SSH commit signatures are unverified in the web UI if the noreply email address is used #11812

Open
opened 2025-11-02 09:48:32 -06:00 by GiteaMirror · 2 comments
Owner

Originally created by @6t8k on GitHub (Oct 8, 2023).

Description

Use case
Wanting to use an email address that cannot receive email (and therefore cannot be activated), and wanting to use SSH commit signatures at the same time.

The issue
Currently, SSH-signed commits are only shown as verified in the web UI if an activated email address (Settings -> Account -> Manage Email Addresses) is used as the committer email address.

If the noreply email address is used (the one that is automatically used e.g. when committing via the web UI), then the web UI shows the SSH-signed commits to be unverified: "No known key found for this signature in database".

Please inspect https://try.gitea.io/6t8k/ssh-sign-noreplyaddress-test/commits/branch/main
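and specifically this commit (https://try.gitea.io/6t8k/ssh-sign-noreplyaddress-test/commit/4132db9e0b82064c2d2c87ba45e41f101f6ffaca) for a live demonstration of the issue.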

Possible solution
From the noreply email address, which has the form <username>@noreply.<gitea-hostname>, it should be possible to associate the signature with the respective user's SSH key in order to verify the signature.

Additional context
With GPG commit signatures, it is already possible to sign commits that use the noreply email address and also have them shown as verified in Gitea's web UI.

GitHub does not have the hereby-reported issue: it shows SSH-signed commits as verified in the web UI even if the committer uses their individual GitHub-provided noreply email address.

Gitea Version

1.22.0+dev-139-g4335c332b

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

[Image: ssh-sign-noreplyaddress]

Please inspect https://try.gitea.io/6t8k/ssh-sign-noreplyaddress-test/commits/branch/main for a live demonstration of the issue.

Git Version

No response

Operating System

Linux

How are you running Gitea?

The issue can be demonstrated on https://try.gitea.io. At the time of writing, it reported its version as 1.22.0+dev-140-g0c2a3f4cd.

The issue is also reproducible on a local Gitea 1.20.5 as well as 1.22.0+dev-139-g4335c332b (:nightly) installation on linux/amd64 following https://docs.gitea.com/installation/install-with-docker.

Database

SQLite
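
The mapping proposed under "Possible solution" above, as an added Go example that is not part of the original issue and is not Gitea's code. The `User` type, `ResolveSigner`, and the sample domain `noreply.git.example.org` are assumptions; the point it shows is that the noreply domain has to match exactly, so a look-alike domain never selects another user's keys.

```go
package main

import (
	"fmt"
	"strings"
)

// User is a hypothetical, simplified account record (not Gitea's model).
type User struct {
	Name            string
	ActivatedEmails []string
	VerifiedSSHKeys []string // fingerprints of keys the user proved ownership of
}

// ResolveSigner maps a committer email to the account whose verified SSH keys
// may be tried against the signature. It returns nil when no account matches.
func ResolveSigner(users []User, committerEmail, noReplyDomain string) *User {
	email := strings.ToLower(strings.TrimSpace(committerEmail))
	local, domain, ok := strings.Cut(email, "@")
	if !ok || local == "" {
		return nil
	}
	for i := range users {
		u := &users[i]
		// Behaviour described in the issue: activated addresses already match.
		for _, e := range u.ActivatedEmails {
			if strings.ToLower(e) == email {
				return u
			}
		}
		// Proposed behaviour: <username>@<noReplyDomain>. The domain must be
		// equal, not a prefix or suffix, so look-alike domains never match.
		if domain == strings.ToLower(noReplyDomain) && local == strings.ToLower(u.Name) {
			return u
		}
	}
	return nil
}

func main() {
	// Constructed sample data.
	users := []User{{Name: "alice", ActivatedEmails: []string{"alice@example.org"},
		VerifiedSSHKeys: []string{"SHA256:constructed-fingerprint"}}}
	for _, e := range []string{"alice@noreply.git.example.org",
		"alice@noreply.git.example.org.evil.example", "bob@noreply.git.example.org"} {
		fmt.Printf("%-45s matched=%v\n", e, ResolveSigner(users, e, "noreply.git.example.org") != nil)
	}
}
```

Only the resolved user's verified keys should then be tried against the commit signature; a match on the address alone proves nothing about the signer.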


@zeripath commented on GitHub (Oct 9, 2023):

These commits can't be automatically verified; you need to add the no-reply address to your key as an address it verifies.


@6t8k commented on GitHub (Oct 9, 2023):

@zeripath How would I do that? The key is verified, has my noreply address for try.gitea.io set as comment, and I put that same email address into the Key Name input field in the web UI when entering the key into Gitea:

[Image: ssh-publickey]

Is there another way to link an email address to an SSH key?

Reference: github-starred/gitea#11812