feat(github): support GPG verification (#7996 close #7986)

* feat(github): support GPG verification

* chore

Author: KirCute

drivers/github/driver.go

@@ -3,7 +3,6 @@ package github
 import (
 	"context"
 	"encoding/base64"
-	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -12,12 +11,14 @@ import (
 	"sync"
 	"text/template"
 
+	"github.com/ProtonMail/go-crypto/openpgp"
 	"github.com/alist-org/alist/v3/drivers/base"
 	"github.com/alist-org/alist/v3/internal/driver"
 	"github.com/alist-org/alist/v3/internal/errs"
 	"github.com/alist-org/alist/v3/internal/model"
 	"github.com/alist-org/alist/v3/pkg/utils"
 	"github.com/go-resty/resty/v2"
+	"github.com/pkg/errors"
 	log "github.com/sirupsen/logrus"
 )
 
@@ -33,6 +34,7 @@ type Github struct {
 	moveMsgTmpl   *template.Template
 	isOnBranch    bool
 	commitMutex   sync.Mutex
+	pgpEntity     *openpgp.Entity
 }
 
 func (d *Github) Config() driver.Config {
@@ -102,6 +104,26 @@ func (d *Github) Init(ctx context.Context) error {
 		_, err = d.getBranchHead()
 		d.isOnBranch = err == nil
 	}
+	if d.GPGPrivateKey != "" {
+		if d.CommitterName == "" || d.AuthorName == "" {
+			user, e := d.getAuthenticatedUser()
+			if e != nil {
+				return e
+			}
+			if d.CommitterName == "" {
+				d.CommitterName = user.Name
+				d.CommitterEmail = user.Email
+			}
+			if d.AuthorName == "" {
+				d.AuthorName = user.Name
+				d.AuthorEmail = user.Email
+			}
+		}
+		d.pgpEntity, err = loadPrivateKey(d.GPGPrivateKey, d.GPGKeyPassphrase)
+		if err != nil {
+			return err
+		}
+	}
 	return nil
 }
 
@@ -174,10 +196,39 @@ func (d *Github) MakeDir(ctx context.Context, parentDir model.Obj, dirName strin
 	if parent.Entries == nil {
 		return errs.NotFolder
 	}
-	// if parent folder contains .gitkeep only, mark it and delete .gitkeep later
-	gitKeepSha := ""
+	subDirSha, err := d.newTree("", []interface{}{
+		map[string]string{
+			"path":    ".gitkeep",
+			"mode":    "100644",
+			"type":    "blob",
+			"content": "",
+		},
+	})
+	if err != nil {
+		return err
+	}
+	newTree := make([]interface{}, 0, 2)
+	newTree = append(newTree, TreeObjReq{
+		Path: dirName,
+		Mode: "040000",
+		Type: "tree",
+		Sha:  subDirSha,
+	})
 	if len(parent.Entries) == 1 && parent.Entries[0].Name == ".gitkeep" {
-		gitKeepSha = parent.Entries[0].Sha
+		newTree = append(newTree, TreeObjReq{
+			Path: ".gitkeep",
+			Mode: "100644",
+			Type: "blob",
+			Sha:  nil,
+		})
+	}
+	newSha, err := d.newTree(parent.Sha, newTree)
+	if err != nil {
+		return err
+	}
+	rootSha, err := d.renewParentTrees(parentDir.GetPath(), parent.Sha, newSha, "/")
+	if err != nil {
+		return err
 	}
 
 	commitMessage, err := getMessage(d.mkdirMsgTmpl, &MessageTemplateVars{
@@ -190,13 +241,7 @@ func (d *Github) MakeDir(ctx context.Context, parentDir model.Obj, dirName strin
 	if err != nil {
 		return err
 	}
-	if err = d.createGitKeep(stdpath.Join(parentDir.GetPath(), dirName), commitMessage); err != nil {
-		return err
-	}
-	if gitKeepSha != "" {
-		err = d.delete(stdpath.Join(parentDir.GetPath(), ".gitkeep"), gitKeepSha, commitMessage)
-	}
-	return err
+	return d.commit(commitMessage, rootSha)
 }
 
 func (d *Github) Move(ctx context.Context, srcObj, dstDir model.Obj) error {
@@ -639,24 +684,6 @@ func (d *Github) get(path string) (*Object, error) {
 	return &resp, err
 }
 
-func (d *Github) createGitKeep(path, message string) error {
-	body := map[string]interface{}{
-		"message": message,
-		"content": "",
-		"branch":  d.Ref,
-	}
-	d.addCommitterAndAuthor(&body)
-
-	res, err := d.client.R().SetBody(body).Put(d.getContentApiUrl(stdpath.Join(path, ".gitkeep")))
-	if err != nil {
-		return err
-	}
-	if res.StatusCode() != 200 && res.StatusCode() != 201 {
-		return toErr(res)
-	}
-	return nil
-}
-
 func (d *Github) putBlob(ctx context.Context, s model.FileStreamer, up driver.UpdateProgress) (string, error) {
 	beforeContent := "{\"encoding\":\"base64\",\"content\":\""
 	afterContent := "\"}"
@@ -717,23 +744,6 @@ func (d *Github) putBlob(ctx context.Context, s model.FileStreamer, up driver.Up
 	return resp.Sha, nil
 }
 
-func (d *Github) delete(path, sha, message string) error {
-	body := map[string]interface{}{
-		"message": message,
-		"sha":     sha,
-		"branch":  d.Ref,
-	}
-	d.addCommitterAndAuthor(&body)
-	res, err := d.client.R().SetBody(body).Delete(d.getContentApiUrl(path))
-	if err != nil {
-		return err
-	}
-	if res.StatusCode() != 200 {
-		return toErr(res)
-	}
-	return nil
-}
-
 func (d *Github) renewParentTrees(path, prevSha, curSha, until string) (string, error) {
 	for path != until {
 		path = stdpath.Dir(path)
@@ -795,11 +805,11 @@ func (d *Github) getTreeDirectly(path string) (*TreeResp, string, error) {
 }
 
 func (d *Github) newTree(baseSha string, tree []interface{}) (string, error) {
-	res, err := d.client.R().
-		SetBody(&TreeReq{
-			BaseTree: baseSha,
-			Trees:    tree,
-		}).
+	body := &TreeReq{Trees: tree}
+	if baseSha != "" {
+		body.BaseTree = baseSha
+	}
+	res, err := d.client.R().SetBody(body).
 		Post(fmt.Sprintf("https://api.github.com/repos/%s/%s/git/trees", d.Owner, d.Repo))
 	if err != nil {
 		return "", err
@@ -822,6 +832,13 @@ func (d *Github) commit(message, treeSha string) error {
 		"parents": []string{oldCommit},
 	}
 	d.addCommitterAndAuthor(&body)
+	if d.pgpEntity != nil {
+		signature, e := signCommit(&body, d.pgpEntity)
+		if e != nil {
+			return e
+		}
+		body["signature"] = signature
+	}
 	res, err := d.client.R().SetBody(body).Post(fmt.Sprintf("https://api.github.com/repos/%s/%s/git/commits", d.Owner, d.Repo))
 	if err != nil {
 		return err
@@ -925,6 +942,21 @@ func (d *Github) getRepo() (*RepoResp, error) {
 	return &resp, nil
 }
 
+func (d *Github) getAuthenticatedUser() (*UserResp, error) {
+	res, err := d.client.R().Get("https://api.github.com/user")
+	if err != nil {
+		return nil, err
+	}
+	if res.StatusCode() != 200 {
+		return nil, toErr(res)
+	}
+	resp := &UserResp{}
+	if err = utils.Json.Unmarshal(res.Body(), resp); err != nil {
+		return nil, err
+	}
+	return resp, nil
+}
+
 func (d *Github) addCommitterAndAuthor(m *map[string]interface{}) {
 	if d.CommitterName != "" {
 		committer := map[string]string{

drivers/github/meta.go

@@ -7,21 +7,23 @@ import (
 
 type Addition struct {
 	driver.RootPath
-	Token           string `json:"token" type:"string"`
-	Owner           string `json:"owner" type:"string" required:"true"`
-	Repo            string `json:"repo" type:"string" required:"true"`
-	Ref             string `json:"ref" type:"string" help:"A branch, a tag or a commit SHA, main branch by default."`
-	GitHubProxy     string `json:"gh_proxy" type:"string" help:"GitHub proxy, e.g. https://ghproxy.net/raw.githubusercontent.com or https://gh-proxy.com/raw.githubusercontent.com"`
-	CommitterName   string `json:"committer_name" type:"string"`
-	CommitterEmail  string `json:"committer_email" type:"string"`
-	AuthorName      string `json:"author_name" type:"string"`
-	AuthorEmail     string `json:"author_email" type:"string"`
-	MkdirCommitMsg  string `json:"mkdir_commit_message" type:"text" default:"{{.UserName}} mkdir {{.ObjPath}}"`
-	DeleteCommitMsg string `json:"delete_commit_message" type:"text" default:"{{.UserName}} remove {{.ObjPath}}"`
-	PutCommitMsg    string `json:"put_commit_message" type:"text" default:"{{.UserName}} upload {{.ObjPath}}"`
-	RenameCommitMsg string `json:"rename_commit_message" type:"text" default:"{{.UserName}} rename {{.ObjPath}} to {{.TargetName}}"`
-	CopyCommitMsg   string `json:"copy_commit_message" type:"text" default:"{{.UserName}} copy {{.ObjPath}} to {{.TargetPath}}"`
-	MoveCommitMsg   string `json:"move_commit_message" type:"text" default:"{{.UserName}} move {{.ObjPath}} to {{.TargetPath}}"`
+	Token            string `json:"token" type:"string" required:"true"`
+	Owner            string `json:"owner" type:"string" required:"true"`
+	Repo             string `json:"repo" type:"string" required:"true"`
+	Ref              string `json:"ref" type:"string" help:"A branch, a tag or a commit SHA, main branch by default."`
+	GitHubProxy      string `json:"gh_proxy" type:"string" help:"GitHub proxy, e.g. https://ghproxy.net/raw.githubusercontent.com or https://gh-proxy.com/raw.githubusercontent.com"`
+	GPGPrivateKey    string `json:"gpg_private_key" type:"text"`
+	GPGKeyPassphrase string `json:"gpg_key_passphrase" type:"string"`
+	CommitterName    string `json:"committer_name" type:"string"`
+	CommitterEmail   string `json:"committer_email" type:"string"`
+	AuthorName       string `json:"author_name" type:"string"`
+	AuthorEmail      string `json:"author_email" type:"string"`
+	MkdirCommitMsg   string `json:"mkdir_commit_message" type:"text" default:"{{.UserName}} mkdir {{.ObjPath}}"`
+	DeleteCommitMsg  string `json:"delete_commit_message" type:"text" default:"{{.UserName}} remove {{.ObjPath}}"`
+	PutCommitMsg     string `json:"put_commit_message" type:"text" default:"{{.UserName}} upload {{.ObjPath}}"`
+	RenameCommitMsg  string `json:"rename_commit_message" type:"text" default:"{{.UserName}} rename {{.ObjPath}} to {{.TargetName}}"`
+	CopyCommitMsg    string `json:"copy_commit_message" type:"text" default:"{{.UserName}} copy {{.ObjPath}} to {{.TargetPath}}"`
+	MoveCommitMsg    string `json:"move_commit_message" type:"text" default:"{{.UserName}} move {{.ObjPath}} to {{.TargetPath}}"`
 }
 
 var config = driver.Config{

drivers/github/types.go

@@ -79,7 +79,7 @@ type TreeResp struct {
 }
 
 type TreeReq struct {
-	BaseTree string        `json:"base_tree"`
+	BaseTree interface{}   `json:"base_tree,omitempty"`
 	Trees    []interface{} `json:"tree"`
 }
 
@@ -100,3 +100,8 @@ type UpdateRefReq struct {
 type RepoResp struct {
 	DefaultBranch string `json:"default_branch"`
 }
+
+type UserResp struct {
+	Name  string `json:"name"`
+	Email string `json:"email"`
+}

drivers/github/util.go

@@ -1,14 +1,20 @@
 package github
 
 import (
+	"bytes"
 	"context"
 	"errors"
 	"fmt"
+	"io"
+	"strings"
+	"text/template"
+	"time"
+
+	"github.com/ProtonMail/go-crypto/openpgp"
+	"github.com/ProtonMail/go-crypto/openpgp/armor"
 	"github.com/alist-org/alist/v3/internal/model"
 	"github.com/alist-org/alist/v3/pkg/utils"
 	"github.com/go-resty/resty/v2"
-	"strings"
-	"text/template"
 )
 
 type MessageTemplateVars struct {
@@ -97,3 +103,65 @@ func getUsername(ctx context.Context) string {
 	}
 	return user.Username
 }
+
+func loadPrivateKey(key, passphrase string) (*openpgp.Entity, error) {
+	entityList, err := openpgp.ReadArmoredKeyRing(strings.NewReader(key))
+	if err != nil {
+		return nil, err
+	}
+	if len(entityList) < 1 {
+		return nil, fmt.Errorf("no keys found in key ring")
+	}
+	entity := entityList[0]
+
+	pass := []byte(passphrase)
+	if entity.PrivateKey != nil && entity.PrivateKey.Encrypted {
+		if err = entity.PrivateKey.Decrypt(pass); err != nil {
+			return nil, fmt.Errorf("password incorrect: %+v", err)
+		}
+	}
+	for _, subKey := range entity.Subkeys {
+		if subKey.PrivateKey != nil && subKey.PrivateKey.Encrypted {
+			if err = subKey.PrivateKey.Decrypt(pass); err != nil {
+				return nil, fmt.Errorf("password incorrect: %+v", err)
+			}
+		}
+	}
+	return entity, nil
+}
+
+func signCommit(m *map[string]interface{}, entity *openpgp.Entity) (string, error) {
+	var commit strings.Builder
+	commit.WriteString(fmt.Sprintf("tree %s\n", (*m)["tree"].(string)))
+	parents := (*m)["parents"].([]string)
+	for _, p := range parents {
+		commit.WriteString(fmt.Sprintf("parent %s\n", p))
+	}
+	now := time.Now()
+	_, offset := now.Zone()
+	hour := offset / 3600
+	author := (*m)["author"].(map[string]string)
+	commit.WriteString(fmt.Sprintf("author %s <%s> %d %+03d00\n", author["name"], author["email"], now.Unix(), hour))
+	author["date"] = now.Format(time.RFC3339)
+	committer := (*m)["committer"].(map[string]string)
+	commit.WriteString(fmt.Sprintf("committer %s <%s> %d %+03d00\n", committer["name"], committer["email"], now.Unix(), hour))
+	committer["date"] = now.Format(time.RFC3339)
+	commit.WriteString(fmt.Sprintf("\n%s", (*m)["message"].(string)))
+	data := commit.String()
+
+	var sigBuffer bytes.Buffer
+	err := openpgp.DetachSign(&sigBuffer, entity, strings.NewReader(data), nil)
+	if err != nil {
+		return "", fmt.Errorf("signing failed: %v", err)
+	}
+	var armoredSig bytes.Buffer
+	armorWriter, err := armor.Encode(&armoredSig, "PGP SIGNATURE", nil)
+	if err != nil {
+		return "", err
+	}
+	if _, err = io.Copy(armorWriter, &sigBuffer); err != nil {
+		return "", err
+	}
+	_ = armorWriter.Close()
+	return armoredSig.String(), nil
+}

go.mod

@@ -7,6 +7,7 @@ toolchain go1.23.1
 require (
 	github.com/KirCute/ftpserverlib-pasvportmap v1.25.0
 	github.com/KirCute/sftpd-alist v0.0.12
+	github.com/ProtonMail/go-crypto v1.0.0
 	github.com/SheltonZhu/115driver v1.0.34
 	github.com/Xhofe/go-cache v0.0.0-20240804043513-b1a71927bc21
 	github.com/Xhofe/rateg v0.0.0-20230728072201-251a4e1adad4
@@ -90,6 +91,7 @@ require (
 	github.com/bytedance/sonic/loader v0.1.1 // indirect
 	github.com/charmbracelet/x/ansi v0.2.3 // indirect
 	github.com/charmbracelet/x/term v0.2.0 // indirect
+	github.com/cloudflare/circl v1.3.7 // indirect
 	github.com/cloudwego/base64x v0.1.4 // indirect
 	github.com/cloudwego/iasm v0.2.0 // indirect
 	github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707 // indirect