# Testing GPG Verification in Docker This guide explains how to test the GPG commit signature verification feature in a Docker environment. ## Prerequisites - Docker and Docker Compose installed - GPG installed on your host machine - Git configured on your host machine ## Step 1: Build and Start the Services ```bash # Build and start Gogs with PostgreSQL docker-compose -f docker-compose.test.yml up --build -d # Wait for services to be healthy (about 60 seconds) docker-compose -f docker-compose.test.yml ps # Check logs docker-compose -f docker-compose.test.yml logs -f gogs ``` ## Step 2: Complete Installation 1. Open your browser and navigate to: `http://localhost:10080` 2. Complete the installation wizard: - Database settings should be pre-filled (PostgreSQL) - Set admin username and password - Set Application URL to `http://localhost:10080/` - Set SSH Port to `10022` - Click "Install Gogs" ## Step 3: Generate API Token 1. Log in to Gogs with your admin account 2. Go to Settings → Applications 3. Generate a new API token 4. Save the token for later use ## Step 4: Prepare Your GPG Key ### Generate a GPG key (if you don't have one) ```bash gpg --full-generate-key ``` Follow the prompts: - Kind: (1) RSA and RSA - Key size: 4096 - Expiration: 0 (doesn't expire) - Enter your name and email (use the same email as in Gogs) ### Export your public key ```bash # List your keys gpg --list-secret-keys --keyid-format LONG # Export the public key (replace YOUR_KEY_ID) gpg --armor --export YOUR_KEY_ID > my-gpg-key.asc # View the key cat my-gpg-key.asc ``` ## Step 5: Add GPG Key to Gogs via API ```bash # Set your API token export GOGS_TOKEN="your_api_token_here" # Add the GPG key curl -X POST \ -H "Authorization: token $GOGS_TOKEN" \ -H "Content-Type: application/json" \ -d "{\"armored_public_key\": \"$(cat my-gpg-key.asc | sed ':a;N;$!ba;s/\n/\\n/g')\"}" \ http://localhost:10080/api/v1/user/gpg_keys # List your GPG keys curl -H "Authorization: token $GOGS_TOKEN" \ http://localhost:10080/api/v1/user/gpg_keys ``` Expected response: ```json [ { "id": 1, "key_id": "1234567890ABCDEF", "fingerprint": "ABCD1234567890ABCDEF1234567890ABCDEF1234", "public_key": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n...", "emails": ["your.email@example.com"], "can_sign": true, "can_encrypt_comms": true, "can_encrypt_storage": true, "can_certify": true, "created": "2025-11-01T22:00:00Z" } ] ``` ## Step 6: Configure Git for Signed Commits ```bash # Configure Git to use your GPG key git config --global user.signingkey YOUR_KEY_ID git config --global commit.gpgsign true # Verify configuration git config --global --get user.signingkey git config --global --get commit.gpgsign ``` ## Step 7: Create a Test Repository ```bash # Create a test repository via API curl -X POST \ -H "Authorization: token $GOGS_TOKEN" \ -H "Content-Type: application/json" \ -d '{"name":"gpg-test","description":"Testing GPG verification","private":false}' \ http://localhost:10080/api/v1/user/repos # Clone the repository git clone http://localhost:10080/your-username/gpg-test.git cd gpg-test ``` ## Step 8: Make Signed Commits ```bash # Create a file echo "# GPG Test" > README.md # Commit with GPG signature git add README.md git commit -m "Initial commit - signed with GPG" # Verify the signature locally git log --show-signature # Push to Gogs git push origin main ``` ## Step 9: Verify Signature via Database Access the Gogs container and test signature verification: ```bash # Access Gogs container docker exec -it gogs-test /bin/bash # Inside the container, use the gogs CLI or database query # (This is a manual verification step for testing) # Or use psql to check the database docker exec -it gogs-test-postgres psql -U gogs -d gogs -c "SELECT * FROM gpg_key;" ``` ## Step 10: Test API Endpoints ### List GPG Keys ```bash curl -H "Authorization: token $GOGS_TOKEN" \ http://localhost:10080/api/v1/user/gpg_keys | jq ``` ### Get Specific GPG Key ```bash curl -H "Authorization: token $GOGS_TOKEN" \ http://localhost:10080/api/v1/user/gpg_keys/1 | jq ``` ### Delete GPG Key ```bash curl -X DELETE \ -H "Authorization: token $GOGS_TOKEN" \ http://localhost:10080/api/v1/user/gpg_keys/1 ``` ## Troubleshooting ### Container won't start ```bash # Check logs docker-compose -f docker-compose.test.yml logs gogs docker-compose -f docker-compose.test.yml logs postgres # Restart services docker-compose -f docker-compose.test.yml restart ``` ### Database migration issues ```bash # Check database docker exec -it gogs-test-postgres psql -U gogs -d gogs -c "\dt" # Should see gpg_key table docker exec -it gogs-test-postgres psql -U gogs -d gogs -c "\d gpg_key" ``` ### GPG key not being accepted ```bash # Validate the key format gpg --show-keys my-gpg-key.asc # Check for proper armor format head -1 my-gpg-key.asc # Should be: -----BEGIN PGP PUBLIC KEY BLOCK----- tail -1 my-gpg-key.asc # Should be: -----END PGP PUBLIC KEY BLOCK----- ``` ### Git push authentication ```bash # Use your Gogs username and password (or token) git config credential.helper store git push origin main # Enter username and password when prompted ``` ## Cleanup ```bash # Stop and remove containers docker-compose -f docker-compose.test.yml down # Remove volumes (WARNING: deletes all data) docker-compose -f docker-compose.test.yml down -v # Remove test repository rm -rf gpg-test ``` ## Verification Checklist - [ ] Gogs container starts successfully - [ ] PostgreSQL database is accessible - [ ] Installation wizard completes - [ ] API token generated - [ ] GPG key added via API - [ ] GPG key visible in API response - [ ] Git configured for signing - [ ] Signed commit created - [ ] Commit pushed to Gogs - [ ] Signature extracted from commit - [ ] Database contains gpg_key entry ## Expected Database Schema The `gpg_key` table should have these columns: ```sql SELECT column_name, data_type FROM information_schema.columns WHERE table_name = 'gpg_key'; ``` Expected columns: - id (bigint) - owner_id (bigint) - key_id (varchar) - fingerprint (varchar) - content (text) - can_sign (boolean) - can_encrypt (boolean) - emails (text) - created_unix (bigint) - updated_unix (bigint) - expired_unix (bigint) ## Advanced Testing ### Test Signature Verification Programmatically Create a test script to verify commit signatures: ```bash # Inside the Gogs container docker exec -it gogs-test /bin/bash # Create a test Go file cat > /tmp/test_verify.go <<'EOF' package main import ( "context" "fmt" "gogs.io/gogs/internal/database" "gogs.io/gogs/internal/gpgutil" ) func main() { // This is a placeholder - actual implementation would need proper setup fmt.Println("Testing GPG verification...") commitContent := `tree abc123 parent def456 author John Doe 1234567890 +0000 committer John Doe 1234567890 +0000 gpgsig -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEE... -----END PGP SIGNATURE----- Initial commit ` signature, payload, hasSig := gpgutil.ExtractSignature(commitContent) fmt.Printf("Has signature: %v\n", hasSig) fmt.Printf("Signature length: %d\n", len(signature)) fmt.Printf("Payload length: %d\n", len(payload)) } EOF ``` ## Notes - The GPG verification backend is fully implemented - UI components are not yet implemented - verification can only be done via API/database - Future updates will add visual indicators in the web UI - Commit signature verification is automatic when GPG keys are configured