Gitea: Committer verification

Created on 23 Oct 2017  ·  17 Comments  ·  Source: go-gitea/gitea

Git and distributed version control have many benefits out of the box, but controlling access and workflows isn’t one of them. For example, without a Git management tool, a developer can push commits that others have written to the central repository.

This creates problems for organizations with strict security and compliance requirements.
It is necessary to add a new committer verification hook, which enforces that only the author of a commit can push those changes back to Gogs Server. We can sleep easy knowing that only authorized code changes can make it to your repositories.

BitBucket has added this feature.

https://www.atlassian.com/blog/bitbucket/enterprise-devops-bitbucket-server-5-bamboo-6


And GitLab is adding it too.

https://gitlab.com/gitlab-org/gitlab-ee/issues/1802

Labels: kind/feature, reviewed/confirmed


All 17 comments

From a git point of view, I would recommend you to use gpg commit verification (already implemented), which allows a "pusher" to push commits from another "committer" and still be able to verify that the commit hasn't been tampered with or that the identity of the committer isn't falsified. This type of verification is totally decentralized, verification can also be done locally, and it is supported natively by git.

This solution doesn't cover the part of only allowing pushes of commits from the logged-in user that may be needed for your corporation (this would block cherry-pick and some git flows if enabled).

If the gpg method doesn't fully comply with your needs, gitea supports server-side hooks but those need to be added manually via the git cli. More generally, we could provide a way to apply a predefined list of server-side hooks.

EDIT: it is also possible to edit the pre-receive hook via web interface.

So maybe we could have an option in the repository settings to deny all pushes for which gpg verification failed.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.

Does gitea pass any user info through environmental variables? That would allow these hooks to work.

Yes it does.

https://github.com/go-gitea/gitea/blob/ee1d64ddd1456764de692fcdeb42db1398fcf97b/cmd/serv.go#L187-L195

However read my comments on #8584

It can be done we just need to do a bit more work.

For simple committer verification this works well in Gitea v1.9.5:

#!/bin/bash
# Reject pushed commits whose committer e-mail differs from the Gitea pusher's e-mail.
err(){
    >&2 echo "Pre-receive validation: $*"
}

hasErr = 0
while read oldrev newrev ref
do
    if [[ "$oldrev" == "0000000000000000000000000000000000000000" ]]; then
        # create new branch
        continue;
    fi

    # one "<hash> <committer e-mail>" line per pushed commit
    export committers="$(git log --format="%H %ce" $oldrev..$newrev)"

    while IFS=' ' read -r commitHash committerEmail;
    do
        if [[ "$committerEmail" != "$GITEA_PUSHER_EMAIL" ]]; then
            err "You are not $GITEA_PUSHER_EMAIL! You pushed commit $commitHash as $committerEmail"
            exit 1
        fi
    done <<< "$committers"
done

exit 0

This verifies every pushed commit against the Gitea user's e-mail address. Indeed, gpg signing might be better, but this does work.

Delta compression using up to 16 threads
Compressing objects: 100% (9/9), done.
Writing objects: 100% (9/9), 1.02 KiB | 1.02 MiB/s, done.
Total 9 (delta 3), reused 0 (delta 0)
remote: ./hooks/pre-receive.d/enforce-author: line 8: hasErr: command not found
remote: Pre-receive validation: You are not [email protected]! You pushed commit edb3fc3b808fdaea26fd43a128a40e3457021ac6 as [email protected]
To https://git.[redacted]/[user]/test2
 ! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'https://git.[redacted]/[user]/test2'
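A corrected and hardened variant of the hook above that also covers the earlier suggestion of denying pushes whose gpg verification fails; this is an added example, not Sebazzz's script or Gitea's code. It assumes Gitea exports GITEA_PUSHER_EMAIL to the hook (as the script above relies on); REQUIRE_SIGNED is a knob invented for this example, and the signature check only works if the committers' public keys are in the server's GPG keyring.

```shell
#!/bin/sh
# Added example, not Gitea's code: reject pushed commits whose committer e-mail is not the
# pusher's, and (with REQUIRE_SIGNED=1, a knob of this example) commits without a good GPG
# signature. Assumes Gitea exports GITEA_PUSHER_EMAIL to the hook.
ZERO_SHA=0000000000000000000000000000000000000000

err() { echo "Pre-receive validation: $*" >&2; }
# check_commits PUSHER_EMAIL [REQUIRE_SIGNED]
# Reads "hash committer-email signature-status" lines on stdin (the shape of
# `git log --format='%H %ce %G?'`) and returns 1 at the first commit that violates policy.
check_commits() {
    pusher="$1"; require_signed="${2:-0}"
    while read -r hash email sig; do
        [ -z "$hash" ] && continue
        if [ "$email" != "$pusher" ]; then
            err "You are not $pusher! You pushed commit $hash as $email"
            return 1
        fi
        # %G? is G (good signature) or U (good signature, key of unknown trust)
        if [ "$require_signed" = 1 ] && [ "$sig" != G ] && [ "$sig" != U ]; then
            err "Commit $hash has no valid GPG signature (status '$sig')"
            return 1
        fi
    done
    return 0
}

# check_range OLDREV NEWREV: enumerate the commits this push adds and check them.
check_range() {
    if [ "$1" = "$ZERO_SHA" ]; then
        # New branch. The hook above skipped this case, so foreign commits could be pushed
        # on a fresh branch; instead check everything not yet reachable from existing refs.
        range="$2 --not --all"
    else
        range="$1..$2"
    fi
    # $range is deliberately split into words
    git log --format='%H %ce %G?' $range | check_commits "$GITEA_PUSHER_EMAIL" "${REQUIRE_SIGNED:-0}"
}

main() {
    while read -r oldrev newrev ref; do
        [ "$newrev" = "$ZERO_SHA" ] && continue   # branch deletion: nothing to verify
        check_range "$oldrev" "$newrev" || exit 1
    done
    exit 0
}

# git sets GIT_DIR while running a hook; without it the functions can be sourced and tested.
if [ -n "${GIT_DIR:-}" ]; then main; fi
```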

@Sebazzz there seems to be a typo in your example:

remote: ./hooks/pre-receive.d/enforce-author: line 8: hasErr: command not found

I think you need to change:

hasErr = 0

to

hasErr=0

Yes, forgot it when copy pasting.

The only thing missing is that it doesn't verify the committer name because gitea doesn't pass that in an env. variable. You could do an api call for that though.


Yes, but it is also on my profile. Thanks though 👍

guillep2k wrote: @Sebazzz just so you know, your comment exposed your e-mail.

So Gitea won't be able to pass the committer name as a variable as that's in the commits themselves - you'd need to examine the commit and then interrogate Gitea over the API to do it.

I am aware of how to go about adding this to Gitea's protected branch stuff but I've not had time. If you're willing and understand what I've written in #8584 this could be a good PR.

Hi zeripath,

I meant the full name (display name). That info is readily available. A hook can then compare it to whatever is in the commits.


Ah, I'd forgotten what this issue was asking for.

Yeah we don't put the full name or email address in the environment because we don't use it - however you can easily get that from the Gitea API with a sufficiently powerful token (if you need to override hide email address) at /api/v1/users/{user}

Yeah it's a little slow to have to send an API request but it's not overly long.

If I understand correctly, #9708 closes this?
and I created a PR for docs update: #9793

Not entirely sure, but I think "Verified Committer" on comparison page in docs should have a tick for Gitea? https://docs.gitea.io/en-us/comparison/#code-management

I think this will be a "tick" when #10425 is merged @zeripath ?

I'm gonna make it "/" because if we're gonna say we do this I think we will need to do it properly.
