github-starred/gitea
2
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-03-11 17:46:29 -05:00
Code Issues 2.6k Packages Projects Releases 100 Wiki Activity

Pushing new branch fails if new branch is covered by rule requiring signed commits #11126

New Issue
Closed
opened 2025-11-02 09:28:18 -06:00 by GiteaMirror · 8 comments
GiteaMirror commented 2025-11-02 09:28:18 -06:00
Owner
Copy Link

Originally created by @Craig-Holmquist-NTI on GitHub (Jun 28, 2023).

Description

If a new branch is pushed, and the repository has a rule that would require signed commits for the new branch, the commit is rejected with a 500 error regardless of whether it's signed.

When pushing a new branch, the "old" commit is the empty ID (0000000000000000000000000000000000000000). verifyCommits has no provision for this and passes an invalid commit range to git rev-list. Prior to 1.19 this wasn't an issue because only pre-existing individual branches could be protected.

I was able to reproduce with https://try.gitea.io/CraigTest/test, which is set up with a blanket rule to require commits on all branches.

Gitea Version

1.19.3

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

https://gist.github.com/Craig-Holmquist-NTI/1267366c5beb28eb38b8c49cd3de7f5c

Screenshots

No response

Git Version

2.41.0.windows.1

Operating System

Windows 10

How are you running Gitea?

gitea-1.19.3-windows-4.0-amd64.exe binary downloaded from gitea.com, run from command line in a simple test environment

Database

SQLite

Originally created by @Craig-Holmquist-NTI on GitHub (Jun 28, 2023). ### Description If a new branch is pushed, and the repository has a rule that would require signed commits for the new branch, the commit is rejected with a 500 error regardless of whether it's signed. When pushing a new branch, the "old" commit is the empty ID (0000000000000000000000000000000000000000). verifyCommits has no provision for this and passes an invalid commit range to git rev-list. Prior to 1.19 this wasn't an issue because only pre-existing individual branches could be protected. I was able to reproduce with https://try.gitea.io/CraigTest/test, which is set up with a blanket rule to require commits on all branches. ### Gitea Version 1.19.3 ### Can you reproduce the bug on the Gitea demo site? Yes ### Log Gist https://gist.github.com/Craig-Holmquist-NTI/1267366c5beb28eb38b8c49cd3de7f5c ### Screenshots _No response_ ### Git Version 2.41.0.windows.1 ### Operating System Windows 10 ### How are you running Gitea? gitea-1.19.3-windows-4.0-amd64.exe binary downloaded from gitea.com, run from command line in a simple test environment ### Database SQLite
GiteaMirror added the issue/confirmedtype/bug labels 2025-11-02 09:28:18 -06:00
GiteaMirror commented 2025-11-02 09:28:19 -06:00
Author
Owner
Copy Link

@theanurin commented on GitHub (Aug 18, 2023):

+1 on docker-based gitea/gitea:1.20.2-rootless

Server Log

2023/08/18 10:26:58 ...hook_verification.go:49:verifyCommits() [E] Unable to check commits from 0000000000000000000000000000000000000000 to 8cba4b5f8f4d2411c39d1474b4e24b0aa82880a7 in /var/lib/gitea/git/repositories/xxxxx/xxxxx.git: exit status 128

2023/08/18 10:26:58 .../hook_pre_receive.go:209:preReceiveBranch() [E] Unable to check commits from 0000000000000000000000000000000000000000 to 8cba4b5f8f4d2411c39d1474b4e24b0aa82880a7 in <Repository 21:xxxxx/xxxxx>: exit status 128

Client Log

git push ......
Total 0 (delta 0), reused 0 (delta 0), pack-reused 0
remote: 
remote: Gitea: Internal Server Error (no message for end users)
To ssh://git.xxxxxxxxx.xxx:xxxxx/xxxxx/xxxxx.git
 ! [remote rejected]     dev -> dev (pre-receive hook declined)
error: failed to push some refs to 'ssh://git.xxxxxxxxx.xxx:xxxxx/xxxxx/xxxxx.git'
@theanurin commented on GitHub (Aug 18, 2023): +1 on docker-based `gitea/gitea:1.20.2-rootless` ## Server Log ```text 2023/08/18 10:26:58 ...hook_verification.go:49:verifyCommits() [E] Unable to check commits from 0000000000000000000000000000000000000000 to 8cba4b5f8f4d2411c39d1474b4e24b0aa82880a7 in /var/lib/gitea/git/repositories/xxxxx/xxxxx.git: exit status 128 2023/08/18 10:26:58 .../hook_pre_receive.go:209:preReceiveBranch() [E] Unable to check commits from 0000000000000000000000000000000000000000 to 8cba4b5f8f4d2411c39d1474b4e24b0aa82880a7 in <Repository 21:xxxxx/xxxxx>: exit status 128 ``` ## Client Log ```shell git push ...... Total 0 (delta 0), reused 0 (delta 0), pack-reused 0 remote: remote: Gitea: Internal Server Error (no message for end users) To ssh://git.xxxxxxxxx.xxx:xxxxx/xxxxx/xxxxx.git ! [remote rejected] dev -> dev (pre-receive hook declined) error: failed to push some refs to 'ssh://git.xxxxxxxxx.xxx:xxxxx/xxxxx/xxxxx.git' ```
GiteaMirror commented 2025-11-02 09:28:19 -06:00
Author
Owner
Copy Link

@CaiCandong commented on GitHub (Aug 21, 2023):

I can reproduce this bug too.
The command git rev-list old...new can't handle the case of old is an empty ID. Does anyone have a solution to list the sha of G and H.
~E5CZAL 0CUQV`KXDJB0A7H

@CaiCandong commented on GitHub (Aug 21, 2023): I can reproduce this bug too. The command `git rev-list old...new` can't handle the case of old is an empty ID. Does anyone have a solution to list the `sha` of G and H. ![~E5CZAL 0CUQV`KXDJB0A7H](https://github.com/go-gitea/gitea/assets/50507092/23089f3f-1646-4f74-96f2-002e564940a9)
GiteaMirror commented 2025-11-02 09:28:20 -06:00
Author
Owner
Copy Link

@Craig-Holmquist-NTI commented on GitHub (Aug 21, 2023):

One solution (per https://stackoverflow.com/a/34902814) is to use:

git rev-list newCommitID --not --all

whenever the old commit ID is empty. This works because the new branch doesn't exist when the pre-receive hook is run, so it finds commits reachable from newCommitID but not from any pre-existing ref.

@Craig-Holmquist-NTI commented on GitHub (Aug 21, 2023): One solution (per https://stackoverflow.com/a/34902814) is to use: `git rev-list newCommitID --not --all` whenever the old commit ID is empty. This works because the new branch doesn't exist when the pre-receive hook is run, so it finds commits reachable from newCommitID but not from any pre-existing ref.
GiteaMirror commented 2025-11-02 09:28:20 -06:00
Author
Owner
Copy Link

@CaiCandong commented on GitHub (Aug 21, 2023):

git rev-list newCommitID --not --all

no work

@CaiCandong commented on GitHub (Aug 21, 2023): > git rev-list newCommitID --not --all no work
GiteaMirror commented 2025-11-02 09:28:20 -06:00
Author
Owner
Copy Link

@Craig-Holmquist-NTI commented on GitHub (Aug 21, 2023):

git rev-list newCommitID --not --all

no work

You'll have to provide a little more detail. It works in a fork my company's been using.

@Craig-Holmquist-NTI commented on GitHub (Aug 21, 2023): > > git rev-list newCommitID --not --all > > no work You'll have to provide a little more detail. It works in a fork my company's been using.
GiteaMirror commented 2025-11-02 09:28:20 -06:00
Author
Owner
Copy Link

@CaiCandong commented on GitHub (Aug 22, 2023):

@Craig-Holmquist-NTI
I modified the Gitea code to look like this :

image

but it did not work, the result of this command git rev-list newCommitID --not --all is empty

@CaiCandong commented on GitHub (Aug 22, 2023): @Craig-Holmquist-NTI I modified the Gitea code to look like this : ![image](https://github.com/go-gitea/gitea/assets/50507092/9faf2a4e-6024-4d05-a267-2f1a7f481393) but it did not work, the result of this command `git rev-list newCommitID --not --all` is empty
GiteaMirror commented 2025-11-02 09:28:20 -06:00
Author
Owner
Copy Link

@Craig-Holmquist-NTI commented on GitHub (Aug 22, 2023):

@CaiCandong
I think that code will run git rev-list --not --all newCommitID, not git rev-list newCommitID --not --all. newCommitID has to come before --not --all; otherwise the --not negates it too.

What ours looks like:

var cmd *git.Command
	
if oldCommitID == git.EmptySHA {
    cmd = git.NewCommand(repo.Ctx, "rev-list", newCommitID, "--not", "--all")
} else {
    cmd = git.NewCommand(repo.Ctx, "rev-list", oldCommitID+"..."+newCommitID) 
}
@Craig-Holmquist-NTI commented on GitHub (Aug 22, 2023): @CaiCandong I think that code will run `git rev-list --not --all newCommitID`, not `git rev-list newCommitID --not --all`. newCommitID has to come before `--not --all`; otherwise the `--not` negates it too. What ours looks like: ``` var cmd *git.Command if oldCommitID == git.EmptySHA { cmd = git.NewCommand(repo.Ctx, "rev-list", newCommitID, "--not", "--all") } else { cmd = git.NewCommand(repo.Ctx, "rev-list", oldCommitID+"..."+newCommitID) } ```
GiteaMirror commented 2025-11-02 09:28:21 -06:00
Author
Owner
Copy Link

@CaiCandong commented on GitHub (Aug 22, 2023):

I think that code will run git rev-list --not --all newCommitID

It worked, thank you very much!

@CaiCandong commented on GitHub (Aug 22, 2023): > I think that code will run `git rev-list --not --all newCommitID` It worked, thank you very much!
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
$20
$250
$50
$500
backport/done
💎 Bounty
docs-update-needed
good first issue
hacktoberfest
issue/bounty
issue/confirmed
issue/critical
issue/duplicate
issue/needs-feedback
issue/not-a-bug
issue/regression
issue/stale
issue/workaround
lgtm/need 2
modifies/api
modifies/translation
outdated/backport/v1.18
outdated/theme/markdown
outdated/theme/timetracker
performance/bigrepo
performance/cpu
performance/memory
performance/speed
pr/breaking
proposal/accepted
proposal/rejected
pr/wip
pull-request
Mirrored from GitHub Pull Request
 reviewed/wontfix
💰 Rewarded
skip-changelog
status/blocked
topic/accessibility
topic/api
topic/authentication
topic/build
topic/code-linting
topic/commit-signing
topic/content-rendering
topic/deployment
topic/distribution
topic/federation
topic/gitea-actions
topic/issues
topic/lfs
topic/mobile
topic/moderation
topic/packages
topic/pr
topic/projects
topic/repo
topic/repo-migration
topic/security
topic/theme
topic/ui
topic/ui-interaction
topic/ux
topic/webhooks
topic/wiki
type/bug
type/deprecation
type/docs
type/enhancement
type/feature
type/miscellaneous
type/proposal
type/question
type/refactoring
type/summary
type/testing
type/upstream
No Label issue/confirmed type/bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#11126
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?