tickets #169426
open
Commit signing for Weblate
100%
Description
Hello,
https://l10n.opensuse.org/ is not signing the Git commits as of today, which is considered a good practice to ensure that the commit author can be verified (in this case it would be the automation).
This would allow repositories with translations coming from Weblate to enforce commit signing, which is now possible right now. Otherwise it can't be enforced as it's only allowed for everyone or for nobody (otherwise people can't prepare ports that include commits that are not signed, as those from Weblate are).
Weblate has this functionality: https://docs.weblate.org/en/latest/admin/config.html#std-setting-WEBLATE_GPG_IDENTITY
It means providing a private key, and adding it to the configuration, and of course then adding the public part to the user submitting to GitHub, GitLab, etc.
While I understand l10n.opensuse.org is now not managed by openSUSE, maybe you can talk to their administrators?
I sent them a message 3-4 weeks ago via https://l10n.opensuse.org/contact/, but so far I didn't receive feedback (no clue if the form even works, it didn't send me a copy of the message).
Thanks!
Updated by crameleon about 2 months ago
- Category set to Weblate
- Assignee set to weblate-admins
- Private changed from Yes to No
Updated by sbrabec about 2 months ago
The form worked and I read the message.
I read the documentation and checked the options available to the Weblate Hosted admin. It seems that turning it on needs a higher level of admin privileges that we don't have (edit the Weblate configuration file).
I just contacted Benjamin Alan Jamie | Weblate <benjamin@weblate.org> and am waiting for the response.
Updated by sbrabec about 2 months ago · Edited
Alice Visek via Weblate Care care@weblate.org
Hello Stanislav,
yes, we can change this configuration for you. In order to do this, we need to know which keys you would like to use. There are two options:
- We can generate new keys and share them with you.
- We can use your existing key. In such a case, you may share the keys in a file at this link: https://nextcloud.weblate.org/s/xxxxxxxxxxxxxx Password: xxxxxxxxxx
Which option do you prefer?
Once you let us know, we will be able to change the configuration for you.
Kind regards
Alice
--
Weblate
From: Stanislav Brabec
openSUSE Weblate has never used GPG signing yet for any purpose, so we
don't have any. Please generate a new pair.
Thank you.
Updated by sbrabec about 1 month ago
- % Done changed from 0 to 60
Benjamin Alan Jamie via Weblate Care
13:23 (3 hours ago)
to: me
Hello Standa,
We have set it up with the e-mail weblate-noreply@opensuse.org, you can find the keys at https://l10n.opensuse.org/keys/.
Kind regards,
Benjamin
Note: I contacted the openSUSE mail admin and am trying to verify this e-mail address at GitHub, so it will be associated with https://github.com/opensuse-i18n
Updated by crameleon about 1 month ago
- Related to tickets #169993: I need to verify weblate-noreply@opensuse.org added
Updated by sbrabec about 1 month ago
- % Done changed from 60 to 80
And now weblate-noreply@opensuse.org is a verified e-mail for https://github.com/opensuse-i18n (see https://progress.opensuse.org/issues/169993), so it is properly associated with the GitHub account.
Please test whether it works as expected or whether there is still some work to be done.
Updated by sbrabec about 1 month ago
- % Done changed from 80 to 100
The key is now deployed to GitHub and commits are verified.
Example: https://github.com/openSUSE/libzypp/commit/9f04c4a7185d9316010f92e9d24ad161c417dea1
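The following is an added example, not part of the ticket and not openSUSE or Weblate tooling: a shell check a repository maintainer could run before enforcing signed commits, listing every commit authored as weblate-noreply@opensuse.org that lacks an acceptable signature. The function names and the sample hashes are constructed for illustration; for git to report `G` or `U`, the public key published at https://l10n.opensuse.org/keys/ has to be imported into the local GnuPG keyring first.

```shell
#!/usr/bin/env bash
# Audit the signature status of commits made by the Weblate identity.
# Input on stdin, one commit per line: "<hash> <status> <author-email>",
# as produced by:   git log --format='%H %G? %ae' <range>
# %G? letters (git-log(1)): G good, U good but key validity unknown,
# B bad, X expired signature, Y expired key, R revoked key,
# E cannot be checked (e.g. key missing), N no signature.

WEBLATE_EMAIL="weblate-noreply@opensuse.org"   # address named in the ticket

# audit_weblate_signatures [ACCEPTED]   (hypothetical helper name)
# ACCEPTED is the set of status letters treated as passing (default "G";
# pass "GU" if the key is imported but not marked trusted locally).
# Prints "<hash> <status>" for each failing Weblate commit and
# returns 1 if at least one was found, 0 otherwise.
audit_weblate_signatures() {
    local accepted="${1:-G}" hash status email failed=0
    while read -r hash status email; do
        # Skip malformed lines and commits by other authors.
        [ -n "$status" ] && [ "$email" = "$WEBLATE_EMAIL" ] || continue
        case "$accepted" in
            *"$status"*) continue ;;          # acceptable signature
        esac
        printf '%s %s\n' "$hash" "$status"
        failed=1
    done
    return "$failed"
}

# Constructed sample input; the hashes are placeholders, not real commits.
sample_log() {
    cat <<'EOF'
aaaaaaa1 G weblate-noreply@opensuse.org
aaaaaaa2 N weblate-noreply@opensuse.org
aaaaaaa3 N dev@example.org
aaaaaaa4 E weblate-noreply@opensuse.org
aaaaaaa5 U weblate-noreply@opensuse.org
EOF
}

# Real use, inside a clone:
#   git log --format='%H %G? %ae' origin/master | audit_weblate_signatures GU
```

Commits reported with `N` predate the key deployment or bypassed signing; `E` usually means the verifying machine has not imported the public key.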