From 8809db41d8085d10c1355d101c4afd58148418bb Mon Sep 17 00:00:00 2001 From: silverwind <2021+silverwind@noreply.gitea.com> Date: Sun, 8 Mar 2026 18:20:51 +0000 Subject: [PATCH] Fix signed pushes documentation (#351) Now actually tested and working. All that's needed is the nonce in the gitea config. Reviewed-on: https://gitea.com/gitea/docs/pulls/351 Reviewed-by: Lunny Xiao --- docs/administration/customizing-gitea.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/administration/customizing-gitea.md b/docs/administration/customizing-gitea.md index 3439febd..100a570a 100644 --- a/docs/administration/customizing-gitea.md +++ b/docs/administration/customizing-gitea.md @@ -394,15 +394,16 @@ Starting with Gitea 1.20, you can customize the git configuration via the `git.c ### Enabling signed git pushes -To enable signed git pushes, set these two options: +[Signed pushes](https://git-scm.com/docs/git-push#Documentation/git-push.txt---signedtruefalseif-asked) allow clients to cryptographically sign the push operation itself (not just individual commits). To enable signed pushes, add the following to `app.ini`: ```ini [git.config] -receive.advertisePushOptions = true receive.certNonceSeed = ``` -`certNonceSeed` should be set to a random string and be kept secret. +`certNonceSeed` should be set to a random string and be kept secret. It is used to generate anti-replay nonces. Gitea already sets `receive.advertisePushOptions = true` by default, so no additional configuration is needed. Note that Gitea does not read `/etc/gitconfig`, so this option must be set via `app.ini` as shown above. + +On the client side, pushes can be signed via `git push --signed` or enabled permanently using `git config --global push.gpgSign if-asked`. ### Labels
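Review bot: The paragraph added after the `ini` block says "no additional configuration is needed" but never states what Gitea does with a signed push once `receive.certNonceSeed` is set: whether the push certificate is verified, whether it is recorded anywhere, and whether unsigned pushes are still accepted. An administrator could read this section as enabling enforcement, so please add a sentence that spells out the resulting server behaviour. In the client-side sentence, `push.gpgSign if-asked` is described as enabling signing "permanently", but `if-asked` signs only when the server advertises support and otherwise pushes unsigned without an error. Consider mentioning `push.gpgSign true` for users who want the push to fail when it cannot be signed. Finally, as the example is shown here, nothing follows `receive.certNonceSeed =`; a visible placeholder would make it clear that a value is required.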