gogs/TEST_GPG_VERIFICATION.md

Testing GPG Verification in Docker

This guide explains how to test the GPG commit signature verification feature in a Docker environment.

Prerequisites

• Docker and Docker Compose installed
• GPG installed on your host machine
• Git configured on your host machine

Step 1: Build and Start the Services

# Build and start Gogs with PostgreSQL
docker-compose -f docker-compose.test.yml up --build -d

# Wait for services to be healthy (about 60 seconds)
docker-compose -f docker-compose.test.yml ps

# Check logs
docker-compose -f docker-compose.test.yml logs -f gogs

Step 2: Complete Installation

1. Open your browser and navigate to: http://localhost:10080
2. Complete the installation wizard:
   • Database settings should be pre-filled (PostgreSQL)
   • Set admin username and password
   • Set Application URL to http://localhost:10080/
   • Set SSH Port to 10022
   • Click "Install Gogs"

Step 3: Generate API Token

1. Log in to Gogs with your admin account
2. Go to Settings → Applications
3. Generate a new API token
4. Save the token for later use

Step 4: Prepare Your GPG Key

Generate a GPG key (if you don't have one)

gpg --full-generate-key

Follow the prompts:

• Kind: (1) RSA and RSA
• Key size: 4096
• Expiration: 0 (doesn't expire)
• Enter your name and email (use the same email as in Gogs)

Export your public key

# List your keys
gpg --list-secret-keys --keyid-format LONG

# Export the public key (replace YOUR_KEY_ID)
gpg --armor --export YOUR_KEY_ID > my-gpg-key.asc

# View the key
cat my-gpg-key.asc

Step 5: Add GPG Key to Gogs via API

# Set your API token
export GOGS_TOKEN="your_api_token_here"

# Add the GPG key
curl -X POST \
  -H "Authorization: token $GOGS_TOKEN" \
  -H "Content-Type: application/json" \
  -d "{\"armored_public_key\": \"$(cat my-gpg-key.asc | sed ':a;N;$!ba;s/\n/\\n/g')\"}" \
  http://localhost:10080/api/v1/user/gpg_keys

# List your GPG keys
curl -H "Authorization: token $GOGS_TOKEN" \
  http://localhost:10080/api/v1/user/gpg_keys

Expected response:

[
  {
    "id": 1,
    "key_id": "1234567890ABCDEF",
    "fingerprint": "ABCD1234567890ABCDEF1234567890ABCDEF1234",
    "public_key": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n...",
    "emails": ["your.email@example.com"],
    "can_sign": true,
    "can_encrypt_comms": true,
    "can_encrypt_storage": true,
    "can_certify": true,
    "created": "2025-11-01T22:00:00Z"
  }
]

Step 6: Configure Git for Signed Commits

# Configure Git to use your GPG key
git config --global user.signingkey YOUR_KEY_ID
git config --global commit.gpgsign true

# Verify configuration
git config --global --get user.signingkey
git config --global --get commit.gpgsign

Step 7: Create a Test Repository

# Create a test repository via API
curl -X POST \
  -H "Authorization: token $GOGS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name":"gpg-test","description":"Testing GPG verification","private":false}' \
  http://localhost:10080/api/v1/user/repos

# Clone the repository
git clone http://localhost:10080/your-username/gpg-test.git
cd gpg-test

Step 8: Make Signed Commits

# Create a file
echo "# GPG Test" > README.md

# Commit with GPG signature
git add README.md
git commit -m "Initial commit - signed with GPG"

# Verify the signature locally
git log --show-signature

# Push to Gogs
git push origin main

Step 9: Verify Signature via Database

Access the Gogs container and test signature verification:

# Access Gogs container
docker exec -it gogs-test /bin/bash

# Inside the container, use the gogs CLI or database query
# (This is a manual verification step for testing)

# Or use psql to check the database
docker exec -it gogs-test-postgres psql -U gogs -d gogs -c "SELECT * FROM gpg_key;"

Step 10: Test API Endpoints

List GPG Keys

curl -H "Authorization: token $GOGS_TOKEN" \
  http://localhost:10080/api/v1/user/gpg_keys | jq

Get Specific GPG Key

curl -H "Authorization: token $GOGS_TOKEN" \
  http://localhost:10080/api/v1/user/gpg_keys/1 | jq

Delete GPG Key

curl -X DELETE \
  -H "Authorization: token $GOGS_TOKEN" \
  http://localhost:10080/api/v1/user/gpg_keys/1

Troubleshooting

Container won't start

# Check logs
docker-compose -f docker-compose.test.yml logs gogs
docker-compose -f docker-compose.test.yml logs postgres

# Restart services
docker-compose -f docker-compose.test.yml restart

Database migration issues

# Check database
docker exec -it gogs-test-postgres psql -U gogs -d gogs -c "\dt"

# Should see gpg_key table
docker exec -it gogs-test-postgres psql -U gogs -d gogs -c "\d gpg_key"

GPG key not being accepted

# Validate the key format
gpg --show-keys my-gpg-key.asc

# Check for proper armor format
head -1 my-gpg-key.asc  # Should be: -----BEGIN PGP PUBLIC KEY BLOCK-----
tail -1 my-gpg-key.asc  # Should be: -----END PGP PUBLIC KEY BLOCK-----

Git push authentication

# Use your Gogs username and password (or token)
git config credential.helper store
git push origin main
# Enter username and password when prompted

Cleanup

# Stop and remove containers
docker-compose -f docker-compose.test.yml down

# Remove volumes (WARNING: deletes all data)
docker-compose -f docker-compose.test.yml down -v

# Remove test repository
rm -rf gpg-test

Verification Checklist

• Gogs container starts successfully
• PostgreSQL database is accessible
• Installation wizard completes
• API token generated
• GPG key added via API
• GPG key visible in API response
• Git configured for signing
• Signed commit created
• Commit pushed to Gogs
• Signature extracted from commit
• Database contains gpg_key entry

Expected Database Schema

The gpg_key table should have these columns:

SELECT column_name, data_type
FROM information_schema.columns
WHERE table_name = 'gpg_key';

Expected columns:

• id (bigint)
• owner_id (bigint)
• key_id (varchar)
• fingerprint (varchar)
• content (text)
• can_sign (boolean)
• can_encrypt (boolean)
• emails (text)
• created_unix (bigint)
• updated_unix (bigint)
• expired_unix (bigint)

Advanced Testing

Test Signature Verification Programmatically

Create a test script to verify commit signatures:

# Inside the Gogs container
docker exec -it gogs-test /bin/bash

# Create a test Go file
cat > /tmp/test_verify.go <<'EOF'
package main

import (
    "context"
    "fmt"
    "gogs.io/gogs/internal/database"
    "gogs.io/gogs/internal/gpgutil"
)

func main() {
    // This is a placeholder - actual implementation would need proper setup
    fmt.Println("Testing GPG verification...")

    commitContent := `tree abc123
parent def456
author John Doe <john@example.com> 1234567890 +0000
committer John Doe <john@example.com> 1234567890 +0000
gpgsig -----BEGIN PGP SIGNATURE-----

 iQIzBAABCAAdFiEE...
 -----END PGP SIGNATURE-----

Initial commit
`

    signature, payload, hasSig := gpgutil.ExtractSignature(commitContent)
    fmt.Printf("Has signature: %v\n", hasSig)
    fmt.Printf("Signature length: %d\n", len(signature))
    fmt.Printf("Payload length: %d\n", len(payload))
}
EOF

Notes

• The GPG verification backend is fully implemented
• UI components are not yet implemented - verification can only be done via API/database
• Future updates will add visual indicators in the web UI
• Commit signature verification is automatic when GPG keys are configured