// Copyright 2021 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package asymkey
import (
"fmt"
"hash"
"strings"
"code.gitea.io/gitea/models/db"
repo_model "code.gitea.io/gitea/models/repo"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/git"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
"github.com/keybase/go-crypto/openpgp/packet"
)
// __________________ ________ ____ __.
// / _____/\______ \/ _____/ | |/ _|____ ___.__.
// / \ ___ | ___/ \ ___ | <_/ __ < | |
// \ \_\ \| | \ \_\ \ | | \ ___/\___ |
// \______ /|____| \______ / |____|__ \___ > ____|
// \/ \/ \/ \/\/
// _________ .__ __
// \_ ___ \ ____ _____ _____ |__|/ |_
// / \ \/ / _ \ / \ / \| \ __\
// \ \___( <_> ) Y Y \ Y Y \ || |
// \______ /\____/|__|_| /__|_| /__||__|
// \/ \/ \/
// ____ ____ .__ _____.__ __ .__
// \ \ / /___________|__|/ ____\__| ____ _____ _/ |_|__| ____ ____
// \ Y // __ \_ __ \ \ __\| |/ ___\\__ \\ __\ |/ _ \ / \
// \ /\ ___/| | \/ || | | \ \___ / __ \| | | ( <_> ) | \
// \___/ \___ >__| |__||__| |__|\___ >____ /__| |__|\____/|___| /
// \/ \/ \/ \/
// This file provides functions relating commit verification
// CommitVerification represents a commit validation of signature
type CommitVerification struct {
Verified bool
Warning bool
Reason string
SigningUser * user_model . User
CommittingUser * user_model . User
SigningEmail string
SigningKey * GPGKey
SigningSSHKey * PublicKey
TrustStatus string
}
// SignCommit represents a commit with validation of signature.
type SignCommit struct {
Verification * CommitVerification
* user_model . UserCommit
}
const (
// BadSignature is used as the reason when the signature has a KeyID that is in the db
// but no key that has that ID verifies the signature. This is a suspicious failure.
BadSignature = "gpg.error.probable_bad_signature"
// BadDefaultSignature is used as the reason when the signature has a KeyID that matches the
// default Key but is not verified by the default key. This is a suspicious failure.
BadDefaultSignature = "gpg.error.probable_bad_default_signature"
// NoKeyFound is used as the reason when no key can be found to verify the signature.
NoKeyFound = "gpg.error.no_gpg_keys_found"
)
// ParseCommitsWithSignature checks if signaute of commits are corresponding to users gpg keys.
func ParseCommitsWithSignature ( oldCommits [ ] * user_model . UserCommit , repoTrustModel repo_model . TrustModelType , isOwnerMemberCollaborator func ( * user_model . User ) ( bool , error ) ) [ ] * SignCommit {
newCommits := make ( [ ] * SignCommit , 0 , len ( oldCommits ) )
keyMap := map [ string ] bool { }
for _ , c := range oldCommits {
signCommit := & SignCommit {
UserCommit : c ,
Verification : ParseCommitWithSignature ( c . Commit ) ,
}
_ = CalculateTrustStatus ( signCommit . Verification , repoTrustModel , isOwnerMemberCollaborator , & keyMap )
newCommits = append ( newCommits , signCommit )
}
return newCommits
}
// ParseCommitWithSignature check if signature is good against keystore.
func ParseCommitWithSignature ( c * git . Commit ) * CommitVerification {
var committer * user_model . User
if c . Committer != nil {
var err error
// Find Committer account
committer , err = user_model . GetUserByEmail ( c . Committer . Email ) // This finds the user by primary email or activated email so commit will not be valid if email is not
if err != nil { // Skipping not user for committer
committer = & user_model . User {
Name : c . Committer . Name ,
Email : c . Committer . Email ,
}
// We can expect this to often be an ErrUserNotExist. in the case
// it is not, however, it is important to log it.
if ! user_model . IsErrUserNotExist ( err ) {
log . Error ( "GetUserByEmail: %v" , err )
return & CommitVerification {
CommittingUser : committer ,
Verified : false ,
Reason : "gpg.error.no_committer_account" ,
}
}
}
}
// If no signature just report the committer
if c . Signature == nil {
return & CommitVerification {
CommittingUser : committer ,
Verified : false , // Default value
Reason : "gpg.error.not_signed_commit" , // Default value
}
}
// If this a SSH signature handle it differently
if strings . HasPrefix ( c . Signature . Signature , "-----BEGIN SSH SIGNATURE-----" ) {
return ParseCommitWithSSHSignature ( c , committer )
}
// Parsing signature
sig , err := extractSignature ( c . Signature . Signature )
if err != nil { // Skipping failed to extract sign
log . Error ( "SignatureRead err: %v" , err )
return & CommitVerification {
CommittingUser : committer ,
Verified : false ,
Reason : "gpg.error.extract_sign" ,
}
}
keyID := ""
if sig . IssuerKeyId != nil && ( * sig . IssuerKeyId ) != 0 {
keyID = fmt . Sprintf ( "%X" , * sig . IssuerKeyId )
}
if keyID == "" && sig . IssuerFingerprint != nil && len ( sig . IssuerFingerprint ) > 0 {
keyID = fmt . Sprintf ( "%X" , sig . IssuerFingerprint [ 12 : 20 ] )
}
defaultReason := NoKeyFound
// First check if the sig has a keyID and if so just look at that
if commitVerification := hashAndVerifyForKeyID (
sig ,
c . Signature . Payload ,
committer ,
keyID ,
setting . AppName ,
"" ) ; commitVerification != nil {
if commitVerification . Reason == BadSignature {
defaultReason = BadSignature
} else {
return commitVerification
}
}
// Now try to associate the signature with the committer, if present
if committer . ID != 0 {
keys , err := ListGPGKeys ( db . DefaultContext , committer . ID , db . ListOptions { } )
if err != nil { // Skipping failed to get gpg keys of user
log . Error ( "ListGPGKeys: %v" , err )
return & CommitVerification {
CommittingUser : committer ,
Verified : false ,
Reason : "gpg.error.failed_retrieval_gpg_keys" ,
}
}
committerEmailAddresses , _ := user_model . GetEmailAddresses ( committer . ID )
activated := false
for _ , e := range committerEmailAddresses {
if e . IsActivated && strings . EqualFold ( e . Email , c . Committer . Email ) {
activated = true
break
}
}
for _ , k := range keys {
// Pre-check (& optimization) that emails attached to key can be attached to the committer email and can validate
canValidate := false
email := ""
if k . Verified && activated {
canValidate = true
email = c . Committer . Email
}
if ! canValidate {
for _ , e := range k . Emails {
if e . IsActivated && strings . EqualFold ( e . Email , c . Committer . Email ) {
canValidate = true
email = e . Email
break
}
}
}
if ! canValidate {
continue // Skip this key
}
commitVerification := hashAndVerifyWithSubKeysCommitVerification ( sig , c . Signature . Payload , k , committer , committer , email )
if commitVerification != nil {
return commitVerification
}
}
}
if setting . Repository . Signing . SigningKey != "" && setting . Repository . Signing . SigningKey != "default" && setting . Repository . Signing . SigningKey != "none" {
// OK we should try the default key
gpgSettings := git . GPGSettings {
Sign : true ,
KeyID : setting . Repository . Signing . SigningKey ,
Name : setting . Repository . Signing . SigningName ,
Email : setting . Repository . Signing . SigningEmail ,
}
if err := gpgSettings . LoadPublicKeyContent ( ) ; err != nil {
log . Error ( "Error getting default signing key: %s %v" , gpgSettings . KeyID , err )
} else if commitVerification := verifyWithGPGSettings ( & gpgSettings , sig , c . Signature . Payload , committer , keyID ) ; commitVerification != nil {
if commitVerification . Reason == BadSignature {
defaultReason = BadSignature
} else {
return commitVerification
}
}
}
defaultGPGSettings , err := c . GetRepositoryDefaultPublicGPGKey ( false )
if err != nil {
log . Error ( "Error getting default public gpg key: %v" , err )
} else if defaultGPGSettings == nil {
log . Warn ( "Unable to get defaultGPGSettings for unattached commit: %s" , c . ID . String ( ) )
} else if defaultGPGSettings . Sign {
if commitVerification := verifyWithGPGSettings ( defaultGPGSettings , sig , c . Signature . Payload , committer , keyID ) ; commitVerification != nil {
if commitVerification . Reason == BadSignature {
defaultReason = BadSignature
} else {
return commitVerification
}
}
}
return & CommitVerification { // Default at this stage
CommittingUser : committer ,
Verified : false ,
Warning : defaultReason != NoKeyFound ,
Reason : defaultReason ,
SigningKey : & GPGKey {
KeyID : keyID ,
} ,
}
}
func verifyWithGPGSettings ( gpgSettings * git . GPGSettings , sig * packet . Signature , payload string , committer * user_model . User , keyID string ) * CommitVerification {
// First try to find the key in the db
if commitVerification := hashAndVerifyForKeyID ( sig , payload , committer , gpgSettings . KeyID , gpgSettings . Name , gpgSettings . Email ) ; commitVerification != nil {
return commitVerification
}
// Otherwise we have to parse the key
ekeys , err := checkArmoredGPGKeyString ( gpgSettings . PublicKeyContent )
if err != nil {
log . Error ( "Unable to get default signing key: %v" , err )
return & CommitVerification {
CommittingUser : committer ,
Verified : false ,
Reason : "gpg.error.generate_hash" ,
}
}
for _ , ekey := range ekeys {
pubkey := ekey . PrimaryKey
content , err := base64EncPubKey ( pubkey )
if err != nil {
return & CommitVerification {
CommittingUser : committer ,
Verified : false ,
Reason : "gpg.error.generate_hash" ,
}
}
k := & GPGKey {
Content : content ,
CanSign : pubkey . CanSign ( ) ,
KeyID : pubkey . KeyIdString ( ) ,
}
for _ , subKey := range ekey . Subkeys {
content , err := base64EncPubKey ( subKey . PublicKey )
if err != nil {
return & CommitVerification {
CommittingUser : committer ,
Verified : false ,
Reason : "gpg.error.generate_hash" ,
}
}
k . SubsKey = append ( k . SubsKey , & GPGKey {
Content : content ,
CanSign : subKey . PublicKey . CanSign ( ) ,
KeyID : subKey . PublicKey . KeyIdString ( ) ,
} )
}
if commitVerification := hashAndVerifyWithSubKeysCommitVerification ( sig , payload , k , committer , & user_model . User {
Name : gpgSettings . Name ,
Email : gpgSettings . Email ,
} , gpgSettings . Email ) ; commitVerification != nil {
return commitVerification
}
if keyID == k . KeyID {
// This is a bad situation ... We have a key id that matches our default key but the signature doesn't match.
return & CommitVerification {
CommittingUser : committer ,
Verified : false ,
Warning : true ,
Reason : BadSignature ,
}
}
}
return nil
}
func verifySign ( s * packet . Signature , h hash . Hash , k * GPGKey ) error {
// Check if key can sign
if ! k . CanSign {
return fmt . Errorf ( "key can not sign" )
}
// Decode key
pkey , err := base64DecPubKey ( k . Content )
if err != nil {
return err
}
return pkey . VerifySignature ( h , s )
}
func hashAndVerify ( sig * packet . Signature , payload string , k * GPGKey ) ( * GPGKey , error ) {
// Generating hash of commit
hash , err := populateHash ( sig . Hash , [ ] byte ( payload ) )
if err != nil { // Skipping as failed to generate hash
log . Error ( "PopulateHash: %v" , err )
return nil , err
}
// We will ignore errors in verification as they don't need to be propagated up
err = verifySign ( sig , hash , k )
if err != nil {
return nil , nil
}
return k , nil
}
func hashAndVerifyWithSubKeys ( sig * packet . Signature , payload string , k * GPGKey ) ( * GPGKey , error ) {
verified , err := hashAndVerify ( sig , payload , k )
if err != nil || verified != nil {
return verified , err
}
for _ , sk := range k . SubsKey {
verified , err := hashAndVerify ( sig , payload , sk )
if err != nil || verified != nil {
return verified , err
}
}
return nil , nil
}
func hashAndVerifyWithSubKeysCommitVerification ( sig * packet . Signature , payload string , k * GPGKey , committer , signer * user_model . User , email string ) * CommitVerification {
key , err := hashAndVerifyWithSubKeys ( sig , payload , k )
if err != nil { // Skipping failed to generate hash
return & CommitVerification {
CommittingUser : committer ,
Verified : false ,
Reason : "gpg.error.generate_hash" ,
}
}
if key != nil {
return & CommitVerification { // Everything is ok
CommittingUser : committer ,
Verified : true ,
Reason : fmt . Sprintf ( "%s / %s" , signer . Name , key . KeyID ) ,
SigningUser : signer ,
SigningKey : key ,
SigningEmail : email ,
}
}
return nil
}
func hashAndVerifyForKeyID ( sig * packet . Signature , payload string , committer * user_model . User , keyID , name , email string ) * CommitVerification {
if keyID == "" {
return nil
}
keys , err := GetGPGKeysByKeyID ( keyID )
if err != nil {
log . Error ( "GetGPGKeysByKeyID: %v" , err )
return & CommitVerification {
CommittingUser : committer ,
Verified : false ,
Reason : "gpg.error.failed_retrieval_gpg_keys" ,
}
}
if len ( keys ) == 0 {
return nil
}
for _ , key := range keys {
var primaryKeys [ ] * GPGKey
if key . PrimaryKeyID != "" {
primaryKeys , err = GetGPGKeysByKeyID ( key . PrimaryKeyID )
if err != nil {
log . Error ( "GetGPGKeysByKeyID: %v" , err )
return & CommitVerification {
CommittingUser : committer ,
Verified : false ,
Reason : "gpg.error.failed_retrieval_gpg_keys" ,
}
}
}
activated , email := checkKeyEmails ( email , append ( [ ] * GPGKey { key } , primaryKeys ... ) ... )
if ! activated {
continue
}
signer := & user_model . User {
Name : name ,
Email : email ,
}
if key . OwnerID != 0 {
owner , err := user_model . GetUserByID ( db . DefaultContext , key . OwnerID )
if err == nil {
signer = owner
} else if ! user_model . IsErrUserNotExist ( err ) {
log . Error ( "Failed to user_model.GetUserByID: %d for key ID: %d (%s) %v" , key . OwnerID , key . ID , key . KeyID , err )
return & CommitVerification {
CommittingUser : committer ,
Verified : false ,
Reason : "gpg.error.no_committer_account" ,
}
}
}
commitVerification := hashAndVerifyWithSubKeysCommitVerification ( sig , payload , key , committer , signer , email )
if commitVerification != nil {
return commitVerification
}
}
// This is a bad situation ... We have a key id that is in our database but the signature doesn't match.
return & CommitVerification {
CommittingUser : committer ,
Verified : false ,
Warning : true ,
Reason : BadSignature ,
}
}
// CalculateTrustStatus will calculate the TrustStatus for a commit verification within a repository
// There are several trust models in Gitea
func CalculateTrustStatus ( verification * CommitVerification , repoTrustModel repo_model . TrustModelType , isOwnerMemberCollaborator func ( * user_model . User ) ( bool , error ) , keyMap * map [ string ] bool ) ( err error ) {
if ! verification . Verified {
return
}
// In the Committer trust model a signature is trusted if it matches the committer
// - it doesn't matter if they're a collaborator, the owner, Gitea or Github
// NB: This model is commit verification only
if repoTrustModel == repo_model . CommitterTrustModel {
// default to "unmatched"
verification . TrustStatus = "unmatched"
// We can only verify against users in our database but the default key will match
// against by email if it is not in the db.
if ( verification . SigningUser . ID != 0 &&
verification . CommittingUser . ID == verification . SigningUser . ID ) ||
( verification . SigningUser . ID == 0 && verification . CommittingUser . ID == 0 &&
verification . SigningUser . Email == verification . CommittingUser . Email ) {
verification . TrustStatus = "trusted"
}
return
}
// Now we drop to the more nuanced trust models...
verification . TrustStatus = "trusted"
if verification . SigningUser . ID == 0 {
// This commit is signed by the default key - but this key is not assigned to a user in the DB.
// However in the repo_model.CollaboratorCommitterTrustModel we cannot mark this as trusted
// unless the default key matches the email of a non-user.
if repoTrustModel == repo_model . CollaboratorCommitterTrustModel && ( verification . CommittingUser . ID != 0 ||
verification . SigningUser . Email != verification . CommittingUser . Email ) {
verification . TrustStatus = "untrusted"
}
return
}
// Check we actually have a GPG SigningKey
if verification . SigningKey != nil {
var isMember bool
if keyMap != nil {
var has bool
isMember , has = ( * keyMap ) [ verification . SigningKey . KeyID ]
if ! has {
isMember , err = isOwnerMemberCollaborator ( verification . SigningUser )
( * keyMap ) [ verification . SigningKey . KeyID ] = isMember
}
} else {
isMember , err = isOwnerMemberCollaborator ( verification . SigningUser )
}
if ! isMember {
verification . TrustStatus = "untrusted"
if verification . CommittingUser . ID != verification . SigningUser . ID {
// The committing user and the signing user are not the same
// This should be marked as questionable unless the signing user is a collaborator/team member etc.
verification . TrustStatus = "unmatched"
}
} else if repoTrustModel == repo_model . CollaboratorCommitterTrustModel && verification . CommittingUser . ID != verification . SigningUser . ID {
// The committing user and the signing user are not the same and our trustmodel states that they must match
verification . TrustStatus = "unmatched"
}
}
return err
}