From b0f52307a5daa29fc453c09a0600733ab69991e1 Mon Sep 17 00:00:00 2001
From: f
Date: Wed, 13 May 2026 14:10:35 -0300
Subject: [PATCH 1/2] feat: sign commits

---
 .env.sample | 7 +++++++
 README.md | 13 +++++++++++++
 abra.sh | 2 +-
 app.ini.tmpl | 13 +++++++++++++
 compose.signing.yml | 14 ++++++++++++++
 docker-setup.sh.tmpl | 7 +++++++
 6 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 compose.signing.yml

diff --git a/.env.sample b/.env.sample
index 3a9e833..49165f8 100644
--- a/.env.sample
+++ b/.env.sample
@@ -68,6 +68,13 @@ GITEA_STORAGE_TYPE=local
 # MINIO_CHECKSUM_ALGORITHM=default
 # COMPOSE_FILE="$COMPOSE_FILE:compose.s3.yml"
 
+# Instance Commit Signing
+# https://forgejo.org/docs/latest/admin/advanced/signing/
+# COMPOSE_FILE="$COMPOSE_FILE:compose.signing.yml"
+# GITEA_SIGNING_ENABLED=1
+# SECRET_SIGNING_PUBLIC_KEY_VERSION=v1
+# SECRET_SIGNING_PRIVATE_KEY_VERSION=v1
+
 # SMTP Mailer
 # COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
 # GITEA_SMTP_MAILER_ENABLED=1
diff --git a/README.md b/README.md
index 3fcd575..453b6e3 100644
--- a/README.md
+++ b/README.md
@@ -66,3 +66,16 @@ Note that gitea should be configured to listen to port 2222, i.e. `GITEA_SSH_POR Uncomment the Anubis compose file from the `.env` file and re-deploy the app. Don't forget to actually [enable Anubis on the Traefik app too](https://recipes.coopcloud.tech/traefik)!
+
+## [Instance Commit Signing](https://forgejo.org/docs/latest/admin/advanced/signing/)
+
+To allow Forgejo to sign commits, uncomment the corresponding
+configuration block, and then generate and insert the SSH keys:
+
+```sh
+abra app config git.example.coop
+ssh-keygen -t ed25519
+app app secret insert git.example.coop signing_public_key v1 -f ~/.ssh/id_ed25519.pub
+app app secret insert git.example.coop signing_private_key v1 -f ~/.ssh/id_ed25519
+app app deploy git.example.coop
+```
diff --git a/abra.sh b/abra.sh
index bb62ece..9f43051 100644
--- a/abra.sh
+++ b/abra.sh
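Review bot: The new block does not say that `GITEA_SIGNING_ENABLED=1` makes the `[repository.signing]` section added to `app.ini.tmpl` in this same patch fill `SIGNING_EMAIL` from `GITEA_MAILER_FROM`, a variable this sample only introduces under the optional SMTP block, so an operator who enables signing without the mailer gets an empty `SIGNING_EMAIL =` in the rendered app.ini. Either list the dependency here, e.g. `# GITEA_MAILER_FROM=git@example.com  # required by signing`, or give signing its own variable in the template and document it in this block. The two toggles are also independent: `GITEA_SIGNING_ENABLED=1` without the `compose.signing.yml` line renders a `SIGNING_KEY` path that `docker-setup.sh.tmpl` never writes, which a one-line comment here could warn about. The same `GITEA_MAILER_FROM` point applies to the `app.ini.tmpl` hunk and is not repeated there.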
@@ -1,5 +1,5 @@
 export APP_INI_VERSION=v25
-export DOCKER_SETUP_SH_VERSION=v1
+export DOCKER_SETUP_SH_VERSION=v2
 export PG_BACKUP_VERSION=v1
 
 abra_backup_app() {
diff --git a/app.ini.tmpl b/app.ini.tmpl
index e260c79..9f9ace1 100644
--- a/app.ini.tmpl
+++ b/app.ini.tmpl
@@ -62,6 +62,18 @@ ALLOWED_TYPES = {{ env "GITEA_REPO_UPLOAD_ALLOWED_TYPES" }}
 FILE_MAX_SIZE = {{ env "GITEA_REPO_UPLOAD_MAX_SIZE" }}
 MAX_FILES = {{ env "GITEA_REPO_UPLOAD_MAX_FILES" }}
 
+{{ if eq (env "GITEA_SIGNING_ENABLED") "1" }}
+[repository.signing]
+FORMAT = ssh
+SIGNING_KEY = /var/lib/gitea/signing_key.pub
+SIGNING_NAME = {{ env "GITEA_APP_NAME" }}
+SIGNING_EMAIL = {{ env "GITEA_MAILER_FROM" }}
+INITIAL_COMMIT = always
+WIKI = always
+CRUD_ACTIONS = always
+MERGES = always
+{{ end }}
+
 [ui]
 SHOW_USER_EMAIL = {{ env "GITEA_SHOW_USER_EMAIL" }}
 
@@ -126,3 +138,4 @@ MODE=console
 LEVEL=WARN
 STACKTRACE_LEVEL=None
 ENABLE_XORM_LOG=false
+
diff --git a/compose.signing.yml b/compose.signing.yml
new file mode 100644
index 0000000..87f4124
--- /dev/null
+++ b/compose.signing.yml
@@ -0,0 +1,14 @@
+version: '3.8'
+
+services:
+ app:
+ secrets:
+ - signing_public_key
+ - signing_private_key
+secrets:
+ signing_public_key:
+ name: ${STACK_NAME}_signing_public_key_${SECRET_SIGNING_PUBLIC_KEY_VERSION}
+ external: true
+ signing_private_key:
+ name: ${STACK_NAME}_signing_private_key_${SECRET_SIGNING_PRIVATE_KEY_VERSION}
+ external: true
diff --git a/docker-setup.sh.tmpl b/docker-setup.sh.tmpl
index 310e8f7..5674e32 100644
--- a/docker-setup.sh.tmpl
+++ b/docker-setup.sh.tmpl
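Review bot: `SIGNING_KEY = /var/lib/gitea/signing_key.pub` hard-codes a path that exists only because `docker-setup.sh.tmpl` in this patch copies the `signing_public_key` secret there, and nothing in the template records that coupling, so a later edit to either file can silently break the other. Add a comment above the section, e.g. `; signing_key.pub and signing_key are written from the signing_* secrets by docker-setup.sh.tmpl`. With `INITIAL_COMMIT`, `WIKI`, `CRUD_ACTIONS` and `MERGES` all set to `always`, every server-side commit is signed with the instance key independent of the acting user's own key status, which is presumably intended here; a one-line comment naming that choice would help operators reading the rendered app.ini.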
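Review bot: `signing_private_key` is attached with the short secret syntax, so it is exposed under `/run/secrets/` with the Swarm defaults (mode 0444, owned by root) and stays readable by every process in the container for its whole lifetime, even after `docker-setup.sh.tmpl` has copied it to `/var/lib/gitea/signing_key`. Using the long syntax for that entry, `- source: signing_private_key` followed by `mode: 0400`, plus a `uid` matching the user that runs the setup script if the container does not run as root, confines the key material to the process that needs it. The public key can keep the short form.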
@@ -13,3 +13,10 @@ mkdir -p ${GITEA_CUSTOM} && chmod 0500 ${GITEA_CUSTOM}
 # Prepare temp folder
 mkdir -p ${GITEA_TEMP} && chmod 0700 ${GITEA_TEMP}
 if [ ! -w ${GITEA_TEMP} ]; then echo "${GITEA_TEMP} is not writable"; exit 1; fi
+
+if [ -e /run/secrets/signing_public_key ] ; then
+ cat /run/secrets/signing_public_key > /var/lib/gitea/signing_key.pub
+ cat /run/secrets/signing_private_key > /var/lib/gitea/signing_key
+
+ chmod 400 /var/lib/gitea/signing_key*
+fi
-- 
2.49.0

From 000de73bb3e395f9e51553fc63db4fabb5839c37 Mon Sep 17 00:00:00 2001
From: f
Date: Sat, 16 May 2026 13:10:16 -0300
Subject: [PATCH 2/2] fix: allow key rotation

---
 docker-setup.sh.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-setup.sh.tmpl b/docker-setup.sh.tmpl
index 5674e32..1e08148 100644
--- a/docker-setup.sh.tmpl
+++ b/docker-setup.sh.tmpl
@@ -18,5 +18,5 @@ if [ -e /run/secrets/signing_public_key ] ; then
 cat /run/secrets/signing_public_key > /var/lib/gitea/signing_key.pub
 cat /run/secrets/signing_private_key > /var/lib/gitea/signing_key
 
- chmod 400 /var/lib/gitea/signing_key*
+ chmod 600 /var/lib/gitea/signing_key*
 fi
-- 
2.49.0
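Review bot: The guard tests only `/run/secrets/signing_public_key`, yet the next line reads `signing_private_key` unconditionally; the two are separate, independently versioned secrets in `compose.signing.yml`, so if only the public one is attached `cat` fails, `/var/lib/gitea/signing_key` is left empty, and nothing in this hunk stops the script (whether the enclosing script sets `-e` is outside the hunk). The private key is also created with the process umask and only narrowed by the `chmod` two lines later, so it briefly exists with default permissions. Check both secrets, write under a restrictive umask and fail in the same style the script already uses for `${GITEA_TEMP}`, as below.
```sh
if [ -e /run/secrets/signing_public_key ] && [ -e /run/secrets/signing_private_key ]; then
  (
    umask 077
    cat /run/secrets/signing_public_key > /var/lib/gitea/signing_key.pub
    cat /run/secrets/signing_private_key > /var/lib/gitea/signing_key
  ) || { echo "failed to install signing key"; exit 1; }
  # … unchanged: chmod 400 /var/lib/gitea/signing_key* …
fi
```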
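Review bot: Loosening the mode to 600 only works around the cause of the rotation failure, which is that the two `cat >` lines above rewrite the key files in place and therefore depend on the mode left by the previous start; a copy that fails midway also leaves a truncated `signing_key` behind. Writing to a sibling temporary file and renaming it, `cat /run/secrets/signing_private_key > /var/lib/gitea/signing_key.tmp && mv -f /var/lib/gitea/signing_key.tmp /var/lib/gitea/signing_key` (same for the `.pub`), needs write access to the directory rather than the file, so rotation works whatever mode the old file has and the previous key stays intact until the new one is complete. Note also that the `signing_key*` glob applies the new mode to `signing_key.pub` as well, which does not need to be writable; listing the two files explicitly makes the intent clearer.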