Gitea Merge Signing (and everything else)

I was trying to get Gitea to sign my initial commits, merges, and everything else not done directly by a user, and ran into some frustration with the documentation. Here's how I solved it for my docker-compose setup; YMMV.

I created a git user on my machine, and passed through the .ssh directory as outlined [here].

su - git
gpg --generate-key

I kept getting permission denied errors when trying to finalize the key; apparently gpg will prompt you for a passphrase and the tty permissions do not allow it. I was able to run the commands inside of tmux, and everything worked just fine.

WARNING: I skipped setting a passphrase because I wasn't sure how to make Gitea unlock the gpg key inside of docker. If anyone knows how to do this correctly, please let me know.

After I had the key, I needed to mount the .gnupg directory inside my docker container:

version: "3"

services:
  server:
    image: gitea/gitea:latest
    environment:
      - USER_UID=1000
      - USER_GID=1000
    restart: unless-stopped
    volumes:
      - /opt/gitea/data:/data
      - /home/git/.ssh:/data/git/.ssh
      - /home/git/.gnupg:/data/git/.gnupg
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "127.0.0.1:3300:3000"
      - "127.0.0.1:2222:22"

After all that was set, I needed to edit my app.ini file (located in /opt/gitea/data/gitea/conf/app.ini on my local system).

[repository.signing]
SIGNING_KEY = X8A0091299678863B5A2CBF3E478FEC0EA152FE5
SIGNING_NAME = Some Name
SIGNING_EMAIL = [email protected]
INITIAL_COMMIT = always
CRUD_ACTIONS = pubkey, twofa, parentsigned
WIKI = never
MERGES = pubkey, twofa, basesigned, commitssigned

The signing key is the ID of the key you just generated. You can get the key ID by running gpg --list-keys. Put that key ID into the SIGNING_KEY field, and be sure to set SIGNING_NAME and SIGNING_EMAIL as well.
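A typo in this section tends to show up only later as unsigned commits, so it is worth checking before restarting the container. The following is an added example, not part of the original post or of Gitea: the function name, the sample values, and the allowed rule names (taken from Gitea's signing documentation as I understand it; verify against your version) are assumptions.

```python
import configparser
import re

# Rule names per option, as listed in Gitea's signing docs (assumption).
BASE = {"never", "pubkey", "twofa", "always"}
ALLOWED = {
    "INITIAL_COMMIT": BASE,
    "WIKI": BASE | {"parentsigned"},
    "CRUD_ACTIONS": BASE | {"parentsigned"},
    "MERGES": BASE | {"basesigned", "headsigned", "commitssigned", "approved"},
}
# A GPG key ID is 8 or 16 hex digits; a v4 fingerprint is 40.
KEY_ID = re.compile(r"(?:0x)?(?:[0-9A-Fa-f]{8}|[0-9A-Fa-f]{16}|[0-9A-Fa-f]{40})")

def lint_signing(app_ini_text):
    """Return a list of problems found in the [repository.signing] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case; configparser lowercases by default
    # app.ini has keys before its first section header, which configparser rejects.
    cp.read_string("[__top__]\n" + app_ini_text)
    if not cp.has_section("repository.signing"):
        return ["no [repository.signing] section"]
    sec = cp["repository.signing"]
    problems = []
    key = sec.get("SIGNING_KEY", "default").strip()
    if key.lower() not in ("none", "default"):
        if not KEY_ID.fullmatch(key):
            problems.append(f"SIGNING_KEY {key!r} is not a hex key ID or fingerprint")
        for opt in ("SIGNING_NAME", "SIGNING_EMAIL"):
            if not sec.get(opt, "").strip():
                problems.append(f"{opt} must be set when SIGNING_KEY is a key ID")
    for opt, allowed in ALLOWED.items():
        for rule in (r.strip() for r in sec.get(opt, "").split(",")):
            if rule and rule not in allowed:
                problems.append(f"{opt}: unknown rule {rule!r}")
    return problems

# Constructed sample: hypothetical fingerprint, one rule misplaced under WIKI.
SAMPLE = """APP_NAME = Gitea
[repository.signing]
SIGNING_KEY = 0123456789ABCDEF0123456789ABCDEF01234567
SIGNING_NAME = Gitea Signer
SIGNING_EMAIL = signer@example.invalid
INITIAL_COMMIT = always
CRUD_ACTIONS = pubkey, twofa, parentsigned
MERGES = pubkey, twofa, basesigned, commitssigned
WIKI = parentsigned, commitssigned
"""
print(lint_signing(SAMPLE))
```

To check a real file, pass the contents of app.ini (for the setup above, /opt/gitea/data/gitea/conf/app.ini) to lint_signing.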

I restarted my docker containers, and voilà, I had fully signed repos, from the initial commit to all merged pull requests.

— © 2022 [email protected]