feat(sec): Add SSH signing support for instances (#6897)

- Add support to set `gpg.format` in the Git config, via the new `[repository.signing].FORMAT` option. This is to tell Git that the instance would like to use SSH instead of OpenPGP to sign its commits. This is guarded behind a Git version check for v2.34.0 and a check that a `ssh-keygen` binary is present.
- Add support to recognize the public SSH key that is given to `[repository.signing].SIGNING_KEY` as the signing key by the instance.
- Thus this allows the instance to use SSH commit signing for commits that the instance creates (e.g. initial and squash commits) instead of using PGP.
- Technically (although I have no clue how as this is not documented) you can have a different PGP signing key for different repositories; this is not implemented for SSH signing.
- Add unit and integration testing.
  - `TestInstanceSigning` was reworked from `TestGPGGit`, now also includes testing for SHA256 repositories. Is the main integration test that actually signs commits and checks that they are marked as verified by Forgejo.
  - `TestParseCommitWithSSHSignature` is a unit test that makes sure that if a SSH instnace signing key is set, that it is used to possibly verify instance SSH signed commits.
  - `TestSyncConfigGPGFormat` is a unit test that makes sure the correct git config is set according to the signing format setting. Also checks that the guarded git version check and ssh-keygen binary presence check is done correctly.
  - `TestSSHInstanceKey` is a unit test that makes sure the parsing of a SSH signing key is done correctly.
  - `TestAPISSHSigningKey` is a integration test that makes sure the newly added API route `/api/v1/signing-key.ssh` responds correctly.

Documentation PR: forgejo/docs#1122

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6897
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>

models/asymkey/gpg_key_object_verification.go

@@ -201,7 +201,7 @@ func ParseObjectWithSignature(ctx context.Context, c *GitObject) *ObjectVerifica
 		}
 	}
 
-	if setting.Repository.Signing.SigningKey != "" && setting.Repository.Signing.SigningKey != "default" && setting.Repository.Signing.SigningKey != "none" {
+	if setting.Repository.Signing.Format == "openpgp" && setting.Repository.Signing.SigningKey != "" && setting.Repository.Signing.SigningKey != "default" && setting.Repository.Signing.SigningKey != "none" {
 		// OK we should try the default key
 		gpgSettings := git.GPGSettings{
 			Sign:  true,

models/asymkey/ssh_key_object_verification.go

@@ -12,8 +12,10 @@ import (
 	"forgejo.org/models/db"
 	user_model "forgejo.org/models/user"
 	"forgejo.org/modules/log"
+	"forgejo.org/modules/setting"
 
 	"github.com/42wim/sshsig"
+	"golang.org/x/crypto/ssh"
 )
 
 // ParseObjectWithSSHSignature check if signature is good against keystore.
@@ -62,6 +64,22 @@ func ParseObjectWithSSHSignature(ctx context.Context, c *GitObject, committer *u
 		}
 	}
 
+	// If the SSH instance key is set, try to verify it with that key.
+	if setting.SSHInstanceKey != nil {
+		instanceSSHKey := &PublicKey{
+			Content:     string(ssh.MarshalAuthorizedKey(setting.SSHInstanceKey)),
+			Fingerprint: ssh.FingerprintSHA256(setting.SSHInstanceKey),
+		}
+		instanceUser := &user_model.User{
+			Name:  setting.Repository.Signing.SigningName,
+			Email: setting.Repository.Signing.SigningEmail,
+		}
+		commitVerification := verifySSHObjectVerification(c.Signature.Signature, c.Signature.Payload, instanceSSHKey, committer, instanceUser, setting.Repository.Signing.SigningEmail)
+		if commitVerification != nil {
+			return commitVerification
+		}
+	}
+
 	return &ObjectVerification{
 		CommittingUser: committer,
 		Verified:       false,

models/asymkey/ssh_key_object_verification_test.go

@@ -4,6 +4,7 @@
 package asymkey
 
 import (
+	"os"
 	"testing"
 
 	"forgejo.org/models/db"
@@ -15,6 +16,7 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"golang.org/x/crypto/ssh"
 )
 
 func TestParseCommitWithSSHSignature(t *testing.T) {
@@ -150,4 +152,43 @@ muPLbvEduU+Ze/1Ol1pgk=
 		assert.Equal(t, "user2 / SHA256:TKfwbZMR7e9OnlV2l1prfah1TXH8CmqR0PvFEXVCXA4", commitVerification.Reason)
 		assert.Equal(t, sshKey, commitVerification.SigningSSHKey)
 	})
+
+	t.Run("Instance key", func(t *testing.T) {
+		pubKeyContent, err := os.ReadFile("../../tests/integration/ssh-signing-key.pub")
+		require.NoError(t, err)
+		pubKey, _, _, _, err := ssh.ParseAuthorizedKey(pubKeyContent)
+		require.NoError(t, err)
+
+		defer test.MockVariableValue(&setting.Repository.Signing.SigningName, "UwU")()
+		defer test.MockVariableValue(&setting.Repository.Signing.SigningEmail, "fox@example.com")()
+		defer test.MockVariableValue(&setting.SSHInstanceKey, pubKey)()
+
+		gitCommit := &git.Commit{
+			Committer: &git.Signature{
+				Email: "fox@example.com",
+			},
+			Signature: &git.ObjectSignature{
+				Payload: `tree f96f1a4f1a51dc42e2983592f503980b60b8849c
+parent 93f84db542dd8c6e952c8130bc2fcbe2e299b8b4
+author OwO <instance@example.com> 1738961379 +0100
+committer UwU <fox@example.com> 1738961379 +0100
+
+Fox
+`,
+				Signature: `-----BEGIN SSH SIGNATURE-----
+U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgV5ELwZ8XJe2LLR/UTuEu/vsFdb
+t7ry0W8hyzz/b1iocAAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5
+AAAAQCnyMRkWVVNoZxZkvi/ZoknUhs4LNBmEwZs9e9214WIt+mhKfc6BiHoE2qeluR2McD
+Y5RzHnA8Ke9wXddEePCQE=
+-----END SSH SIGNATURE-----
+`,
+			},
+		}
+
+		o := commitToGitObject(gitCommit)
+		commitVerification := ParseObjectWithSSHSignature(db.DefaultContext, &o, user2)
+		assert.True(t, commitVerification.Verified)
+		assert.Equal(t, "UwU / SHA256:QttK41r/zMUeAW71b5UgVSb8xGFF/DlZJ6TyADW+uoI", commitVerification.Reason)
+		assert.Equal(t, "SHA256:QttK41r/zMUeAW71b5UgVSb8xGFF/DlZJ6TyADW+uoI", commitVerification.SigningSSHKey.Fingerprint)
+	})
 }