
GPG signature verification #2981

Open
jeppech opened this issue Apr 15, 2016 · 26 comments
Labels
🎯 feature Categorizes as related to a new feature

Comments

@jeppech

jeppech commented Apr 15, 2016

GitHub just added GPG signature verification; this would be a cool feature in Gogs as well.

https://github.com/blog/2144-gpg-signature-verification

@drsect0r

👍

@xor-gate

Keep in mind that when people have Gogs in-company behind firewalls and an external/internal GPG server needs to be accessed to verify the signature, this must be configurable.

@bkcsoft
Contributor

bkcsoft commented Apr 15, 2016

GitHub (and Gogs IMO) uses its own GPG keychain for validation, so each user would need to upload their public key just like with SSH keys.

One could also add a "fetch my key from this server {url}" to make it easier for non-corp users 😄

@joubertredrat

+1

@dakira
Contributor

dakira commented Apr 21, 2016

@xor-gate, @bkcsoft: exactly. Just as with GitHub, a person needs to add a signing key to their profile and commits are validated against that. These need to be added to a GPG public keyring that belongs to the git user, so that this user can use git to verify the signatures (see the git docs).
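The per-user keyring model described in this comment, as an added shell example that is not Gogs code and not part of the thread: an uploaded public key is imported into a verification keyring (a GNUPGHOME owned by the git user), and git verify-commit is run against that keyring only. The demo function builds a throwaway signing key and repository in a temporary directory and checks the same commit once against a keyring that holds the key and once against an empty one. All paths, names and the example.invalid address are constructed for the demo; it needs gpg 2.1+ and git on the PATH.

```shell
#!/bin/sh
# Added example (not Gogs code): server-side commit signature verification
# against a keyring that holds only the public keys users uploaded to their
# profiles. Paths and identities below are constructed for the demo.
set -eu

# import_user_key KEYRING_HOME KEY.asc
# Import one uploaded, ASCII-armored public key into the server's
# verification keyring (a dedicated GNUPGHOME owned by the git user).
import_user_key() {
    mkdir -p "$1" && chmod 700 "$1"
    GNUPGHOME="$1" gpg --batch --quiet --import "$2" >/dev/null 2>&1
}

# verify_commit KEYRING_HOME REPO COMMIT
# Prints "verified" when the commit carries a good signature from a key that
# is present in the keyring, "unverified" otherwise (unsigned, bad signature,
# or a key the server has never seen). Nothing is fetched from a keyserver.
verify_commit() {
    if GNUPGHOME="$1" git -C "$2" verify-commit "$3" >/dev/null 2>&1; then
        echo verified
    else
        echo unverified
    fi
}

# demo: generate a throwaway developer key and a signed commit in a temp
# directory, then verify the commit against a keyring with the uploaded key
# and against an empty keyring. Prints both results on one line,
# e.g. "verified unverified".
demo() {
    work=$(mktemp -d)
    signer="$work/signer"; mkdir -p "$signer"; chmod 700 "$signer"

    # Developer-side key, constructed for the demo, no passphrase.
    GNUPGHOME="$signer" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Dev <dev@example.invalid>' default default never \
        >/dev/null 2>&1
    fpr=$(GNUPGHOME="$signer" gpg --batch --with-colons --list-secret-keys \
          | awk -F: '/^fpr/ { print $10; exit }')
    # This armored export is what the developer would paste into their profile.
    GNUPGHOME="$signer" gpg --batch --armor --export "$fpr" > "$work/dev.asc"

    # A signed commit in a scratch repository.
    repo="$work/repo"; git init -q "$repo"
    GNUPGHOME="$signer" git -C "$repo" \
        -c user.name='Demo Dev' -c user.email='dev@example.invalid' \
        -c user.signingkey="$fpr" -c gpg.program=gpg \
        commit -q --allow-empty -S -m 'signed commit'

    # Server-side keyrings: one that received the uploaded key, one that did not.
    import_user_key "$work/known" "$work/dev.asc"
    mkdir -p "$work/empty"; chmod 700 "$work/empty"
    with=$(verify_commit "$work/known" "$repo" HEAD)
    without=$(verify_commit "$work/empty" "$repo" HEAD)

    # Stop the agents gpg started for the temporary homes, then clean up.
    for h in "$signer" "$work/known" "$work/empty"; do
        GNUPGHOME="$h" gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    done
    rm -rf "$work"
    echo "$with $without"
}

# Run the demonstration when both tools are present.
if command -v gpg >/dev/null 2>&1 && command -v git >/dev/null 2>&1; then
    demo
fi
```

Because verification is done with a GNUPGHOME that contains nothing but uploaded keys, the outcome does not depend on the git user's personal keyring or on reachability of any external keyserver; a key that a user never added simply yields "unverified", which is the behaviour the firewall concern in this thread calls for.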

@cjeanneret

@xor-gate a GPG server isn't used, as people have to add their own key(s) to their account, with matching email addresses and so on.

@bkcsoft "retrieve key from keybase.io" would be nice, in fact :).

@bkcsoft
Contributor

bkcsoft commented May 3, 2016

@cjeanneret haven't looked at Keybase at all so I can't really say how easy/hard it'll be to integrate... I hope that I have time during the weekend, otherwise I'll have a look next week :)

@cjeanneret

@bkcsoft you might want to check the API ;).

The "nice" thing would be a lookup to keybase in order to retrieve the key for each emails entered in gogs account — while still letting the possibility to manually add a public key in case we either don't have a keybase account or not uploaded this key on it (my case: ~10 private keys…)

@dakira
Contributor

dakira commented May 4, 2016 via email

@ekozan

ekozan commented May 4, 2016

Keybase is not a must-have; first focus on GPG and add some providers afterwards, no?

@xor-gate

xor-gate commented May 4, 2016

It looks like the Keybase service server-side cannot be self-hosted and only client libraries and docs are provided. Correct me if I'm wrong. Probably this is not what most Gogs users want when hosting it in-company or privately.

@Fastidious
Contributor

Dupe of #2321.

@dabaer

dabaer commented May 23, 2016

👍

@sapk
Contributor

sapk commented May 23, 2016

Maybe I can do something.

@bkcsoft
Contributor

bkcsoft commented May 23, 2016

@Fastidious not exactly, this extends that issue.

@lcges

lcges commented Jan 2, 2017

Will there be an opportunity to implement this feature?

@unknwon unknwon added this to the 0.11.0 milestone Feb 23, 2017
@unknwon unknwon changed the title [Feature] GPG signature verification GPG signature verification Feb 26, 2017
@unknwon unknwon modified the milestones: 0.11, 0.12 Mar 7, 2017
@Marqin

Marqin commented Apr 26, 2017

Will this feature also check when the client does git push --signed (a new feature since Git 2.2.0), or do we need a second issue for that feature?

@bennyman123abc

I hate to pry, but has this issue progressed any further?

@w3bb

w3bb commented Mar 11, 2020

Really hope this gets implemented. This is a killer feature for me.

@tinyoverflow

Signing commits is really important, especially for security. This issue has now existed for 5 years and the only thing it brought up is "I WaNt KeYbAsE" and discussions about Keybase instead of focusing on the important thing: checking signatures.

Where the public key comes from is irrelevant in the first place. It doesn't matter if it comes from a keyserver, from the user itself (like GitHub and nearly everyone else does it), from Keybase or whatever solution.

Please let us focus on the important stuff: Verification. Once the base is implemented, we might be able to think about importing identities from third-party providers, though I do not see any benefit in that, to be honest. It's something that you only do once. That doesn't need to be automated. If you have to add new keys all the time, you

  1. might want to rethink your key situation, or
  2. have a very special use case that's way too special to implement for all users in such a piece of software.

I've used Gogs a lot and I really like it. But this is definitely a killer feature. Even its forks have managed to implement this.

@GwynethLlewelyn

I'm here scratching my head trying to figure out what exactly happened to Gogs. It's not really normal to have an issue open for five years, a few pull requests ready to implement such a feature, and lots of forks that have picked up all the code and implemented it on their own fork (and even bragged about it).

What's going on?

@venil7

venil7 commented Sep 18, 2021

Hey guys, it's September 2021, any news on this feature at all?

@GwynethLlewelyn

Any news on any feature?...

@ghost

ghost commented Jan 24, 2022

Is there any update on this situation? I'd be more than happy to be able to see in the web interface that the commit was signed at all. Obviously verification and the like would be preferred, but for the time being I'll absolutely take what I can get.

Is there anything that we users can help the developers with? Seeing pull requests repeatedly ignored is quite disheartening though...

@GwynethLlewelyn

I feel your pain, @Gmmi ... @unknwon has been catching up with things and actually did a new release with some changes, but the simple truth is that there are still 35 PRs or so for reviewing. Most of them pass all checks — which is a good sign! — but a few do not. I guess that this just takes time to get approved...

@unknwon unknwon removed this from the Triaging priority milestone Mar 5, 2022