSH signed commits. - `TestSyncConfigGPGFormat` is a unit test that makes sure the correct git config is set according to the signing format setting. Also checks that the guarded git version check and ssh-keygen binary presence check is done correctly. - `TestSSHInstanceKey` is a unit test that makes sure the parsing of a SSH signing key is done correctly. - `TestAPISSHSigningKey` is a integration test that makes sure the newly added API route `/api/v1/signing-key.ssh` responds correctly. Documentation PR: forgejo/docs#1122 Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6897 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Co-authored-by: Gusted <postmaster@gusted.xyz> Co-committed-by: Gusted <postmaster@gusted.xyz>
2025-06-26 08:00:02 +02:00 · 2025-04-11 13:25:35 +00:00 · 2025-04-11 13:25:35 +00:00 · b55c72828e
commit b55c72828e
parent eb85681b41
17 changed files with 687 additions and 306 deletions
--- a/models/asymkey/ssh_key_object_verification.go
+++ b/models/asymkey/ssh_key_object_verification.go
@ -12,8 +12,10 @@ import (
 	"forgejo.org/models/db"
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/log"
+	"forgejo.org/modules/setting"

 	"github.com/42wim/sshsig"
+	"golang.org/x/crypto/ssh"
 )

 // ParseObjectWithSSHSignature check if signature is good against keystore.
@ -62,6 +64,22 @@ func ParseObjectWithSSHSignature(ctx context.Context, c *GitObject, committer *u
 		}
 	}

+	// If the SSH instance key is set, try to verify it with that key.
+	if setting.SSHInstanceKey != nil {
+		instanceSSHKey := &PublicKey{
+			Content:     string(ssh.MarshalAuthorizedKey(setting.SSHInstanceKey)),
+			Fingerprint: ssh.FingerprintSHA256(setting.SSHInstanceKey),
+		}
+		instanceUser := &user_model.User{
+			Name:  setting.Repository.Signing.SigningName,
+			Email: setting.Repository.Signing.SigningEmail,
+		}
+		commitVerification := verifySSHObjectVerification(c.Signature.Signature, c.Signature.Payload, instanceSSHKey, committer, instanceUser, setting.Repository.Signing.SigningEmail)
+		if commitVerification != nil {
+			return commitVerification
+		}
+	}
+
 	return &ObjectVerification{
 		CommittingUser: committer,
 		Verified:       false,