Merge pull request 'modules/git: Recognize SSH signed tags too' (#2520) from algernon/forgejo:ssh-exclamation-mark-one-one-exclamation-mark-space-key into forgejo

+4 -4

models/asymkey/ssh_key_commit_verification_test.go

··· 40 40 Committer: &git.Signature{ 41 41 Email: "non-existent", 42 42 }, 43 - Signature: &git.CommitGPGSignature{ 43 + Signature: &git.ObjectSignature{ 44 44 Payload: `tree 2d491b2985a7ff848d5c02748e7ea9f9f7619f9f 45 45 parent 45b03601635a1f463b81963a4022c7f87ce96ef9 46 46 author user2 <non-existent> 1699710556 +0100 ··· 67 67 Committer: &git.Signature{ 68 68 Email: "user2@example.com", 69 69 }, 70 - Signature: &git.CommitGPGSignature{ 70 + Signature: &git.ObjectSignature{ 71 71 Payload: `tree 853694aae8816094a0d875fee7ea26278dbf5d0f 72 72 parent c2780d5c313da2a947eae22efd7dacf4213f4e7f 73 73 author user2 <user2@example.com> 1699707877 +0100 ··· 89 89 Committer: &git.Signature{ 90 90 Email: "user2@example.com", 91 91 }, 92 - Signature: &git.CommitGPGSignature{ 92 + Signature: &git.ObjectSignature{ 93 93 Payload: `tree 853694aae8816094a0d875fee7ea26278dbf5d0f 94 94 parent c2780d5c313da2a947eae22efd7dacf4213f4e7f 95 95 author user2 <user2@example.com> 1699707877 +0100 ··· 120 120 Committer: &git.Signature{ 121 121 Email: "user2@noreply.example.com", 122 122 }, 123 - Signature: &git.CommitGPGSignature{ 123 + Signature: &git.ObjectSignature{ 124 124 Payload: `tree 4836c7f639f37388bab4050ef5c97bbbd54272fc 125 125 parent 795be1b0117ea5c65456050bb9fd84744d4fd9c6 126 126 author user2 <user2@noreply.example.com> 1699709594 +0100

+2

models/forgejo_migrations/migrate.go

··· 52 52 NewMigration("Add wiki_branch to repository", forgejo_v1_22.AddWikiBranchToRepository), 53 53 // v6 -> v7 54 54 NewMigration("Add enable_repo_unit_hints to the user table", forgejo_v1_22.AddUserRepoUnitHintsSetting), 55 + // v7 -> v8 56 + NewMigration("Remove SSH signatures from Release notes", forgejo_v1_22.RemoveSSHSignaturesFromReleaseNotes), 55 57 } 56 58 57 59 // GetCurrentDBVersion returns the current Forgejo database version.

+14

models/forgejo_migrations/v1_22/main_test.go

··· 1 + // Copyright 2024 The Forgejo Authors. All rights reserved. 2 + // SPDX-License-Identifier: MIT 3 + 4 + package v1_22 //nolint 5 + 6 + import ( 7 + "testing" 8 + 9 + "code.gitea.io/gitea/models/migrations/base" 10 + ) 11 + 12 + func TestMain(m *testing.M) { 13 + base.MainTest(m) 14 + }

+51

models/forgejo_migrations/v1_22/v8.go

··· 1 + // Copyright 2024 The Forgejo Authors. All rights reserved. 2 + // SPDX-License-Identifier: MIT 3 + 4 + package v1_22 //nolint 5 + 6 + import ( 7 + "strings" 8 + 9 + "xorm.io/xorm" 10 + ) 11 + 12 + func RemoveSSHSignaturesFromReleaseNotes(x *xorm.Engine) error { 13 + type Release struct { 14 + ID int64 `xorm:"pk autoincr"` 15 + Note string `xorm:"TEXT"` 16 + } 17 + 18 + if err := x.Sync(&Release{}); err != nil { 19 + return err 20 + } 21 + 22 + var releaseNotes []struct { 23 + ID int64 24 + Note string 25 + } 26 + 27 + if err := x.Table("release").Where("note LIKE '%-----BEGIN SSH SIGNATURE-----%'").Find(&releaseNotes); err != nil { 28 + return err 29 + } 30 + 31 + sess := x.NewSession() 32 + defer sess.Close() 33 + 34 + if err := sess.Begin(); err != nil { 35 + return err 36 + } 37 + 38 + for _, release := range releaseNotes { 39 + idx := strings.LastIndex(release.Note, "-----BEGIN SSH SIGNATURE-----") 40 + if idx == -1 { 41 + continue 42 + } 43 + release.Note = release.Note[:idx] 44 + _, err := sess.Exec("UPDATE `release` SET note = ? WHERE id = ?", release.Note, release.ID) 45 + if err != nil { 46 + return err 47 + } 48 + } 49 + 50 + return sess.Commit() 51 + }

+34

models/forgejo_migrations/v1_22/v8_test.go

··· 1 + // Copyright 2024 The Forgejo Authors. All rights reserved. 2 + // SPDX-License-Identifier: MIT 3 + 4 + package v1_22 //nolint 5 + 6 + import ( 7 + "testing" 8 + 9 + "code.gitea.io/gitea/models/migrations/base" 10 + 11 + "github.com/stretchr/testify/assert" 12 + ) 13 + 14 + func Test_RemoveSSHSignaturesFromReleaseNotes(t *testing.T) { 15 + // A reduced mock of the `repo_model.Release` struct. 16 + type Release struct { 17 + ID int64 `xorm:"pk autoincr"` 18 + Note string `xorm:"TEXT"` 19 + } 20 + 21 + x, deferable := base.PrepareTestEnv(t, 0, new(Release)) 22 + defer deferable() 23 + 24 + assert.NoError(t, RemoveSSHSignaturesFromReleaseNotes(x)) 25 + 26 + var releases []Release 27 + err := x.Table("release").OrderBy("id ASC").Find(&releases) 28 + assert.NoError(t, err) 29 + assert.Len(t, releases, 3) 30 + 31 + assert.Equal(t, "", releases[0].Note) 32 + assert.Equal(t, "A message.\n", releases[1].Note) 33 + assert.Equal(t, "no signature present here", releases[2].Note) 34 + }

+22

models/migrations/fixtures/Test_RemoveSSHSignaturesFromReleaseNotes/release.yml

··· 1 + # type Release struct { 2 + # ID int64 `xorm:"pk autoincr"` 3 + # Note string `xorm:"TEXT"` 4 + # } 5 + - 6 + id: 1 7 + note: | 8 + -----BEGIN SSH SIGNATURE----- 9 + some signature 10 + -----END SSH SIGNATURE----- 11 + 12 + - 13 + id: 2 14 + note: | 15 + A message. 16 + -----BEGIN SSH SIGNATURE----- 17 + some signature 18 + -----END SSH SIGNATURE----- 19 + 20 + - 21 + id: 3 22 + note: "no signature present here"

+1 -7

modules/git/commit.go

··· 25 25 Author *Signature 26 26 Committer *Signature 27 27 CommitMessage string 28 - Signature *CommitGPGSignature 28 + Signature *ObjectSignature 29 29 30 30 Parents []ObjectID // ID strings 31 31 submoduleCache *ObjectCache 32 - } 33 - 34 - // CommitGPGSignature represents a git commit signature part. 35 - type CommitGPGSignature struct { 36 - Signature string 37 - Payload string // TODO check if can be reconstruct from the rest of commit information to not have duplicate data 38 32 } 39 33 40 34 // Message returns the commit message. Same as retrieving CommitMessage directly.

+2 -2

modules/git/commit_convert_gogit.go

··· 13 13 "github.com/go-git/go-git/v5/plumbing/object" 14 14 ) 15 15 16 - func convertPGPSignature(c *object.Commit) *CommitGPGSignature { 16 + func convertPGPSignature(c *object.Commit) *ObjectSignature { 17 17 if c.PGPSignature == "" { 18 18 return nil 19 19 } ··· 51 51 return nil 52 52 } 53 53 54 - return &CommitGPGSignature{ 54 + return &ObjectSignature{ 55 55 Signature: c.PGPSignature, 56 56 Payload: w.String(), 57 57 }

+1 -1

modules/git/commit_reader.go

··· 97 97 } 98 98 } 99 99 commit.CommitMessage = messageSB.String() 100 - commit.Signature = &CommitGPGSignature{ 100 + commit.Signature = &ObjectSignature{ 101 101 Signature: signatureSB.String(), 102 102 Payload: payloadSB.String(), 103 103 }

+11

modules/git/object_signature.go

··· 1 + // Copyright 2015 The Gogs Authors. All rights reserved. 2 + // Copyright 2019 The Gitea Authors. All rights reserved. 3 + // SPDX-License-Identifier: MIT 4 + 5 + package git 6 + 7 + // ObjectSignature represents a git object (commit, tag) signature part. 8 + type ObjectSignature struct { 9 + Signature string 10 + Payload string // TODO check if can be reconstruct from the rest of commit information to not have duplicate data 11 + }

+8 -3

modules/git/repo_tag.go

··· 185 185 186 186 tag.Tagger = parseSignatureFromCommitLine(ref["creator"]) 187 187 tag.Message = ref["contents"] 188 - // strip PGP signature if present in contents field 188 + // strip the signature if present in contents field 189 189 pgpStart := strings.Index(tag.Message, beginpgp) 190 190 if pgpStart >= 0 { 191 191 tag.Message = tag.Message[0:pgpStart] 192 + } else { 193 + sshStart := strings.Index(tag.Message, beginssh) 194 + if sshStart >= 0 { 195 + tag.Message = tag.Message[0:sshStart] 196 + } 192 197 } 193 198 194 - // annotated tag with GPG signature 199 + // annotated tag with signature 195 200 if tag.Type == "tag" && ref["contents:signature"] != "" { 196 201 payload := fmt.Sprintf("object %s\ntype commit\ntag %s\ntagger %s\n\n%s\n", 197 202 tag.Object, tag.Name, ref["creator"], strings.TrimSpace(tag.Message)) 198 - tag.Signature = &CommitGPGSignature{ 203 + tag.Signature = &ObjectSignature{ 199 204 Signature: ref["contents:signature"], 200 205 Payload: payload, 201 206 }

+1 -1

modules/git/repo_tag_test.go

··· 315 315 Type: "tag", 316 316 Tagger: parseSignatureFromCommitLine("Foo Bar <foo@bar.com> 1565789218 +0300"), 317 317 Message: "Add changelog of v1.9.1 (#7859)\n\n* add changelog of v1.9.1\n* Update CHANGELOG.md", 318 - Signature: &CommitGPGSignature{ 318 + Signature: &ObjectSignature{ 319 319 Signature: `-----BEGIN PGP SIGNATURE----- 320 320 321 321 aBCGzBAABCgAdFiEEyWRwv/q1Q6IjSv+D4IPOwzt33PoFAmI8jbIACgkQ4IPOwzt3

+31 -10

modules/git/tag.go

··· 14 14 const ( 15 15 beginpgp = "\n-----BEGIN PGP SIGNATURE-----\n" 16 16 endpgp = "\n-----END PGP SIGNATURE-----" 17 + beginssh = "\n-----BEGIN SSH SIGNATURE-----\n" 18 + endssh = "\n-----END SSH SIGNATURE-----" 17 19 ) 18 20 19 21 // Tag represents a Git tag. ··· 24 26 Type string 25 27 Tagger *Signature 26 28 Message string 27 - Signature *CommitGPGSignature 29 + Signature *ObjectSignature 28 30 } 29 31 30 32 // Commit return the commit of the tag reference ··· 71 73 break l 72 74 } 73 75 } 74 - idx := strings.LastIndex(tag.Message, beginpgp) 75 - if idx > 0 { 76 - endSigIdx := strings.Index(tag.Message[idx:], endpgp) 77 - if endSigIdx > 0 { 78 - tag.Signature = &CommitGPGSignature{ 79 - Signature: tag.Message[idx+1 : idx+endSigIdx+len(endpgp)], 80 - Payload: string(data[:bytes.LastIndex(data, []byte(beginpgp))+1]), 81 - } 82 - tag.Message = tag.Message[:idx+1] 76 + 77 + extractTagSignature := func(signatureBeginMark, signatureEndMark string) (bool, *ObjectSignature, string) { 78 + idx := strings.LastIndex(tag.Message, signatureBeginMark) 79 + if idx == -1 { 80 + return false, nil, "" 81 + } 82 + 83 + endSigIdx := strings.Index(tag.Message[idx:], signatureEndMark) 84 + if endSigIdx == -1 { 85 + return false, nil, "" 83 86 } 87 + 88 + return true, &ObjectSignature{ 89 + Signature: tag.Message[idx+1 : idx+endSigIdx+len(signatureEndMark)], 90 + Payload: string(data[:bytes.LastIndex(data, []byte(signatureBeginMark))+1]), 91 + }, tag.Message[:idx+1] 84 92 } 93 + 94 + // Try to find an OpenPGP signature 95 + found, sig, message := extractTagSignature(beginpgp, endpgp) 96 + if !found { 97 + // If not found, try an SSH one 98 + found, sig, message = extractTagSignature(beginssh, endssh) 99 + } 100 + // If either is found, update the tag Signature and Message 101 + if found { 102 + tag.Signature = sig 103 + tag.Message = message 104 + } 105 + 85 106 return tag, nil 86 107 } 87 108

+35

modules/git/tag_test.go

··· 46 46 Message: "test message\no\n\nono", 47 47 Signature: nil, 48 48 }}, 49 + {data: []byte(`object d8d1fdb5b20eaca882e34ee510eb55941a242b24 50 + type commit 51 + tag v0 52 + tagger Jane Doe <jane.doe@example.com> 1709146405 +0100 53 + 54 + v0 55 + -----BEGIN SSH SIGNATURE----- 56 + U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgvD4pK7baygXxoWoVoKjVEc/xZh 57 + 6w+1FUn5hypFqJXNAAAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5 58 + AAAAQKFeTnxi9ssRqSg+sJcmjAgpgoPq1k5SXm306+mJmkPwvhim8f9Gz6uy1AddPmXaD7 59 + 5LVB3fV2GmmFDKGB+wCAo= 60 + -----END SSH SIGNATURE----- 61 + `), tag: Tag{ 62 + Name: "", 63 + ID: Sha1ObjectFormat.EmptyObjectID(), 64 + Object: &Sha1Hash{0xd8, 0xd1, 0xfd, 0xb5, 0xb2, 0x0e, 0xac, 0xa8, 0x82, 0xe3, 0x4e, 0xe5, 0x10, 0xeb, 0x55, 0x94, 0x1a, 0x24, 0x2b, 0x24}, 65 + Type: "commit", 66 + Tagger: &Signature{Name: "Jane Doe", Email: "jane.doe@example.com", When: time.Unix(1709146405, 0)}, 67 + Message: "v0\n", 68 + Signature: &ObjectSignature{ 69 + Signature: `-----BEGIN SSH SIGNATURE----- 70 + U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgvD4pK7baygXxoWoVoKjVEc/xZh 71 + 6w+1FUn5hypFqJXNAAAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5 72 + AAAAQKFeTnxi9ssRqSg+sJcmjAgpgoPq1k5SXm306+mJmkPwvhim8f9Gz6uy1AddPmXaD7 73 + 5LVB3fV2GmmFDKGB+wCAo= 74 + -----END SSH SIGNATURE-----`, 75 + Payload: `object d8d1fdb5b20eaca882e34ee510eb55941a242b24 76 + type commit 77 + tag v0 78 + tagger Jane Doe <jane.doe@example.com> 1709146405 +0100 79 + 80 + v0 81 + `, 82 + }, 83 + }}, 49 84 } 50 85 51 86 for _, test := range testData {

Configure Feed

Configure Feed