feat(sec): Add SSH signing support for instances (#6897)

- Add support to set `gpg.format` in the Git config, via the new `[repository.signing].FORMAT` option. This is to tell Git that the instance would like to use SSH instead of OpenPGP to sign its commits. This is guarded behind a Git version check for v2.34.0 and a check that a `ssh-keygen` binary is present.
- Add support to recognize the public SSH key that is given to `[repository.signing].SIGNING_KEY` as the signing key by the instance.
- Thus this allows the instance to use SSH commit signing for commits that the instance creates (e.g. initial and squash commits) instead of using PGP.
- Technically (although I have no clue how as this is not documented) you can have a different PGP signing key for different repositories; this is not implemented for SSH signing.
- Add unit and integration testing.
  - `TestInstanceSigning` was reworked from `TestGPGGit`, now also includes testing for SHA256 repositories. Is the main integration test that actually signs commits and checks that they are marked as verified by Forgejo.
  - `TestParseCommitWithSSHSignature` is a unit test that makes sure that if a SSH instnace signing key is set, that it is used to possibly verify instance SSH signed commits.
  - `TestSyncConfigGPGFormat` is a unit test that makes sure the correct git config is set according to the signing format setting. Also checks that the guarded git version check and ssh-keygen binary presence check is done correctly.
  - `TestSSHInstanceKey` is a unit test that makes sure the parsing of a SSH signing key is done correctly.
  - `TestAPISSHSigningKey` is a integration test that makes sure the newly added API route `/api/v1/signing-key.ssh` responds correctly.

Documentation PR: forgejo/docs#1122

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6897
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>

modules/git/git.go

@@ -278,6 +278,49 @@ func syncGitConfig() (err error) {
 		return err
 	}
 
+	switch setting.Repository.Signing.Format {
+	case "ssh":
+		// First do a git version check.
+		if CheckGitVersionAtLeast("2.34.0") != nil {
+			return errors.New("ssh signing requires Git >= 2.34.0")
+		}
+
+		// Get the ssh-keygen binary that Git will use.
+		// This can be overriden in app.ini in [git.config] section, so we must
+		// query this information.
+		sshKeygenPath, err := configGet("gpg.ssh.program")
+		if err != nil {
+			return err
+		}
+		// git is very stubborn and does not give a default value, so we must do
+		// this ourselves.
+		if len(sshKeygenPath) == 0 {
+			// Default value of git, very unlikely to change.
+			// https://github.com/git/git/blob/5b97a56fa0e7d580dc8865b73107407c9b3f0eff/gpg-interface.c#L116
+			sshKeygenPath = "ssh-keygen"
+		}
+
+		// Although there's a version requirement of 8.2p1, there's no cross-version
+		// method to get the version of ssh-keygen. Therefore we do a simple binary
+		// presence check and hope for the best.
+		if _, err := exec.LookPath(sshKeygenPath); err != nil {
+			if errors.Is(err, exec.ErrNotFound) {
+				return errors.New("git signing requires a ssh-keygen binary")
+			}
+			return err
+		}
+
+		if err := configSet("gpg.format", "ssh"); err != nil {
+			return err
+		}
+		// openpgp is already the default value, so in the case of a non SSH format
+		// set the value to openpgp.
+	default:
+		if err := configSet("gpg.format", "openpgp"); err != nil {
+			return err
+		}
+	}
+
 	// By default partial clones are disabled, enable them from git v2.22
 	if !setting.Git.DisablePartialClone && CheckGitVersionAtLeast("2.22") == nil {
 		if err = configSet("uploadpack.allowfilter", "true"); err != nil {
@@ -324,6 +367,15 @@ func CheckGitVersionEqual(equal string) error {
 	return nil
 }
 
+func configGet(key string) (string, error) {
+	stdout, _, err := NewCommand(DefaultContext, "config", "--global", "--get").AddDynamicArguments(key).RunStdString(nil)
+	if err != nil && !IsErrorExitCode(err, 1) {
+		return "", fmt.Errorf("failed to get git config %s, err: %w", key, err)
+	}
+
+	return strings.TrimSpace(stdout), nil
+}
+
 func configSet(key, value string) error {
 	stdout, _, err := NewCommand(DefaultContext, "config", "--global", "--get").AddDynamicArguments(key).RunStdString(nil)
 	if err != nil && !IsErrorExitCode(err, 1) {

modules/git/git_test.go

@@ -11,8 +11,10 @@ import (
 	"testing"
 
 	"forgejo.org/modules/setting"
+	"forgejo.org/modules/test"
 	"forgejo.org/modules/util"
 
+	"github.com/hashicorp/go-version"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -94,3 +96,57 @@ func TestSyncConfig(t *testing.T) {
 	assert.True(t, gitConfigContains("[sync-test]"))
 	assert.True(t, gitConfigContains("cfg-key-a = CfgValA"))
 }
+
+func TestSyncConfigGPGFormat(t *testing.T) {
+	defer test.MockProtect(&setting.GitConfig)()
+
+	t.Run("No format", func(t *testing.T) {
+		defer test.MockVariableValue(&setting.Repository.Signing.Format, "")()
+		require.NoError(t, syncGitConfig())
+		assert.True(t, gitConfigContains("[gpg]"))
+		assert.True(t, gitConfigContains("format = openpgp"))
+	})
+
+	t.Run("SSH format", func(t *testing.T) {
+		r, err := os.OpenRoot(t.TempDir())
+		require.NoError(t, err)
+		f, err := r.OpenFile("ssh-keygen", os.O_CREATE|os.O_TRUNC, 0o700)
+		require.NoError(t, f.Close())
+		require.NoError(t, err)
+		t.Setenv("PATH", r.Name())
+		defer test.MockVariableValue(&setting.Repository.Signing.Format, "ssh")()
+
+		require.NoError(t, syncGitConfig())
+		assert.True(t, gitConfigContains("[gpg]"))
+		assert.True(t, gitConfigContains("format = ssh"))
+
+		t.Run("Old version", func(t *testing.T) {
+			oldVersion, err := version.NewVersion("2.33.0")
+			require.NoError(t, err)
+			defer test.MockVariableValue(&gitVersion, oldVersion)()
+			require.ErrorContains(t, syncGitConfig(), "ssh signing requires Git >= 2.34.0")
+		})
+
+		t.Run("No ssh-keygen binary", func(t *testing.T) {
+			require.NoError(t, r.Remove("ssh-keygen"))
+			require.ErrorContains(t, syncGitConfig(), "git signing requires a ssh-keygen binary")
+		})
+
+		t.Run("Dynamic ssh-keygen binary location", func(t *testing.T) {
+			f, err := r.OpenFile("ssh-keygen-2", os.O_CREATE|os.O_TRUNC, 0o700)
+			require.NoError(t, f.Close())
+			require.NoError(t, err)
+			defer test.MockVariableValue(&setting.GitConfig.Options, map[string]string{
+				"gpg.ssh.program": "ssh-keygen-2",
+			})()
+			require.NoError(t, syncGitConfig())
+		})
+	})
+
+	t.Run("OpenPGP format", func(t *testing.T) {
+		defer test.MockVariableValue(&setting.Repository.Signing.Format, "openpgp")()
+		require.NoError(t, syncGitConfig())
+		assert.True(t, gitConfigContains("[gpg]"))
+		assert.True(t, gitConfigContains("format = openpgp"))
+	})
+}

modules/setting/repository.go

@@ -4,12 +4,15 @@
 package setting
 
 import (
+	"os"
 	"os/exec"
 	"path"
 	"path/filepath"
 	"strings"
 
 	"forgejo.org/modules/log"
+
+	"golang.org/x/crypto/ssh"
 )
 
 // enumerates all the policy repository creating
@@ -26,6 +29,8 @@ var MaxUserCardsPerPage = 36
 // MaxForksPerPage sets maximum amount of forks shown per page
 var MaxForksPerPage = 40
 
+var SSHInstanceKey ssh.PublicKey
+
 // Repository settings
 var (
 	Repository = struct {
@@ -109,6 +114,7 @@ var (
 			SigningKey        string
 			SigningName       string
 			SigningEmail      string
+			Format            string
 			InitialCommit     []string
 			CRUDActions       []string `ini:"CRUD_ACTIONS"`
 			Merges            []string
@@ -262,6 +268,7 @@ var (
 			SigningKey        string
 			SigningName       string
 			SigningEmail      string
+			Format            string
 			InitialCommit     []string
 			CRUDActions       []string `ini:"CRUD_ACTIONS"`
 			Merges            []string
@@ -271,6 +278,7 @@ var (
 			SigningKey:        "default",
 			SigningName:       "",
 			SigningEmail:      "",
+			Format:            "openpgp",
 			InitialCommit:     []string{"always"},
 			CRUDActions:       []string{"pubkey", "twofa", "parentsigned"},
 			Merges:            []string{"pubkey", "twofa", "basesigned", "commitssigned"},
@@ -376,4 +384,15 @@ func loadRepositoryFrom(rootCfg ConfigProvider) {
 		log.Fatal("loadRepoArchiveFrom: %v", err)
 	}
 	Repository.EnableFlags = sec.Key("ENABLE_FLAGS").MustBool()
+
+	if Repository.Signing.Format == "ssh" && Repository.Signing.SigningKey != "none" && Repository.Signing.SigningKey != "" {
+		sshPublicKey, err := os.ReadFile(Repository.Signing.SigningKey)
+		if err != nil {
+			log.Fatal("Could not read repository signing key in %q: %v", Repository.Signing.SigningKey, err)
+		}
+		SSHInstanceKey, _, _, _, err = ssh.ParseAuthorizedKey(sshPublicKey)
+		if err != nil {
+			log.Fatal("Could not parse the SSH signing key %q: %v", sshPublicKey, err)
+		}
+	}
 }

modules/setting/repository_test.go

@@ -0,0 +1,59 @@
+// Copyright 2025 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package setting
+
+import (
+	"fmt"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"golang.org/x/crypto/ssh"
+)
+
+func TestSSHInstanceKey(t *testing.T) {
+	sshSigningKeyPath, err := filepath.Abs("../../tests/integration/ssh-signing-key.pub")
+	require.NoError(t, err)
+
+	t.Run("None value", func(t *testing.T) {
+		cfg, err := NewConfigProviderFromData(`
+[repository.signing]
+FORMAT = ssh
+SIGNING_KEY = none
+`)
+		require.NoError(t, err)
+
+		loadRepositoryFrom(cfg)
+
+		assert.Nil(t, SSHInstanceKey)
+	})
+
+	t.Run("No value", func(t *testing.T) {
+		cfg, err := NewConfigProviderFromData(`
+[repository.signing]
+FORMAT = ssh
+`)
+		require.NoError(t, err)
+
+		loadRepositoryFrom(cfg)
+
+		assert.Nil(t, SSHInstanceKey)
+	})
+	t.Run("Normal", func(t *testing.T) {
+		iniStr := fmt.Sprintf(`
+[repository.signing]
+FORMAT = ssh
+SIGNING_KEY = %s
+`, sshSigningKeyPath)
+		cfg, err := NewConfigProviderFromData(iniStr)
+		require.NoError(t, err)
+
+		loadRepositoryFrom(cfg)
+
+		assert.NotNil(t, SSHInstanceKey)
+		assert.Equal(t, "ssh-ed25519", SSHInstanceKey.Type())
+		assert.EqualValues(t, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFeRC8GfFyXtiy0f1E7hLv77BXW7e68tFvIcs8/29YqH\n", ssh.MarshalAuthorizedKey(SSHInstanceKey))
+	})
+}