[solved] Force commit author to username?

I am pretty new to Gitea and made a test installation, so I hope my question does not sound too stupid.

I created a test repository and a test file:

  • commit #1 from remote machine with TortoiseGit and a user info name “foo”
  • commit #2 from web interface (username “testuser”)
  • commit #3 again from remote machine but with user info name “testuser”

The only commit that was linked to the testuser is the one created on the web interface, but none from the remote location. All commits were made with the testuser’s credentials.

Is there an option I did not yet find on the cheat sheet or documentation to force/link the Author of a commit to the username it was committed from? I would expect all three Authors to be “linked” to the testuser.

Gitea links commits by email address, so in order to link those commits they would need to send in a full signature with an email.

Thanks for that information, John. I was able to make the desired commit, but ran into another issue.
I was able to fake an “Administrator” commit from the non-privileged testuser account:

I think it should not be possible and forbidden by all means to commit as another user just by knowing the user’s email address (and maybe the display name to look 100% genuine). Was this already discussed before?

This is actually the reason to sign your commits with GPG. If you take a look at this repository on GitHub, you will see the latest commit appears to be from @techknowlogick when in fact I simply spoofed a commit.

Ok, I see, but I don’t understand what the benefit is. So it is basically a feature of git?

Is there a way (e.g. implementing a configuration flag) to disallow this?
I have not yet found the right starting point in the Gitea files.

Enforcing signed commits is configurable per-repository in branch protection settings in 1.12.0 and above.
We are currently working to release 1.11.0, so 1.12.0 may be a way off yet.

Until then, I believe you can enforce signed commits with git hooks. Example
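
A sketch of the hook-based approach mentioned in the reply above, added here as an example; it is not the script linked in the thread and not Gitea's own code. It assumes it is installed as the repository's `pre-receive` hook and that `gpg` and the signers' trusted public keys are available to the account that runs the hook; the function names are illustrative.

```shell
#!/bin/sh
# pre-receive hook: refuse any push that introduces a commit without a good,
# trusted signature. Author name and email are free text in git, so only the
# signature ties a commit to a key holder.
ZERO=0000000000000000000000000000000000000000

# Print "<sha> <status>" for every commit a ref update introduces.
# %G? is git's signature status: G good, U good but untrusted key, B bad,
# E cannot be checked (e.g. missing key), N no signature, X/Y/R expired/revoked.
new_commit_statuses() {   # $1 = old sha, $2 = new sha
    if [ "$1" = "$ZERO" ]; then
        # New branch: inspect only commits not reachable from existing refs.
        git log --format='%H %G?' "$2" --not --all
    else
        git log --format='%H %G?' "$1..$2"
    fi
}

# Read "<sha> <status>" lines on stdin; report offenders, return 1 if any.
reject_unsigned() {
    bad=0
    while read -r sha status; do
        case "$status" in
            G) ;;   # the only accepted state: valid signature, trusted key
            *) echo "rejected: $sha has signature status '$status'" >&2
               bad=1 ;;
        esac
    done
    return $bad
}

# Hook entry point: git feeds "<old> <new> <ref>" lines on stdin.
check_push() {
    rc=0
    while read -r old new ref; do
        [ "$new" = "$ZERO" ] && continue   # branch deletion, nothing to verify
        new_commit_statuses "$old" "$new" | reject_unsigned || rc=1
    done
    return $rc
}

# Run only when installed under the hook's name, so the file can be sourced.
case "${0##*/}" in
    pre-receive) check_push; exit $? ;;
esac
```

A non-zero exit from `pre-receive` makes git refuse the whole push, so one spoofed or unsigned commit blocks every ref in it. Status `U` is rejected on purpose: a signature from a key the server does not trust proves nothing about who made the commit.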

Yes, I noticed that 1.11.0 is in pre-release state which I already have installed on a container for testing.
Thanks a lot for the example and the information that there is an upcoming solution in the near future.
I will implement the block script for now.

Thanks John :slight_smile: