11 files changed, 81 insertions, 35 deletions
diff --git a/modules/auth/repo_form.go b/modules/auth/repo_form.go
index 3ad57085b0..f1130f372b 100644
--- a/modules/auth/repo_form.go
+++ b/modules/auth/repo_form.go
@@ -45,6 +45,7 @@ type CreateRepoForm struct {
 	Webhooks     bool
 	Avatar       bool
 	Labels       bool
+	TrustModel   string
 }
 
 // Validate validates the fields
@@ -142,6 +143,9 @@ type RepoSettingForm struct {
 	EnableIssueDependencies          bool
 	IsArchived                       bool
 
+	// Signing Settings
+	TrustModel string
+
 	// Admin settings
 	EnableHealthCheck                     bool
 	EnableCloseIssuesViaCommitInAnyBranch bool
diff --git a/modules/context/repo.go b/modules/context/repo.go
index 2c77361460..cb2e60d263 100644
--- a/modules/context/repo.go
+++ b/modules/context/repo.go
@@ -114,7 +114,7 @@ func (r *Repository) CanCommitToBranch(doer *models.User) (CanCommitToBranchResu
 		requireSigned = protectedBranch.RequireSignedCommits
 	}
 
-	sign, keyID, err := r.Repository.SignCRUDAction(doer, r.Repository.RepoPath(), git.BranchPrefix+r.BranchName)
+	sign, keyID, _, err := r.Repository.SignCRUDAction(doer, r.Repository.RepoPath(), git.BranchPrefix+r.BranchName)
 
 	canCommit := r.CanEnableEditor() && userCanPush
 	if requireSigned {
diff --git a/modules/git/repo_tree.go b/modules/git/repo_tree.go
index a662aaab4f..57896318a7 100644
--- a/modules/git/repo_tree.go
+++ b/modules/git/repo_tree.go
@@ -62,7 +62,7 @@ type CommitTreeOpts struct {
 }
 
 // CommitTree creates a commit from a given tree id for the user with provided message
-func (repo *Repository) CommitTree(sig *Signature, tree *Tree, opts CommitTreeOpts) (SHA1, error) {
+func (repo *Repository) CommitTree(author *Signature, committer *Signature, tree *Tree, opts CommitTreeOpts) (SHA1, error) {
 	err := LoadGitVersion()
 	if err != nil {
 		return SHA1{}, err
@@ -72,11 +72,11 @@ func (repo *Repository) CommitTree(sig *Signature, tree *Tree, opts CommitTreeOp
 
 	// Because this may call hooks we should pass in the environment
 	env := append(os.Environ(),
-		"GIT_AUTHOR_NAME="+sig.Name,
-		"GIT_AUTHOR_EMAIL="+sig.Email,
+		"GIT_AUTHOR_NAME="+author.Name,
+		"GIT_AUTHOR_EMAIL="+author.Email,
 		"GIT_AUTHOR_DATE="+commitTimeStr,
-		"GIT_COMMITTER_NAME="+sig.Name,
-		"GIT_COMMITTER_EMAIL="+sig.Email,
+		"GIT_COMMITTER_NAME="+committer.Name,
+		"GIT_COMMITTER_EMAIL="+committer.Email,
 		"GIT_COMMITTER_DATE="+commitTimeStr,
 	)
 	cmd := NewCommand("commit-tree", tree.ID.String())
diff --git a/modules/repofiles/delete.go b/modules/repofiles/delete.go
index 2ffc75e7c8..8343776c47 100644
--- a/modules/repofiles/delete.go
+++ b/modules/repofiles/delete.go
@@ -67,7 +67,7 @@ func DeleteRepoFile(repo *models.Repository, doer *models.User, opts *DeleteRepo
 				}
 			}
 			if protectedBranch.RequireSignedCommits {
-				_, _, err := repo.SignCRUDAction(doer, repo.RepoPath(), opts.OldBranch)
+				_, _, _, err := repo.SignCRUDAction(doer, repo.RepoPath(), opts.OldBranch)
 				if err != nil {
 					if !models.IsErrWontSign(err) {
 						return nil, err
diff --git a/modules/repofiles/temp_repo.go b/modules/repofiles/temp_repo.go
index ec671a9322..e0d6c9fcb6 100644
--- a/modules/repofiles/temp_repo.go
+++ b/modules/repofiles/temp_repo.go
@@ -204,8 +204,6 @@ func (t *TemporaryUploadRepository) CommitTreeWithDate(author, committer *models
 		"GIT_AUTHOR_NAME="+authorSig.Name,
 		"GIT_AUTHOR_EMAIL="+authorSig.Email,
 		"GIT_AUTHOR_DATE="+authorDate.Format(time.RFC3339),
-		"GIT_COMMITTER_NAME="+committerSig.Name,
-		"GIT_COMMITTER_EMAIL="+committerSig.Email,
 		"GIT_COMMITTER_DATE="+committerDate.Format(time.RFC3339),
 	)
 
@@ -217,14 +215,32 @@ func (t *TemporaryUploadRepository) CommitTreeWithDate(author, committer *models
 
 	// Determine if we should sign
 	if git.CheckGitVersionConstraint(">= 1.7.9") == nil {
-		sign, keyID, _ := t.repo.SignCRUDAction(author, t.basePath, "HEAD")
+		sign, keyID, signer, _ := t.repo.SignCRUDAction(author, t.basePath, "HEAD")
 		if sign {
 			args = append(args, "-S"+keyID)
+			if t.repo.GetTrustModel() == models.CommitterTrustModel || t.repo.GetTrustModel() == models.CollaboratorCommitterTrustModel {
+				if committerSig.Name != authorSig.Name || committerSig.Email != authorSig.Email {
+					// Add trailers
+					_, _ = messageBytes.WriteString("\n")
+					_, _ = messageBytes.WriteString("Co-Authored-By: ")
+					_, _ = messageBytes.WriteString(committerSig.String())
+					_, _ = messageBytes.WriteString("\n")
+					_, _ = messageBytes.WriteString("Co-Committed-By: ")
+					_, _ = messageBytes.WriteString(committerSig.String())
+					_, _ = messageBytes.WriteString("\n")
+				}
+				committerSig = signer
+			}
 		} else if git.CheckGitVersionConstraint(">= 2.0.0") == nil {
 			args = append(args, "--no-gpg-sign")
 		}
 	}
 
+	env = append(env,
+		"GIT_COMMITTER_NAME="+committerSig.Name,
+		"GIT_COMMITTER_EMAIL="+committerSig.Email,
+	)
+
 	stdout := new(bytes.Buffer)
 	stderr := new(bytes.Buffer)
 	if err := git.NewCommand(args...).RunInDirTimeoutEnvFullPipeline(env, -1, t.basePath, stdout, stderr, messageBytes); err != nil {
diff --git a/modules/repofiles/update.go b/modules/repofiles/update.go
index dcb87ec92b..f7fa5f0289 100644
--- a/modules/repofiles/update.go
+++ b/modules/repofiles/update.go
@@ -161,7 +161,7 @@ func CreateOrUpdateRepoFile(repo *models.Repository, doer *models.User, opts *Up
 				}
 			}
 			if protectedBranch.RequireSignedCommits {
-				_, _, err := repo.SignCRUDAction(doer, repo.RepoPath(), opts.OldBranch)
+				_, _, _, err := repo.SignCRUDAction(doer, repo.RepoPath(), opts.OldBranch)
 				if err != nil {
 					if !models.IsErrWontSign(err) {
 						return nil, err
diff --git a/modules/repository/create.go b/modules/repository/create.go
index abbec05a37..c180b9b948 100644
--- a/modules/repository/create.go
+++ b/modules/repository/create.go
@@ -41,6 +41,7 @@ func CreateRepository(doer, u *models.User, opts models.CreateRepoOptions) (_ *m
 		CloseIssuesViaCommitInAnyBranch: setting.Repository.DefaultCloseIssuesViaCommitsInAnyBranch,
 		Status:                          opts.Status,
 		IsEmpty:                         !opts.AutoInit,
+		TrustModel:                      opts.TrustModel,
 	}
 
 	err = models.WithTx(func(ctx models.DBContext) error {
diff --git a/modules/repository/generate.go b/modules/repository/generate.go
index c5fb0af383..1314464a6e 100644
--- a/modules/repository/generate.go
+++ b/modules/repository/generate.go
@@ -243,6 +243,7 @@ func GenerateRepository(ctx models.DBContext, doer, owner *models.User, template
 		IsEmpty:       !opts.GitContent || templateRepo.IsEmpty,
 		IsFsckEnabled: templateRepo.IsFsckEnabled,
 		TemplateID:    templateRepo.ID,
+		TrustModel:    templateRepo.TrustModel,
 	}
 
 	if err = models.CreateRepository(ctx, doer, owner, generateRepo); err != nil {
diff --git a/modules/repository/init.go b/modules/repository/init.go
index c2038e18d4..d066544a85 100644
--- a/modules/repository/init.go
+++ b/modules/repository/init.go
@@ -109,10 +109,10 @@ func initRepoCommit(tmpPath string, repo *models.Repository, u *models.User, def
 		"GIT_AUTHOR_NAME="+sig.Name,
 		"GIT_AUTHOR_EMAIL="+sig.Email,
 		"GIT_AUTHOR_DATE="+commitTimeStr,
-		"GIT_COMMITTER_NAME="+sig.Name,
-		"GIT_COMMITTER_EMAIL="+sig.Email,
 		"GIT_COMMITTER_DATE="+commitTimeStr,
 	)
+	committerName := sig.Name
+	committerEmail := sig.Email
 
 	if stdout, err := git.NewCommand("add", "--all").
 		SetDescription(fmt.Sprintf("initRepoCommit (git add): %s", tmpPath)).
@@ -132,14 +132,25 @@ func initRepoCommit(tmpPath string, repo *models.Repository, u *models.User, def
 	}
 
 	if git.CheckGitVersionConstraint(">= 1.7.9") == nil {
-		sign, keyID, _ := models.SignInitialCommit(tmpPath, u)
+		sign, keyID, signer, _ := models.SignInitialCommit(tmpPath, u)
 		if sign {
 			args = append(args, "-S"+keyID)
+
+			if repo.GetTrustModel() == models.CommitterTrustModel || repo.GetTrustModel() == models.CollaboratorCommitterTrustModel {
+				// need to set the committer to the KeyID owner
+				committerName = signer.Name
+				committerEmail = signer.Email
+			}
 		} else if git.CheckGitVersionConstraint(">= 2.0.0") == nil {
 			args = append(args, "--no-gpg-sign")
 		}
 	}
 
+	env = append(env,
+		"GIT_COMMITTER_NAME="+committerName,
+		"GIT_COMMITTER_EMAIL="+committerEmail,
+	)
+
 	if stdout, err := git.NewCommand(args...).
 		SetDescription(fmt.Sprintf("initRepoCommit (git commit): %s", tmpPath)).
 		RunInDirWithEnv(tmpPath, env); err != nil {
diff --git a/modules/setting/repository.go b/modules/setting/repository.go
index eb1501d7b8..67dd805353 100644
--- a/modules/setting/repository.go
+++ b/modules/setting/repository.go
@@ -83,13 +83,14 @@ var (
 		} `ini:"repository.issue"`
 
 		Signing struct {
-			SigningKey    string
-			SigningName   string
-			SigningEmail  string
-			InitialCommit []string
-			CRUDActions   []string `ini:"CRUD_ACTIONS"`
-			Merges        []string
-			Wiki          []string
+			SigningKey        string
+			SigningName       string
+			SigningEmail      string
+			InitialCommit     []string
+			CRUDActions       []string `ini:"CRUD_ACTIONS"`
+			Merges            []string
+			Wiki              []string
+			DefaultTrustModel string
 		} `ini:"repository.signing"`
 	}{
 		DetectedCharsetsOrder: []string{
@@ -209,21 +210,23 @@ var (
 
 		// Signing settings
 		Signing: struct {
-			SigningKey    string
-			SigningName   string
-			SigningEmail  string
-			InitialCommit []string
-			CRUDActions   []string `ini:"CRUD_ACTIONS"`
-			Merges        []string
-			Wiki          []string
+			SigningKey        string
+			SigningName       string
+			SigningEmail      string
+			InitialCommit     []string
+			CRUDActions       []string `ini:"CRUD_ACTIONS"`
+			Merges            []string
+			Wiki              []string
+			DefaultTrustModel string
 		}{
-			SigningKey:    "default",
-			SigningName:   "",
-			SigningEmail:  "",
-			InitialCommit: []string{"always"},
-			CRUDActions:   []string{"pubkey", "twofa", "parentsigned"},
-			Merges:        []string{"pubkey", "twofa", "basesigned", "commitssigned"},
-			Wiki:          []string{"never"},
+			SigningKey:        "default",
+			SigningName:       "",
+			SigningEmail:      "",
+			InitialCommit:     []string{"always"},
+			CRUDActions:       []string{"pubkey", "twofa", "parentsigned"},
+			Merges:            []string{"pubkey", "twofa", "basesigned", "commitssigned"},
+			Wiki:              []string{"never"},
+			DefaultTrustModel: "collaborator",
 		},
 	}
 	RepoRootPath string
@@ -268,6 +271,13 @@ func newRepository() {
 		log.Fatal("Failed to map Repository.PullRequest settings: %v", err)
 	}
 
+	// Handle default trustmodel settings
+	Repository.Signing.DefaultTrustModel = strings.ToLower(strings.TrimSpace(Repository.Signing.DefaultTrustModel))
+	if Repository.Signing.DefaultTrustModel == "default" {
+		Repository.Signing.DefaultTrustModel = "collaborator"
+	}
+
+	// Handle preferred charset orders
 	preferred := make([]string, 0, len(Repository.DetectedCharsetsOrder))
 	for _, charset := range Repository.DetectedCharsetsOrder {
 		canonicalCharset := strings.ToLower(strings.TrimSpace(charset))
diff --git a/modules/structs/repo.go b/modules/structs/repo.go
index c57702b282..c86b19dfd0 100644
--- a/modules/structs/repo.go
+++ b/modules/structs/repo.go
@@ -117,6 +117,9 @@ type CreateRepoOption struct {
 	Readme string `json:"readme"`
 	// DefaultBranch of the repository (used when initializes and in template)
 	DefaultBranch string `json:"default_branch" binding:"GitRefName;MaxSize(100)"`
+	// TrustModel of the repository
+	// enum: default,collaborator,committer,collaboratorcommitter
+	TrustModel string `json:"trust_model"`
 }
 
 // EditRepoOption options when editing a repository's properties