feat: use AppDomain for key verification (#10429)

Fixes #10416 Followup to a hardcoded string in [gitea#17743](https://github.com/go-gitea/gitea/pull/17743) * instead of using a hardcoded namespace, use the configured application domain * `ssh-keygen` refuses to work with empty namespace, but `Domain` falls back to `localhost`: 95dca7ff57/modules/setting/server.go (L192) * since `VerifySSHKey` verifies the namespace, I think that using a mostly-unique string instead of a hardcoded one doesn't hurt. Here's what `man ssh-keygen` says on the topic: > An additional signature namespace, used to prevent signature confusion across different domains of use (e.g. file signing vs email signing) must be provided via the -n flag. Namespaces are arbitrary strings, and may include: “file” for file signing, “email” for email signing. For custom uses, it is recommended to use names following a NAMESPACE@YOUR.DOMAIN pattern to generate unambiguous namespaces. ## Testing There's a test `TestFromOpenSSH` but it uses a hardcoded default namespace `file`: 95dca7ff57/models/asymkey/ssh_key_test.go (L334) Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10429 Reviewed-by: Beowulf <beowulf@beocode.eu> Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: 0ko <0ko@noreply.codeberg.org> Co-committed-by: 0ko <0ko@noreply.codeberg.org>
2026-05-12 22:10:25 +00:00 · 2025-12-17 17:01:14 +01:00 · 2025-12-17 17:01:14 +01:00 · 1ef5496055
commit 1ef5496055
parent e7f5c492f3
2 changed files with 7 additions and 6 deletions
--- a/templates/user/settings/keys_ssh.tmpl
+++ b/templates/user/settings/keys_ssh.tmpl
@ -78,19 +78,19 @@
 							<div class="help">
 								<br>
 								<p>{{ctx.Locale.Tr "settings.ssh_token_help"}}</p>
-								<div class="markup"><pre class="code-block"><code>echo -n '{{$.TokenToSign}}' | ssh-keygen -Y sign -n gitea -f ~/.ssh/id_ed25519 # or the path to the private key if it is different.</code></pre></div>
+								<div class="markup"><pre class="code-block"><code>echo -n '{{$.TokenToSign}}' | ssh-keygen -Y sign -n {{AppDomain}} -f ~/.ssh/id_ed25519 # or the path to the private key if it is different.</code></pre></div>
 								<br>
 								<p>{{ctx.Locale.Tr "settings.ssh_token_help_ssh_agent"}}</p>
-								<div class="markup"><pre class="code-block"><code>bash -c "echo -n '{{$.TokenToSign}}' | ssh-keygen -Y sign -n gitea -f <(echo '{{.OmitEmail}}')"</code></pre></div>
+								<div class="markup"><pre class="code-block"><code>bash -c "echo -n '{{$.TokenToSign}}' | ssh-keygen -Y sign -n {{AppDomain}} -f <(echo '{{.OmitEmail}}')"</code></pre></div>
 								<br>
 								<details>
 									<summary>Windows PowerShell</summary>
-									<div class="markup"><pre class="code-block"><code>cmd /c "&lt;NUL set /p=`"{{$.TokenToSign}}`"| ssh-keygen -Y sign -n gitea -f /path_to_PrivateKey_or_RelatedPublicKey"</code></pre></div>
+									<div class="markup"><pre class="code-block"><code>cmd /c "&lt;NUL set /p=`"{{$.TokenToSign}}`"| ssh-keygen -Y sign -n {{AppDomain}} -f /path_to_PrivateKey_or_RelatedPublicKey"</code></pre></div>
 								</details>
 								<br>
 								<details>
 									<summary>Windows CMD</summary>
-									<div class="markup"><pre class="code-block"><code>&lt;NUL set /p="{{$.TokenToSign}}"| ssh-keygen -Y sign -n gitea -f /path_to_PrivateKey_or_RelatedPublicKey</code></pre></div>
+									<div class="markup"><pre class="code-block"><code>&lt;NUL set /p="{{$.TokenToSign}}"| ssh-keygen -Y sign -n {{AppDomain}} -f /path_to_PrivateKey_or_RelatedPublicKey</code></pre></div>
 								</details>
 							</div>
 							<br>