12 files changed, 259 insertions, 107 deletions

diff --git a/services/asymkey/commit.go b/services/asymkey/commit.go
index 105782a93a..148f51fd10 100644
--- a/services/asymkey/commit.go
+++ b/services/asymkey/commit.go
@@ -6,6 +6,7 @@ package asymkey
 import (
 	"context"
 	"fmt"
+	"slices"
 	"strings"
 
 	asymkey_model "code.gitea.io/gitea/models/asymkey"
@@ -359,24 +360,39 @@ func VerifyWithGPGSettings(ctx context.Context, gpgSettings *git.GPGSettings, si
 	return nil
 }
 
+func verifySSHCommitVerificationByInstanceKey(c *git.Commit, committerUser, signerUser *user_model.User, committerGitEmail, publicKeyContent string) *asymkey_model.CommitVerification {
+	fingerprint, err := asymkey_model.CalcFingerprint(publicKeyContent)
+	if err != nil {
+		log.Error("Error calculating the fingerprint public key %q, err: %v", publicKeyContent, err)
+		return nil
+	}
+	sshPubKey := &asymkey_model.PublicKey{
+		Verified:    true,
+		Content:     publicKeyContent,
+		Fingerprint: fingerprint,
+		HasUsed:     true,
+	}
+	return verifySSHCommitVerification(c.Signature.Signature, c.Signature.Payload, sshPubKey, committerUser, signerUser, committerGitEmail)
+}
+
 // ParseCommitWithSSHSignature check if signature is good against keystore.
-func ParseCommitWithSSHSignature(ctx context.Context, c *git.Commit, committer *user_model.User) *asymkey_model.CommitVerification {
+func ParseCommitWithSSHSignature(ctx context.Context, c *git.Commit, committerUser *user_model.User) *asymkey_model.CommitVerification {
 	// Now try to associate the signature with the committer, if present
-	if committer.ID != 0 {
+	if committerUser.ID != 0 {
 		keys, err := db.Find[asymkey_model.PublicKey](ctx, asymkey_model.FindPublicKeyOptions{
-			OwnerID:    committer.ID,
+			OwnerID:    committerUser.ID,
 			NotKeytype: asymkey_model.KeyTypePrincipal,
 		})
 		if err != nil { // Skipping failed to get ssh keys of user
 			log.Error("ListPublicKeys: %v", err)
 			return &asymkey_model.CommitVerification{
-				CommittingUser: committer,
+				CommittingUser: committerUser,
 				Verified:       false,
 				Reason:         "gpg.error.failed_retrieval_gpg_keys",
 			}
 		}
 
-		committerEmailAddresses, err := cache.GetWithContextCache(ctx, cachegroup.UserEmailAddresses, committer.ID, user_model.GetEmailAddresses)
+		committerEmailAddresses, err := cache.GetWithContextCache(ctx, cachegroup.UserEmailAddresses, committerUser.ID, user_model.GetEmailAddresses)
 		if err != nil {
 			log.Error("GetEmailAddresses: %v", err)
 		}
@@ -391,7 +407,7 @@ func ParseCommitWithSSHSignature(ctx context.Context, c *git.Commit, committer *
 
 		for _, k := range keys {
 			if k.Verified && activated {
-				commitVerification := verifySSHCommitVerification(c.Signature.Signature, c.Signature.Payload, k, committer, committer, c.Committer.Email)
+				commitVerification := verifySSHCommitVerification(c.Signature.Signature, c.Signature.Payload, k, committerUser, committerUser, c.Committer.Email)
 				if commitVerification != nil {
 					return commitVerification
 				}
@@ -399,8 +415,45 @@ func ParseCommitWithSSHSignature(ctx context.Context, c *git.Commit, committer *
 		}
 	}
 
+	// Try the pre-set trusted keys (for key-rotation purpose)
+	// At the moment, we still use the SigningName&SigningEmail for the rotated keys.
+	// Maybe in the future we can extend the key format to "ssh-xxx .... old-user@example.com" to support different signer emails.
+	for _, k := range setting.Repository.Signing.TrustedSSHKeys {
+		signerUser := &user_model.User{
+			Name:  setting.Repository.Signing.SigningName,
+			Email: setting.Repository.Signing.SigningEmail,
+		}
+		commitVerification := verifySSHCommitVerificationByInstanceKey(c, committerUser, signerUser, c.Committer.Email, k)
+		if commitVerification != nil && commitVerification.Verified {
+			return commitVerification
+		}
+	}
+
+	// Try the configured instance-wide SSH public key
+	if setting.Repository.Signing.SigningFormat == git.SigningKeyFormatSSH && !slices.Contains([]string{"", "default", "none"}, setting.Repository.Signing.SigningKey) {
+		gpgSettings := git.GPGSettings{
+			Sign:   true,
+			KeyID:  setting.Repository.Signing.SigningKey,
+			Name:   setting.Repository.Signing.SigningName,
+			Email:  setting.Repository.Signing.SigningEmail,
+			Format: setting.Repository.Signing.SigningFormat,
+		}
+		signerUser := &user_model.User{
+			Name:  gpgSettings.Name,
+			Email: gpgSettings.Email,
+		}
+		if err := gpgSettings.LoadPublicKeyContent(); err != nil {
+			log.Error("Error getting instance-wide SSH signing key %q, err: %v", gpgSettings.KeyID, err)
+		} else {
+			commitVerification := verifySSHCommitVerificationByInstanceKey(c, committerUser, signerUser, gpgSettings.Email, gpgSettings.PublicKeyContent)
+			if commitVerification != nil && commitVerification.Verified {
+				return commitVerification
+			}
+		}
+	}
+
 	return &asymkey_model.CommitVerification{
-		CommittingUser: committer,
+		CommittingUser: committerUser,
 		Verified:       false,
 		Reason:         asymkey_model.NoKeyFound,
 	}
diff --git a/services/asymkey/commit_test.go b/services/asymkey/commit_test.go
new file mode 100644
index 0000000000..0438209a61
--- /dev/null
+++ b/services/asymkey/commit_test.go
@@ -0,0 +1,54 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package asymkey
+
+import (
+	"strings"
+	"testing"
+
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/git"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/test"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestParseCommitWithSSHSignature(t *testing.T) {
+	// Here we only test the TrustedSSHKeys. The complete signing test is in tests/integration/gpg_ssh_git_test.go
+	t.Run("TrustedSSHKey", func(t *testing.T) {
+		defer test.MockVariableValue(&setting.Repository.Signing.SigningName, "gitea")()
+		defer test.MockVariableValue(&setting.Repository.Signing.SigningEmail, "gitea@fake.local")()
+		defer test.MockVariableValue(&setting.Repository.Signing.TrustedSSHKeys, []string{"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH6Y4idVaW3E+bLw1uqoAfJD7o5Siu+HqS51E9oQLPE9"})()
+
+		commit, err := git.CommitFromReader(nil, git.Sha1ObjectFormat.EmptyObjectID(), strings.NewReader(`tree 9a93ffa76e8b72bdb6431910b3a506fa2b39f42e
+author User Two <user2@example.com> 1749230009 +0200
+committer User Two <user2@example.com> 1749230009 +0200
+gpgsig -----BEGIN SSH SIGNATURE-----
+ U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgfpjiJ1VpbcT5svDW6qgB8kPujl
+ KK74epLnUT2hAs8T0AAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5
+ AAAAQDX2t2iHuuLxEWHLJetYXKsgayv3c43r0pJNfAzdLN55Q65pC5M7rG6++gT2bxcpOu
+ Y6EXbpLqia9sunEF3+LQY=
+ -----END SSH SIGNATURE-----
+
+Initial commit with signed file
+`))
+		require.NoError(t, err)
+		committingUser := &user_model.User{
+			ID:    2,
+			Name:  "User Two",
+			Email: "user2@example.com",
+		}
+		ret := ParseCommitWithSSHSignature(t.Context(), commit, committingUser)
+		require.NotNil(t, ret)
+		assert.True(t, ret.Verified)
+		assert.False(t, ret.Warning)
+		assert.Equal(t, committingUser, ret.CommittingUser)
+		if assert.NotNil(t, ret.SigningUser) {
+			assert.Equal(t, "gitea", ret.SigningUser.Name)
+			assert.Equal(t, "gitea@fake.local", ret.SigningUser.Email)
+		}
+	})
+}
diff --git a/services/asymkey/sign.go b/services/asymkey/sign.go
index 2216bca54a..f94462ea46 100644
--- a/services/asymkey/sign.go
+++ b/services/asymkey/sign.go
@@ -6,6 +6,7 @@ package asymkey
 import (
 	"context"
 	"fmt"
+	"os"
 	"strings"
 
 	asymkey_model "code.gitea.io/gitea/models/asymkey"
@@ -85,9 +86,9 @@ func IsErrWontSign(err error) bool {
 }
 
 // SigningKey returns the KeyID and git Signature for the repo
-func SigningKey(ctx context.Context, repoPath string) (string, *git.Signature) {
+func SigningKey(ctx context.Context, repoPath string) (*git.SigningKey, *git.Signature) {
 	if setting.Repository.Signing.SigningKey == "none" {
-		return "", nil
+		return nil, nil
 	}
 
 	if setting.Repository.Signing.SigningKey == "default" || setting.Repository.Signing.SigningKey == "" {
@@ -95,53 +96,77 @@ func SigningKey(ctx context.Context, repoPath string) (string, *git.Signature) {
 		value, _, _ := git.NewCommand("config", "--get", "commit.gpgsign").RunStdString(ctx, &git.RunOpts{Dir: repoPath})
 		sign, valid := git.ParseBool(strings.TrimSpace(value))
 		if !sign || !valid {
-			return "", nil
+			return nil, nil
 		}
 
+		format, _, _ := git.NewCommand("config", "--default", git.SigningKeyFormatOpenPGP, "--get", "gpg.format").RunStdString(ctx, &git.RunOpts{Dir: repoPath})
 		signingKey, _, _ := git.NewCommand("config", "--get", "user.signingkey").RunStdString(ctx, &git.RunOpts{Dir: repoPath})
 		signingName, _, _ := git.NewCommand("config", "--get", "user.name").RunStdString(ctx, &git.RunOpts{Dir: repoPath})
 		signingEmail, _, _ := git.NewCommand("config", "--get", "user.email").RunStdString(ctx, &git.RunOpts{Dir: repoPath})
-		return strings.TrimSpace(signingKey), &git.Signature{
-			Name:  strings.TrimSpace(signingName),
-			Email: strings.TrimSpace(signingEmail),
+
+		if strings.TrimSpace(signingKey) == "" {
+			return nil, nil
 		}
+
+		return &git.SigningKey{
+				KeyID:  strings.TrimSpace(signingKey),
+				Format: strings.TrimSpace(format),
+			}, &git.Signature{
+				Name:  strings.TrimSpace(signingName),
+				Email: strings.TrimSpace(signingEmail),
+			}
 	}
 
-	return setting.Repository.Signing.SigningKey, &git.Signature{
-		Name:  setting.Repository.Signing.SigningName,
-		Email: setting.Repository.Signing.SigningEmail,
+	if setting.Repository.Signing.SigningKey == "" {
+		return nil, nil
 	}
+
+	return &git.SigningKey{
+			KeyID:  setting.Repository.Signing.SigningKey,
+			Format: setting.Repository.Signing.SigningFormat,
+		}, &git.Signature{
+			Name:  setting.Repository.Signing.SigningName,
+			Email: setting.Repository.Signing.SigningEmail,
+		}
 }
 
 // PublicSigningKey gets the public signing key within a provided repository directory
-func PublicSigningKey(ctx context.Context, repoPath string) (string, error) {
+func PublicSigningKey(ctx context.Context, repoPath string) (content, format string, err error) {
 	signingKey, _ := SigningKey(ctx, repoPath)
-	if signingKey == "" {
-		return "", nil
+	if signingKey == nil {
+		return "", "", nil
+	}
+	if signingKey.Format == git.SigningKeyFormatSSH {
+		content, err := os.ReadFile(signingKey.KeyID)
+		if err != nil {
+			log.Error("Unable to read SSH public key file in %s: %s, %v", repoPath, signingKey, err)
+			return "", signingKey.Format, err
+		}
+		return string(content), signingKey.Format, nil
 	}
 
 	content, stderr, err := process.GetManager().ExecDir(ctx, -1, repoPath,
-		"gpg --export -a", "gpg", "--export", "-a", signingKey)
+		"gpg --export -a", "gpg", "--export", "-a", signingKey.KeyID)
 	if err != nil {
 		log.Error("Unable to get default signing key in %s: %s, %s, %v", repoPath, signingKey, stderr, err)
-		return "", err
+		return "", signingKey.Format, err
 	}
-	return content, nil
+	return content, signingKey.Format, nil
 }
 
 // SignInitialCommit determines if we should sign the initial commit to this repository
-func SignInitialCommit(ctx context.Context, repoPath string, u *user_model.User) (bool, string, *git.Signature, error) {
+func SignInitialCommit(ctx context.Context, repoPath string, u *user_model.User) (bool, *git.SigningKey, *git.Signature, error) {
 	rules := signingModeFromStrings(setting.Repository.Signing.InitialCommit)
 	signingKey, sig := SigningKey(ctx, repoPath)
-	if signingKey == "" {
-		return false, "", nil, &ErrWontSign{noKey}
+	if signingKey == nil {
+		return false, nil, nil, &ErrWontSign{noKey}
 	}
 
 Loop:
 	for _, rule := range rules {
 		switch rule {
 		case never:
-			return false, "", nil, &ErrWontSign{never}
+			return false, nil, nil, &ErrWontSign{never}
 		case always:
 			break Loop
 		case pubkey:
@@ -150,18 +175,18 @@ Loop:
 				IncludeSubKeys: true,
 			})
 			if err != nil {
-				return false, "", nil, err
+				return false, nil, nil, err
 			}
 			if len(keys) == 0 {
-				return false, "", nil, &ErrWontSign{pubkey}
+				return false, nil, nil, &ErrWontSign{pubkey}
 			}
 		case twofa:
 			twofaModel, err := auth.GetTwoFactorByUID(ctx, u.ID)
 			if err != nil && !auth.IsErrTwoFactorNotEnrolled(err) {
-				return false, "", nil, err
+				return false, nil, nil, err
 			}
 			if twofaModel == nil {
-				return false, "", nil, &ErrWontSign{twofa}
+				return false, nil, nil, &ErrWontSign{twofa}
 			}
 		}
 	}
@@ -169,19 +194,19 @@ Loop:
 }
 
 // SignWikiCommit determines if we should sign the commits to this repository wiki
-func SignWikiCommit(ctx context.Context, repo *repo_model.Repository, u *user_model.User) (bool, string, *git.Signature, error) {
+func SignWikiCommit(ctx context.Context, repo *repo_model.Repository, u *user_model.User) (bool, *git.SigningKey, *git.Signature, error) {
 	repoWikiPath := repo.WikiPath()
 	rules := signingModeFromStrings(setting.Repository.Signing.Wiki)
 	signingKey, sig := SigningKey(ctx, repoWikiPath)
-	if signingKey == "" {
-		return false, "", nil, &ErrWontSign{noKey}
+	if signingKey == nil {
+		return false, nil, nil, &ErrWontSign{noKey}
 	}
 
 Loop:
 	for _, rule := range rules {
 		switch rule {
 		case never:
-			return false, "", nil, &ErrWontSign{never}
+			return false, nil, nil, &ErrWontSign{never}
 		case always:
 			break Loop
 		case pubkey:
@@ -190,35 +215,35 @@ Loop:
 				IncludeSubKeys: true,
 			})
 			if err != nil {
-				return false, "", nil, err
+				return false, nil, nil, err
 			}
 			if len(keys) == 0 {
-				return false, "", nil, &ErrWontSign{pubkey}
+				return false, nil, nil, &ErrWontSign{pubkey}
 			}
 		case twofa:
 			twofaModel, err := auth.GetTwoFactorByUID(ctx, u.ID)
 			if err != nil && !auth.IsErrTwoFactorNotEnrolled(err) {
-				return false, "", nil, err
+				return false, nil, nil, err
 			}
 			if twofaModel == nil {
-				return false, "", nil, &ErrWontSign{twofa}
+				return false, nil, nil, &ErrWontSign{twofa}
 			}
 		case parentSigned:
 			gitRepo, err := gitrepo.OpenRepository(ctx, repo.WikiStorageRepo())
 			if err != nil {
-				return false, "", nil, err
+				return false, nil, nil, err
 			}
 			defer gitRepo.Close()
 			commit, err := gitRepo.GetCommit("HEAD")
 			if err != nil {
-				return false, "", nil, err
+				return false, nil, nil, err
 			}
 			if commit.Signature == nil {
-				return false, "", nil, &ErrWontSign{parentSigned}
+				return false, nil, nil, &ErrWontSign{parentSigned}
 			}
 			verification := ParseCommitWithSignature(ctx, commit)
 			if !verification.Verified {
-				return false, "", nil, &ErrWontSign{parentSigned}
+				return false, nil, nil, &ErrWontSign{parentSigned}
 			}
 		}
 	}
@@ -226,18 +251,18 @@ Loop:
 }
 
 // SignCRUDAction determines if we should sign a CRUD commit to this repository
-func SignCRUDAction(ctx context.Context, repoPath string, u *user_model.User, tmpBasePath, parentCommit string) (bool, string, *git.Signature, error) {
+func SignCRUDAction(ctx context.Context, repoPath string, u *user_model.User, tmpBasePath, parentCommit string) (bool, *git.SigningKey, *git.Signature, error) {
 	rules := signingModeFromStrings(setting.Repository.Signing.CRUDActions)
 	signingKey, sig := SigningKey(ctx, repoPath)
-	if signingKey == "" {
-		return false, "", nil, &ErrWontSign{noKey}
+	if signingKey == nil {
+		return false, nil, nil, &ErrWontSign{noKey}
 	}
 
 Loop:
 	for _, rule := range rules {
 		switch rule {
 		case never:
-			return false, "", nil, &ErrWontSign{never}
+			return false, nil, nil, &ErrWontSign{never}
 		case always:
 			break Loop
 		case pubkey:
@@ -246,35 +271,35 @@ Loop:
 				IncludeSubKeys: true,
 			})
 			if err != nil {
-				return false, "", nil, err
+				return false, nil, nil, err
 			}
 			if len(keys) == 0 {
-				return false, "", nil, &ErrWontSign{pubkey}
+				return false, nil, nil, &ErrWontSign{pubkey}
 			}
 		case twofa:
 			twofaModel, err := auth.GetTwoFactorByUID(ctx, u.ID)
 			if err != nil && !auth.IsErrTwoFactorNotEnrolled(err) {
-				return false, "", nil, err
+				return false, nil, nil, err
 			}
 			if twofaModel == nil {
-				return false, "", nil, &ErrWontSign{twofa}
+				return false, nil, nil, &ErrWontSign{twofa}
 			}
 		case parentSigned:
 			gitRepo, err := git.OpenRepository(ctx, tmpBasePath)
 			if err != nil {
-				return false, "", nil, err
+				return false, nil, nil, err
 			}
 			defer gitRepo.Close()
 			commit, err := gitRepo.GetCommit(parentCommit)
 			if err != nil {
-				return false, "", nil, err
+				return false, nil, nil, err
 			}
 			if commit.Signature == nil {
-				return false, "", nil, &ErrWontSign{parentSigned}
+				return false, nil, nil, &ErrWontSign{parentSigned}
 			}
 			verification := ParseCommitWithSignature(ctx, commit)
 			if !verification.Verified {
-				return false, "", nil, &ErrWontSign{parentSigned}
+				return false, nil, nil, &ErrWontSign{parentSigned}
 			}
 		}
 	}
@@ -282,16 +307,16 @@ Loop:
 }
 
 // SignMerge determines if we should sign a PR merge commit to the base repository
-func SignMerge(ctx context.Context, pr *issues_model.PullRequest, u *user_model.User, tmpBasePath, baseCommit, headCommit string) (bool, string, *git.Signature, error) {
+func SignMerge(ctx context.Context, pr *issues_model.PullRequest, u *user_model.User, tmpBasePath, baseCommit, headCommit string) (bool, *git.SigningKey, *git.Signature, error) {
 	if err := pr.LoadBaseRepo(ctx); err != nil {
 		log.Error("Unable to get Base Repo for pull request")
-		return false, "", nil, err
+		return false, nil, nil, err
 	}
 	repo := pr.BaseRepo
 
 	signingKey, signer := SigningKey(ctx, repo.RepoPath())
-	if signingKey == "" {
-		return false, "", nil, &ErrWontSign{noKey}
+	if signingKey == nil {
+		return false, nil, nil, &ErrWontSign{noKey}
 	}
 	rules := signingModeFromStrings(setting.Repository.Signing.Merges)
 
@@ -302,7 +327,7 @@ Loop:
 	for _, rule := range rules {
 		switch rule {
 		case never:
-			return false, "", nil, &ErrWontSign{never}
+			return false, nil, nil, &ErrWontSign{never}
 		case always:
 			break Loop
 		case pubkey:
@@ -311,91 +336,91 @@ Loop:
 				IncludeSubKeys: true,
 			})
 			if err != nil {
-				return false, "", nil, err
+				return false, nil, nil, err
 			}
 			if len(keys) == 0 {
-				return false, "", nil, &ErrWontSign{pubkey}
+				return false, nil, nil, &ErrWontSign{pubkey}
 			}
 		case twofa:
 			twofaModel, err := auth.GetTwoFactorByUID(ctx, u.ID)
 			if err != nil && !auth.IsErrTwoFactorNotEnrolled(err) {
-				return false, "", nil, err
+				return false, nil, nil, err
 			}
 			if twofaModel == nil {
-				return false, "", nil, &ErrWontSign{twofa}
+				return false, nil, nil, &ErrWontSign{twofa}
 			}
 		case approved:
 			protectedBranch, err := git_model.GetFirstMatchProtectedBranchRule(ctx, repo.ID, pr.BaseBranch)
 			if err != nil {
-				return false, "", nil, err
+				return false, nil, nil, err
 			}
 			if protectedBranch == nil {
-				return false, "", nil, &ErrWontSign{approved}
+				return false, nil, nil, &ErrWontSign{approved}
 			}
 			if issues_model.GetGrantedApprovalsCount(ctx, protectedBranch, pr) < 1 {
-				return false, "", nil, &ErrWontSign{approved}
+				return false, nil, nil, &ErrWontSign{approved}
 			}
 		case baseSigned:
 			if gitRepo == nil {
 				gitRepo, err = git.OpenRepository(ctx, tmpBasePath)
 				if err != nil {
-					return false, "", nil, err
+					return false, nil, nil, err
 				}
 				defer gitRepo.Close()
 			}
 			commit, err := gitRepo.GetCommit(baseCommit)
 			if err != nil {
-				return false, "", nil, err
+				return false, nil, nil, err
 			}
 			verification := ParseCommitWithSignature(ctx, commit)
 			if !verification.Verified {
-				return false, "", nil, &ErrWontSign{baseSigned}
+				return false, nil, nil, &ErrWontSign{baseSigned}
 			}
 		case headSigned:
 			if gitRepo == nil {
 				gitRepo, err = git.OpenRepository(ctx, tmpBasePath)
 				if err != nil {
-					return false, "", nil, err
+					return false, nil, nil, err
 				}
 				defer gitRepo.Close()
 			}
 			commit, err := gitRepo.GetCommit(headCommit)
 			if err != nil {
-				return false, "", nil, err
+				return false, nil, nil, err
 			}
 			verification := ParseCommitWithSignature(ctx, commit)
 			if !verification.Verified {
-				return false, "", nil, &ErrWontSign{headSigned}
+				return false, nil, nil, &ErrWontSign{headSigned}
 			}
 		case commitsSigned:
 			if gitRepo == nil {
 				gitRepo, err = git.OpenRepository(ctx, tmpBasePath)
 				if err != nil {
-					return false, "", nil, err
+					return false, nil, nil, err
 				}
 				defer gitRepo.Close()
 			}
 			commit, err := gitRepo.GetCommit(headCommit)
 			if err != nil {
-				return false, "", nil, err
+				return false, nil, nil, err
 			}
 			verification := ParseCommitWithSignature(ctx, commit)
 			if !verification.Verified {
-				return false, "", nil, &ErrWontSign{commitsSigned}
+				return false, nil, nil, &ErrWontSign{commitsSigned}
 			}
 			// need to work out merge-base
 			mergeBaseCommit, _, err := gitRepo.GetMergeBase("", baseCommit, headCommit)
 			if err != nil {
-				return false, "", nil, err
+				return false, nil, nil, err
 			}
 			commitList, err := commit.CommitsBeforeUntil(mergeBaseCommit)
 			if err != nil {
-				return false, "", nil, err
+				return false, nil, nil, err
 			}
 			for _, commit := range commitList {
 				verification := ParseCommitWithSignature(ctx, commit)
 				if !verification.Verified {
-					return false, "", nil, &ErrWontSign{commitsSigned}
+					return false, nil, nil, &ErrWontSign{commitsSigned}
 				}
 			}
 		}
diff --git a/services/context/repo.go b/services/context/repo.go
index 61841aa90b..32d54c88ff 100644
--- a/services/context/repo.go
+++ b/services/context/repo.go
@@ -101,7 +101,7 @@ type CanCommitToBranchResults struct {
 	UserCanPush       bool
 	RequireSigned     bool
 	WillSign          bool
-	SigningKey        string
+	SigningKey        *git.SigningKey
 	WontSignReason    string
 }
 
@@ -123,7 +123,8 @@ func (r *Repository) CanCommitToBranch(ctx context.Context, doer *user_model.Use
 
 	sign, keyID, _, err := asymkey_service.SignCRUDAction(ctx, r.Repository.RepoPath(), doer, r.Repository.RepoPath(), git.BranchPrefix+r.BranchName)
 
-	canCommit := r.CanEnableEditor(ctx, doer) && userCanPush
+	canEnableEditor := r.CanEnableEditor(ctx, doer)
+	canCommit := canEnableEditor && userCanPush
 	if requireSigned {
 		canCommit = canCommit && sign
 	}
@@ -139,7 +140,7 @@ func (r *Repository) CanCommitToBranch(ctx context.Context, doer *user_model.Use
 
 	return CanCommitToBranchResults{
 		CanCommitToBranch: canCommit,
-		EditorEnabled:     r.CanEnableEditor(ctx, doer),
+		EditorEnabled:     canEnableEditor,
 		UserCanPush:       userCanPush,
 		RequireSigned:     requireSigned,
 		WillSign:          sign,
diff --git a/services/convert/pull.go b/services/convert/pull.go
index 7798bebb08..8f9679f649 100644
--- a/services/convert/pull.go
+++ b/services/convert/pull.go
@@ -419,6 +419,9 @@ func ToAPIPullRequests(ctx context.Context, baseRepo *repo_model.Repository, prs
 		if baseBranch != nil {
 			apiPullRequest.Base.Sha = baseBranch.CommitID
 		}
+		if pr.HeadRepoID == pr.BaseRepoID {
+			apiPullRequest.Head.Repository = apiPullRequest.Base.Repository
+		}
 
 		// pull request head branch, both repository and branch could not exist
 		if pr.HeadRepo != nil {
@@ -431,22 +434,19 @@ func ToAPIPullRequests(ctx context.Context, baseRepo *repo_model.Repository, prs
 			if exist {
 				apiPullRequest.Head.Ref = pr.HeadBranch
 			}
+			if pr.HeadRepoID != pr.BaseRepoID {
+				p, err := access_model.GetUserRepoPermission(ctx, pr.HeadRepo, doer)
+				if err != nil {
+					log.Error("GetUserRepoPermission[%d]: %v", pr.HeadRepoID, err)
+					p.AccessMode = perm.AccessModeNone
+				}
+				apiPullRequest.Head.Repository = ToRepo(ctx, pr.HeadRepo, p)
+			}
 		}
 		if apiPullRequest.Head.Ref == "" {
 			apiPullRequest.Head.Ref = pr.GetGitRefName()
 		}
 
-		if pr.HeadRepoID == pr.BaseRepoID {
-			apiPullRequest.Head.Repository = apiPullRequest.Base.Repository
-		} else {
-			p, err := access_model.GetUserRepoPermission(ctx, pr.HeadRepo, doer)
-			if err != nil {
-				log.Error("GetUserRepoPermission[%d]: %v", pr.HeadRepoID, err)
-				p.AccessMode = perm.AccessModeNone
-			}
-			apiPullRequest.Head.Repository = ToRepo(ctx, pr.HeadRepo, p)
-		}
-
 		if pr.Flow == issues_model.PullRequestFlowAGit {
 			apiPullRequest.Head.Name = ""
 		}
diff --git a/services/convert/pull_test.go b/services/convert/pull_test.go
index cd86283c8a..dfbe24d184 100644
--- a/services/convert/pull_test.go
+++ b/services/convert/pull_test.go
@@ -46,4 +46,11 @@ func TestPullRequest_APIFormat(t *testing.T) {
 	assert.NotNil(t, apiPullRequest)
 	assert.Nil(t, apiPullRequest.Head.Repository)
 	assert.EqualValues(t, -1, apiPullRequest.Head.RepoID)
+
+	apiPullRequests, err := ToAPIPullRequests(git.DefaultContext, pr.BaseRepo, []*issues_model.PullRequest{pr}, nil)
+	assert.NoError(t, err)
+	assert.Len(t, apiPullRequests, 1)
+	assert.NotNil(t, apiPullRequests[0])
+	assert.Nil(t, apiPullRequests[0].Head.Repository)
+	assert.EqualValues(t, -1, apiPullRequests[0].Head.RepoID)
 }
diff --git a/services/pull/merge.go b/services/pull/merge.go
index 829d4b7ee1..2a2f47e880 100644
--- a/services/pull/merge.go
+++ b/services/pull/merge.go
@@ -432,10 +432,13 @@ func doMergeAndPush(ctx context.Context, pr *issues_model.PullRequest, doer *use
 
 func commitAndSignNoAuthor(ctx *mergeContext, message string) error {
 	cmdCommit := git.NewCommand("commit").AddOptionFormat("--message=%s", message)
-	if ctx.signKeyID == "" {
+	if ctx.signKey == nil {
 		cmdCommit.AddArguments("--no-gpg-sign")
 	} else {
-		cmdCommit.AddOptionFormat("-S%s", ctx.signKeyID)
+		if ctx.signKey.Format != "" {
+			cmdCommit.AddConfig("gpg.format", ctx.signKey.Format)
+		}
+		cmdCommit.AddOptionFormat("-S%s", ctx.signKey.KeyID)
 	}
 	if err := cmdCommit.Run(ctx, ctx.RunOpts()); err != nil {
 		log.Error("git commit %-v: %v\n%s\n%s", ctx.pr, err, ctx.outbuf.String(), ctx.errbuf.String())
diff --git a/services/pull/merge_prepare.go b/services/pull/merge_prepare.go
index 719cc6b965..31a1e13734 100644
--- a/services/pull/merge_prepare.go
+++ b/services/pull/merge_prepare.go
@@ -27,7 +27,7 @@ type mergeContext struct {
 	doer      *user_model.User
 	sig       *git.Signature
 	committer *git.Signature
-	signKeyID string // empty for no-sign, non-empty to sign
+	signKey   *git.SigningKey
 	env       []string
 }
 
@@ -99,9 +99,9 @@ func createTemporaryRepoForMerge(ctx context.Context, pr *issues_model.PullReque
 	mergeCtx.committer = mergeCtx.sig
 
 	// Determine if we should sign
-	sign, keyID, signer, _ := asymkey_service.SignMerge(ctx, mergeCtx.pr, mergeCtx.doer, mergeCtx.tmpBasePath, "HEAD", trackingBranch)
+	sign, key, signer, _ := asymkey_service.SignMerge(ctx, mergeCtx.pr, mergeCtx.doer, mergeCtx.tmpBasePath, "HEAD", trackingBranch)
 	if sign {
-		mergeCtx.signKeyID = keyID
+		mergeCtx.signKey = key
 		if pr.BaseRepo.GetTrustModel() == repo_model.CommitterTrustModel || pr.BaseRepo.GetTrustModel() == repo_model.CollaboratorCommitterTrustModel {
 			mergeCtx.committer = signer
 		}
diff --git a/services/pull/merge_squash.go b/services/pull/merge_squash.go
index 119b28736c..0049c0b117 100644
--- a/services/pull/merge_squash.go
+++ b/services/pull/merge_squash.go
@@ -71,10 +71,13 @@ func doMergeStyleSquash(ctx *mergeContext, message string) error {
 	cmdCommit := git.NewCommand("commit").
 		AddOptionFormat("--author='%s <%s>'", sig.Name, sig.Email).
 		AddOptionFormat("--message=%s", message)
-	if ctx.signKeyID == "" {
+	if ctx.signKey == nil {
 		cmdCommit.AddArguments("--no-gpg-sign")
 	} else {
-		cmdCommit.AddOptionFormat("-S%s", ctx.signKeyID)
+		if ctx.signKey.Format != "" {
+			cmdCommit.AddConfig("gpg.format", ctx.signKey.Format)
+		}
+		cmdCommit.AddOptionFormat("-S%s", ctx.signKey.KeyID)
 	}
 	if err := cmdCommit.Run(ctx, ctx.RunOpts()); err != nil {
 		log.Error("git commit %-v: %v\n%s\n%s", ctx.pr, err, ctx.outbuf.String(), ctx.errbuf.String())
diff --git a/services/repository/files/temp_repo.go b/services/repository/files/temp_repo.go
index 493ff9998d..1cf30edc7b 100644
--- a/services/repository/files/temp_repo.go
+++ b/services/repository/files/temp_repo.go
@@ -293,15 +293,18 @@ func (t *TemporaryUploadRepository) CommitTree(ctx context.Context, opts *Commit
 	}
 
 	var sign bool
-	var keyID string
+	var key *git.SigningKey
 	var signer *git.Signature
 	if opts.ParentCommitID != "" {
-		sign, keyID, signer, _ = asymkey_service.SignCRUDAction(ctx, t.repo.RepoPath(), opts.DoerUser, t.basePath, opts.ParentCommitID)
+		sign, key, signer, _ = asymkey_service.SignCRUDAction(ctx, t.repo.RepoPath(), opts.DoerUser, t.basePath, opts.ParentCommitID)
 	} else {
-		sign, keyID, signer, _ = asymkey_service.SignInitialCommit(ctx, t.repo.RepoPath(), opts.DoerUser)
+		sign, key, signer, _ = asymkey_service.SignInitialCommit(ctx, t.repo.RepoPath(), opts.DoerUser)
 	}
 	if sign {
-		cmdCommitTree.AddOptionFormat("-S%s", keyID)
+		if key.Format != "" {
+			cmdCommitTree.AddConfig("gpg.format", key.Format)
+		}
+		cmdCommitTree.AddOptionFormat("-S%s", key.KeyID)
 		if t.repo.GetTrustModel() == repo_model.CommitterTrustModel || t.repo.GetTrustModel() == repo_model.CollaboratorCommitterTrustModel {
 			if committerSig.Name != authorSig.Name || committerSig.Email != authorSig.Email {
 				// Add trailers
diff --git a/services/repository/init.go b/services/repository/init.go
index bd777b8a2f..1eeeb4aa4f 100644
--- a/services/repository/init.go
+++ b/services/repository/init.go
@@ -42,9 +42,12 @@ func initRepoCommit(ctx context.Context, tmpPath string, repo *repo_model.Reposi
 	cmd := git.NewCommand("commit", "--message=Initial commit").
 		AddOptionFormat("--author='%s <%s>'", sig.Name, sig.Email)
 
-	sign, keyID, signer, _ := asymkey_service.SignInitialCommit(ctx, tmpPath, u)
+	sign, key, signer, _ := asymkey_service.SignInitialCommit(ctx, tmpPath, u)
 	if sign {
-		cmd.AddOptionFormat("-S%s", keyID)
+		if key.Format != "" {
+			cmd.AddConfig("gpg.format", key.Format)
+		}
+		cmd.AddOptionFormat("-S%s", key.KeyID)
 
 		if repo.GetTrustModel() == repo_model.CommitterTrustModel || repo.GetTrustModel() == repo_model.CollaboratorCommitterTrustModel {
 			// need to set the committer to the KeyID owner
diff --git a/services/wiki/wiki.go b/services/wiki/wiki.go
index 9405f7cfc8..0a955406e2 100644
--- a/services/wiki/wiki.go
+++ b/services/wiki/wiki.go
@@ -194,7 +194,7 @@ func updateWikiPage(ctx context.Context, doer *user_model.User, repo *repo_model
 
 	sign, signingKey, signer, _ := asymkey_service.SignWikiCommit(ctx, repo, doer)
 	if sign {
-		commitTreeOpts.KeyID = signingKey
+		commitTreeOpts.Key = signingKey
 		if repo.GetTrustModel() == repo_model.CommitterTrustModel || repo.GetTrustModel() == repo_model.CollaboratorCommitterTrustModel {
 			committer = signer
 		}
@@ -316,7 +316,7 @@ func DeleteWikiPage(ctx context.Context, doer *user_model.User, repo *repo_model
 
 	sign, signingKey, signer, _ := asymkey_service.SignWikiCommit(ctx, repo, doer)
 	if sign {
-		commitTreeOpts.KeyID = signingKey
+		commitTreeOpts.Key = signingKey
 		if repo.GetTrustModel() == repo_model.CommitterTrustModel || repo.GetTrustModel() == repo_model.CollaboratorCommitterTrustModel {
 			committer = signer
 		}