+// Copyright 2025 The Gitea Authors. All rights reserved.

+// SPDX-License-Identifier: MIT

+

+package asymkey

+

+import (

+ "context"

+ "strings"

+

+ asymkey_model "code.gitea.io/gitea/models/asymkey"

+ "code.gitea.io/gitea/models/db"

+ user_model "code.gitea.io/gitea/models/user"

+ "code.gitea.io/gitea/modules/git"

+ "code.gitea.io/gitea/modules/log"

+ "code.gitea.io/gitea/modules/setting"

+

+ "github.com/ProtonMail/go-crypto/openpgp/packet"

+)

+

+// ParseCommitWithSignature check if signature is good against keystore.

+func ParseCommitWithSignature(ctx context.Context, c *git.Commit) *asymkey_model.CommitVerification {

+ var committer *user_model.User

+ if c.Committer != nil {

+ var err error

+ // Find Committer account

+ committer, err = user_model.GetUserByEmail(ctx, c.Committer.Email) // This finds the user by primary email or activated email so commit will not be valid if email is not

+ if err != nil { // Skipping not user for committer

+ committer = &user_model.User{

+ Name: c.Committer.Name,

+ Email: c.Committer.Email,

+ }

+ // We can expect this to often be an ErrUserNotExist. in the case

+ // it is not, however, it is important to log it.

+ if !user_model.IsErrUserNotExist(err) {

+ log.Error("GetUserByEmail: %v", err)

+ return &asymkey_model.CommitVerification{

+ CommittingUser: committer,

+ Verified: false,

+ Reason: "gpg.error.no_committer_account",

+ }

+ }

+ }

+ }

+

+ return ParseCommitWithSignatureCommitter(ctx, c, committer)

+}

+

+func ParseCommitWithSignatureCommitter(ctx context.Context, c *git.Commit, committer *user_model.User) *asymkey_model.CommitVerification {

+ // If no signature just report the committer

+ if c.Signature == nil {

+ return &asymkey_model.CommitVerification{

+ CommittingUser: committer,

+ Verified: false, // Default value

+ Reason: "gpg.error.not_signed_commit", // Default value

+ }

+ }

+

+ // If this a SSH signature handle it differently

+ if strings.HasPrefix(c.Signature.Signature, "-----BEGIN SSH SIGNATURE-----") {

+ return asymkey_model.ParseCommitWithSSHSignature(ctx, c, committer)

+ }

+

+ // Parsing signature

+ sig, err := asymkey_model.ExtractSignature(c.Signature.Signature)

+ if err != nil { // Skipping failed to extract sign

+ log.Error("SignatureRead err: %v", err)

+ return &asymkey_model.CommitVerification{

+ CommittingUser: committer,

+ Verified: false,

+ Reason: "gpg.error.extract_sign",

+ }

+ }

+

+ keyID := asymkey_model.TryGetKeyIDFromSignature(sig)

+ defaultReason := asymkey_model.NoKeyFound

+

+ // First check if the sig has a keyID and if so just look at that

+ if commitVerification := HashAndVerifyForKeyID(

+ ctx,

+ sig,

+ c.Signature.Payload,

+ committer,

+ keyID,

+ setting.AppName,

+ ""); commitVerification != nil {

+ if commitVerification.Reason == asymkey_model.BadSignature {

+ defaultReason = asymkey_model.BadSignature

+ } else {

+ return commitVerification

+ }

+ }

+

+ // Now try to associate the signature with the committer, if present

+ if committer.ID != 0 {

+ keys, err := db.Find[asymkey_model.GPGKey](ctx, asymkey_model.FindGPGKeyOptions{

+ OwnerID: committer.ID,

+ })

+ if err != nil { // Skipping failed to get gpg keys of user

+ log.Error("ListGPGKeys: %v", err)

+ return &asymkey_model.CommitVerification{

+ CommittingUser: committer,

+ Verified: false,

+ Reason: "gpg.error.failed_retrieval_gpg_keys",

+ }

+ }

+

+ if err := asymkey_model.GPGKeyList(keys).LoadSubKeys(ctx); err != nil {

+ log.Error("LoadSubKeys: %v", err)

+ return &asymkey_model.CommitVerification{

+ CommittingUser: committer,

+ Verified: false,

+ Reason: "gpg.error.failed_retrieval_gpg_keys",

+ }

+ }

+

+ committerEmailAddresses, _ := user_model.GetEmailAddresses(ctx, committer.ID)

+ activated := false

+ for _, e := range committerEmailAddresses {

+ if e.IsActivated && strings.EqualFold(e.Email, c.Committer.Email) {

+ activated = true

+ break

+ }

+ }

+

+ for _, k := range keys {

+ // Pre-check (& optimization) that emails attached to key can be attached to the committer email and can validate

+ canValidate := false

+ email := ""

+ if k.Verified && activated {

+ canValidate = true

+ email = c.Committer.Email

+ }

+ if !canValidate {

+ for _, e := range k.Emails {

+ if e.IsActivated && strings.EqualFold(e.Email, c.Committer.Email) {

+ canValidate = true

+ email = e.Email

+ break

+ }

+ }

+ }

+ if !canValidate {

+ continue // Skip this key

+ }

+

+ commitVerification := asymkey_model.HashAndVerifyWithSubKeysCommitVerification(sig, c.Signature.Payload, k, committer, committer, email)

+ if commitVerification != nil {

+ return commitVerification

+ }

+ }

+ }

+

+ if setting.Repository.Signing.SigningKey != "" && setting.Repository.Signing.SigningKey != "default" && setting.Repository.Signing.SigningKey != "none" {

+ // OK we should try the default key

+ gpgSettings := git.GPGSettings{

+ Sign: true,

+ KeyID: setting.Repository.Signing.SigningKey,

+ Name: setting.Repository.Signing.SigningName,

+ Email: setting.Repository.Signing.SigningEmail,

+ }

+ if err := gpgSettings.LoadPublicKeyContent(); err != nil {

+ log.Error("Error getting default signing key: %s %v", gpgSettings.KeyID, err)

+ } else if commitVerification := VerifyWithGPGSettings(ctx, &gpgSettings, sig, c.Signature.Payload, committer, keyID); commitVerification != nil {

+ if commitVerification.Reason == asymkey_model.BadSignature {

+ defaultReason = asymkey_model.BadSignature

+ } else {

+ return commitVerification

+ }

+ }

+ }

+

+ defaultGPGSettings, err := c.GetRepositoryDefaultPublicGPGKey(false)

+ if err != nil {

+ log.Error("Error getting default public gpg key: %v", err)

+ } else if defaultGPGSettings == nil {

+ log.Warn("Unable to get defaultGPGSettings for unattached commit: %s", c.ID.String())

+ } else if defaultGPGSettings.Sign {

+ if commitVerification := VerifyWithGPGSettings(ctx, defaultGPGSettings, sig, c.Signature.Payload, committer, keyID); commitVerification != nil {

+ if commitVerification.Reason == asymkey_model.BadSignature {

+ defaultReason = asymkey_model.BadSignature

+ } else {

+ return commitVerification

+ }

+ }

+ }

+

+ return &asymkey_model.CommitVerification{ // Default at this stage

+ CommittingUser: committer,

+ Verified: false,

+ Warning: defaultReason != asymkey_model.NoKeyFound,

+ Reason: defaultReason,

+ SigningKey: &asymkey_model.GPGKey{

+ KeyID: keyID,

+ },

+ }

+}

+

+func checkKeyEmails(ctx context.Context, email string, keys ...*asymkey_model.GPGKey) (bool, string) {

+ uid := int64(0)

+ var userEmails []*user_model.EmailAddress

+ var user *user_model.User

+ for _, key := range keys {

+ for _, e := range key.Emails {

+ if e.IsActivated && (email == "" || strings.EqualFold(e.Email, email)) {

+ return true, e.Email

+ }

+ }

+ if key.Verified && key.OwnerID != 0 {

+ if uid != key.OwnerID {

+ userEmails, _ = user_model.GetEmailAddresses(ctx, key.OwnerID)

+ uid = key.OwnerID

+ user = &user_model.User{ID: uid}

+ _, _ = user_model.GetUser(ctx, user)

+ }

+ for _, e := range userEmails {

+ if e.IsActivated && (email == "" || strings.EqualFold(e.Email, email)) {

+ return true, e.Email

+ }

+ }

+ if user.KeepEmailPrivate && strings.EqualFold(email, user.GetEmail()) {

+ return true, user.GetEmail()

+ }

+ }

+ }

+ return false, email

+}

+

+func HashAndVerifyForKeyID(ctx context.Context, sig *packet.Signature, payload string, committer *user_model.User, keyID, name, email string) *asymkey_model.CommitVerification {

+ if keyID == "" {

+ return nil

+ }

+ keys, err := db.Find[asymkey_model.GPGKey](ctx, asymkey_model.FindGPGKeyOptions{

+ KeyID: keyID,

+ IncludeSubKeys: true,

+ })

+ if err != nil {

+ log.Error("GetGPGKeysByKeyID: %v", err)

+ return &asymkey_model.CommitVerification{

+ CommittingUser: committer,

+ Verified: false,

+ Reason: "gpg.error.failed_retrieval_gpg_keys",

+ }

+ }

+ if len(keys) == 0 {

+ return nil

+ }

+ for _, key := range keys {

+ var primaryKeys []*asymkey_model.GPGKey

+ if key.PrimaryKeyID != "" {

+ primaryKeys, err = db.Find[asymkey_model.GPGKey](ctx, asymkey_model.FindGPGKeyOptions{

+ KeyID: key.PrimaryKeyID,

+ IncludeSubKeys: true,

+ })

+ if err != nil {

+ log.Error("GetGPGKeysByKeyID: %v", err)

+ return &asymkey_model.CommitVerification{

+ CommittingUser: committer,

+ Verified: false,

+ Reason: "gpg.error.failed_retrieval_gpg_keys",

+ }

+ }

+ }

+

+ activated, email := checkKeyEmails(ctx, email, append([]*asymkey_model.GPGKey{key}, primaryKeys...)...)

+ if !activated {

+ continue

+ }

+

+ signer := &user_model.User{

+ Name: name,

+ Email: email,

+ }

+ if key.OwnerID != 0 {

+ owner, err := user_model.GetUserByID(ctx, key.OwnerID)

+ if err == nil {

+ signer = owner

+ } else if !user_model.IsErrUserNotExist(err) {

+ log.Error("Failed to user_model.GetUserByID: %d for key ID: %d (%s) %v", key.OwnerID, key.ID, key.KeyID, err)

+ return &asymkey_model.CommitVerification{

+ CommittingUser: committer,

+ Verified: false,

+ Reason: "gpg.error.no_committer_account",

+ }

+ }

+ }

+ commitVerification := asymkey_model.HashAndVerifyWithSubKeysCommitVerification(sig, payload, key, committer, signer, email)

+ if commitVerification != nil {

+ return commitVerification

+ }

+ }

+ // This is a bad situation ... We have a key id that is in our database but the signature doesn't match.

+ return &asymkey_model.CommitVerification{

+ CommittingUser: committer,

+ Verified: false,

+ Warning: true,

+ Reason: asymkey_model.BadSignature,

+ }

+}

+

+func VerifyWithGPGSettings(ctx context.Context, gpgSettings *git.GPGSettings, sig *packet.Signature, payload string, committer *user_model.User, keyID string) *asymkey_model.CommitVerification {

+ // First try to find the key in the db

+ if commitVerification := HashAndVerifyForKeyID(ctx, sig, payload, committer, gpgSettings.KeyID, gpgSettings.Name, gpgSettings.Email); commitVerification != nil {

+ return commitVerification

+ }

+

+ // Otherwise we have to parse the key

+ ekeys, err := asymkey_model.CheckArmoredGPGKeyString(gpgSettings.PublicKeyContent)

+ if err != nil {

+ log.Error("Unable to get default signing key: %v", err)

+ return &asymkey_model.CommitVerification{

+ CommittingUser: committer,

+ Verified: false,

+ Reason: "gpg.error.generate_hash",

+ }

+ }

+ for _, ekey := range ekeys {

+ pubkey := ekey.PrimaryKey

+ content, err := asymkey_model.Base64EncPubKey(pubkey)

+ if err != nil {

+ return &asymkey_model.CommitVerification{

+ CommittingUser: committer,

+ Verified: false,

+ Reason: "gpg.error.generate_hash",

+ }

+ }

+ k := &asymkey_model.GPGKey{

+ Content: content,

+ CanSign: pubkey.CanSign(),

+ KeyID: pubkey.KeyIdString(),

+ }

+ for _, subKey := range ekey.Subkeys {

+ content, err := asymkey_model.Base64EncPubKey(subKey.PublicKey)

+ if err != nil {

+ return &asymkey_model.CommitVerification{

+ CommittingUser: committer,

+ Verified: false,

+ Reason: "gpg.error.generate_hash",

+ }

+ }

+ k.SubsKey = append(k.SubsKey, &asymkey_model.GPGKey{

+ Content: content,

+ CanSign: subKey.PublicKey.CanSign(),

+ KeyID: subKey.PublicKey.KeyIdString(),

+ })

+ }

+ if commitVerification := asymkey_model.HashAndVerifyWithSubKeysCommitVerification(sig, payload, k, committer, &user_model.User{

+ Name: gpgSettings.Name,

+ Email: gpgSettings.Email,

+ }, gpgSettings.Email); commitVerification != nil {

+ return commitVerification

+ }

+ if keyID == k.KeyID {

+ // This is a bad situation ... We have a key id that matches our default key but the signature doesn't match.

+ return &asymkey_model.CommitVerification{

+ CommittingUser: committer,

+ Verified: false,

+ Warning: true,

+ Reason: asymkey_model.BadSignature,

+ }

+ }

+ }

+ return nil

+}

+ verification := ParseCommitWithSignature(ctx, commit)

+ verification := ParseCommitWithSignature(ctx, commit)

+ verification := ParseCommitWithSignature(ctx, commit)

+ verification := ParseCommitWithSignature(ctx, commit)

+ verification := ParseCommitWithSignature(ctx, commit)

+ verification := ParseCommitWithSignature(ctx, commit)

+ asymkey_service "code.gitea.io/gitea/services/asymkey"

+ verif := asymkey_service.ParseCommitWithSignature(ctx, c)

+// Copyright 2025 The Gitea Authors. All rights reserved.

+// SPDX-License-Identifier: MIT

+

+package git

+

+import (

+ "context"

+

+ asymkey_model "code.gitea.io/gitea/models/asymkey"

+ "code.gitea.io/gitea/models/db"

+ git_model "code.gitea.io/gitea/models/git"

+ repo_model "code.gitea.io/gitea/models/repo"

+ user_model "code.gitea.io/gitea/models/user"

+ "code.gitea.io/gitea/modules/container"

+ "code.gitea.io/gitea/modules/git"

+ asymkey_service "code.gitea.io/gitea/services/asymkey"

+)

+

+// ParseCommitsWithSignature checks if signaute of commits are corresponding to users gpg keys.

+func ParseCommitsWithSignature(ctx context.Context, oldCommits []*user_model.UserCommit, repoTrustModel repo_model.TrustModelType, isOwnerMemberCollaborator func(*user_model.User) (bool, error)) ([]*asymkey_model.SignCommit, error) {

+ newCommits := make([]*asymkey_model.SignCommit, 0, len(oldCommits))

+ keyMap := map[string]bool{}

+

+ emails := make(container.Set[string])

+ for _, c := range oldCommits {

+ if c.Committer != nil {

+ emails.Add(c.Committer.Email)

+ }

+ }

+

+ emailUsers, err := user_model.GetUsersByEmails(ctx, emails.Values())

+ if err != nil {

+ return nil, err

+ }

+

+ for _, c := range oldCommits {

+ committer, ok := emailUsers[c.Committer.Email]

+ if !ok && c.Committer != nil {

+ committer = &user_model.User{

+ Name: c.Committer.Name,

+ Email: c.Committer.Email,

+ }

+ }

+

+ signCommit := &asymkey_model.SignCommit{

+ UserCommit: c,

+ Verification: asymkey_service.ParseCommitWithSignatureCommitter(ctx, c.Commit, committer),

+ }

+

+ _ = asymkey_model.CalculateTrustStatus(signCommit.Verification, repoTrustModel, isOwnerMemberCollaborator, &keyMap)

+

+ newCommits = append(newCommits, signCommit)

+ }

+ return newCommits, nil

+}

+

+// ConvertFromGitCommit converts git commits into SignCommitWithStatuses

+func ConvertFromGitCommit(ctx context.Context, commits []*git.Commit, repo *repo_model.Repository) ([]*git_model.SignCommitWithStatuses, error) {

+ validatedCommits, err := user_model.ValidateCommitsWithEmails(ctx, commits)

+ if err != nil {

+ return nil, err

+ }

+ signedCommits, err := ParseCommitsWithSignature(

+ ctx,

+ validatedCommits,

+ repo.GetTrustModel(),

+ func(user *user_model.User) (bool, error) {

+ return repo_model.IsOwnerMemberCollaborator(ctx, repo, user.ID)

+ },

+ )

+ if err != nil {

+ return nil, err

+ }

+ return ParseCommitsWithStatus(ctx, signedCommits, repo)

+}

+

+// ParseCommitsWithStatus checks commits latest statuses and calculates its worst status state

+func ParseCommitsWithStatus(ctx context.Context, oldCommits []*asymkey_model.SignCommit, repo *repo_model.Repository) ([]*git_model.SignCommitWithStatuses, error) {

+ newCommits := make([]*git_model.SignCommitWithStatuses, 0, len(oldCommits))

+

+ for _, c := range oldCommits {

+ commit := &git_model.SignCommitWithStatuses{

+ SignCommit: c,

+ }

+ statuses, _, err := git_model.GetLatestCommitStatus(ctx, repo.ID, commit.ID.String(), db.ListOptions{})

+ if err != nil {

+ return nil, err

+ }

+

+ commit.Statuses = statuses

+ commit.Status = git_model.CalcCommitStatus(statuses)

+ newCommits = append(newCommits, commit)

+ }

+ return newCommits, nil

+}

+ "code.gitea.io/gitea/modules/gitrepo"

+ "code.gitea.io/gitea/modules/json"

+ git_service "code.gitea.io/gitea/services/git"

+

+// LoadCommentPushCommits Load push commits

+func LoadCommentPushCommits(ctx context.Context, c *issues_model.Comment) (err error) {

+ if c.Content == "" || c.Commits != nil || c.Type != issues_model.CommentTypePullRequestPush {

+ return nil

+ }

+

+ var data issues_model.PushActionContent

+ err = json.Unmarshal([]byte(c.Content), &data)

+ if err != nil {

+ return err

+ }

+

+ c.IsForcePush = data.IsForcePush

+

+ if c.IsForcePush {

+ if len(data.CommitIDs) != 2 {

+ return nil

+ }

+ c.OldCommit = data.CommitIDs[0]

+ c.NewCommit = data.CommitIDs[1]

+ } else {

+ gitRepo, closer, err := gitrepo.RepositoryFromContextOrOpen(ctx, c.Issue.Repo)

+ if err != nil {

+ return err

+ }

+ defer closer.Close()

+

+ c.Commits, err = git_service.ConvertFromGitCommit(ctx, gitRepo.GetCommitsFromIDs(data.CommitIDs), c.Issue.Repo)

+ if err != nil {

+ return err

+ }

+ c.CommitsNum = int64(len(c.Commits))

+ }

+

+ return err

+}

+ issue_service "code.gitea.io/gitea/services/issue"

+ if err := issue_service.LoadCommentPushCommits(ctx, comment); err != nil {

+ asymkey_service "code.gitea.io/gitea/services/asymkey"

+ commitVerification := asymkey_service.ParseCommitWithSignature(ctx, commit)

+ asymkey_service "code.gitea.io/gitea/services/asymkey"

+ c.Verification = asymkey_service.ParseCommitWithSignature(ctx, c.Commit)