Gitea: Allow signed commits to be required

Created on 15 Jun 2018  路  14Comments  路  Source: go-gitea/gitea

GitHub allows protected branches to require signed commits. This is a blocking issue for adoption of Gitea by some projects.

kinfeature revieweconfirmed
Source
picture hlandau
👍2

Most helpful comment

There should be an option on protected branches like below:
image

picture lunny on 15 Jun 2018
👍17

All 14 comments

There should be an option on protected branches like below:
image

lunny picture lunny on 15 Jun 2018
👍17

It would be nice if we could also do this for releases/tags only. I don't think that signing every commit is necessary, but I want to enforce it for releases.

clarfonthey picture clarfonthey on 21 Jun 2018
👍2

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.

stale[bot] picture stale[bot] on 22 Jan 2019
👎2

Anyone wanting to tacle this? I could look into it, but only in about 4 weeks.

kolaente picture kolaente on 22 Jan 2019
👍7 🎉43

This feature seems like a no-brainer; could it be marked as confirmed so it doesn't become stale?

clarfonthey picture clarfonthey on 23 Mar 2019

No movement on this? Would anyone familiar with the relevant part of the Gitea codebase be interested in mentoring me on getting this implemented? I'm relatively new to Go, and would be happy to work on getting this feature implemented with a little bit of assistance.

dvn0 picture dvn0 on 16 Jul 2019

At first, you should add an option on protected branch page to add an option deny all commits no signed which default is unchecked.

Then you should change code on cmd/serv.go or cmd/hooks.go to test if the commit unsigned allowed on that branch.

lunny picture lunny on 16 Jul 2019
👍1

Any news on this?

djbrown picture djbrown on 18 Oct 2019

The idea is to add an option and check the signed commits on prereceive hook.

lunny picture lunny on 18 Oct 2019

This has only really become practicable since #7631 was merged.

It's not just a case of enforcing commits are signed - commits from merging PRs have to be signed and we need to indicate whether such a commit will be signed and likely indicate why it wouldn't be. We would need to add a block on attempting to merge a pr if it wouldn't be signed.

zeripath picture zeripath on 18 Oct 2019

What would be a good bounty to help speed development on this issue?

jamesponddotco picture jamesponddotco on 8 Jan 2020

Any bounty is good ;)

lafriks picture lafriks on 9 Jan 2020

Bounty posted:
https://www.bountysource.com/issues/59720659-allow-signed-commits-to-be-required

jamesponddotco picture jamesponddotco on 10 Jan 2020
👍1

OK so #9708 represents an implementation of this.

There are a couple of points to be made:

  • Depending on your server configuration you may not be able to merge PRs into your protected branch. (Remember these have to be signed too.)
  • Similarly, You may not be able merge CRUD actions into your protected branch.

There are few extension options which probably need discussion to see if there is interest:

  • Allow repo admin to push unsigned
  • Allow repo admin to merge unsigned
zeripath picture zeripath on 12 Jan 2020
🎉5
Was this page helpful?
0 / 5 - 0 ratings

Related issues

lunny picture lunny  路  3Comments
kifirkin picture kifirkin  路  3Comments
cookiengineer picture cookiengineer  路  3Comments
adpande picture adpande  路  3Comments
flozz picture flozz  路  3Comments