github-starred/gitea
2
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-03-11 17:46:29 -05:00
Code Issues 2.6k Packages Projects Releases 100 Wiki Activity

GPG not using correct UID #3257

New Issue
Closed
opened 2025-11-02 05:05:38 -06:00 by GiteaMirror · 14 comments
GiteaMirror commented 2025-11-02 05:05:38 -06:00
Owner
Copy Link

Originally created by @crabctrl on GitHub (Apr 27, 2019).

  • Gitea version (or commit ref): 1.7.0
  • Git version: 2.21.0
  • Operating system: Linux
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes
    • No
    • Not relevant

Description

My GPG key has a revoked UID attached to it (it was revoked since I no longer own the email address it refers to). My primary UID is valid, and the email address it points to has been added to my Gitea account. However, when trying to add my key, Gitea displays the old (revoked) UID as the primary, and any commits signed using the updated key are marked as No known key. I tried removing my old email address from my account, and now Gitea just says my I need to have my old address attached in order to load the key.

It seem that Gitea is not correctly loading the primary UID. In addition, the commits should still be verified even with the updated key; it should be loading all UIDs ideally. Any help would be greatly appreciated.

Originally created by @crabctrl on GitHub (Apr 27, 2019). - Gitea version (or commit ref): 1.7.0 - Git version: 2.21.0 - Operating system: Linux - Database (use `[x]`): - [ ] PostgreSQL - [ ] MySQL - [ ] MSSQL - [x] SQLite - Can you reproduce the bug at https://try.gitea.io: - [x] Yes - [ ] No - [ ] Not relevant ## Description My GPG key has a revoked UID attached to it (it was revoked since I no longer own the email address it refers to). My primary UID is valid, and the email address it points to has been added to my Gitea account. However, when trying to add my key, Gitea displays the old (revoked) UID as the primary, and any commits signed using the updated key are marked as `No known key`. I tried removing my old email address from my account, and now Gitea just says my I need to have my old address attached in order to load the key. It seem that Gitea is not correctly loading the primary UID. In addition, the commits should still be verified even with the updated key; it should be loading *all* UIDs ideally. Any help would be greatly appreciated.
GiteaMirror added the type/bug label 2025-11-02 05:05:38 -06:00
GiteaMirror commented 2025-11-02 05:05:39 -06:00
Author
Owner
Copy Link

@lafriks commented on GitHub (Apr 27, 2019):

Can you give your public gpg key that is problematic?

@lafriks commented on GitHub (Apr 27, 2019): Can you give your public gpg key that is problematic?
GiteaMirror commented 2025-11-02 05:05:40 -06:00
Author
Owner
Copy Link

@crabctrl commented on GitHub (Apr 27, 2019):

My key fingerprint is 0E72F749E5D4E92F1F1D5F2BCDAD63AE9DA934BE, the actual key is:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEXHmwNRYJKwYBBAHaRw8BAQdADJQJlOscbuBH+CyJC9GVm3kKBD0Az8Ew7yqy
MzQgwDm0KUFsZGVuIFBlZXRlcnMgPGFsZGVuLnBlZXRlcnNAbGVhZ3VlaC54eXo+
iJkEExYIAEECGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4ACGQEWIQQOcvdJ5dTp
Lx8dXyvNrWOunak0vgUCXMMqvAUJAkujhwAKCRDNrWOunak0vn92AQDmkeyYEmlx
cHrnnCJAHub3aq0/M960vqYKX+mpgXuapwD+LEEdQ1LDg+hmzaNsgF+JRI/GeRE+
NpH02rJydqnPmgOIjwQTFggAOBYhBA5y90nl1OkvHx1fK82tY66dqTS+BQJcwhFN
AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEM2tY66dqTS+508A+MZsy+wH
LD5gzke8keuZtsQwE4181PUN2YKr0pPQcJIBALHD2DIa0Zq91NiFRUq7wc8Bogsu
8ya4cjUZPf9RcdUBtCZBbGRlbiBQZWV0ZXJzIDxhbGRlbkBvcGVuZm9ydHJlc3Mu
eHl6PoiYBDAWCABAFiEEDnL3SeXU6S8fHV8rza1jrp2pNL4FAlzCEWUiHSBObyBs
b25nZXIgb3duIHRoaXMgZW1haWwgYWRkcmVzcwAKCRDNrWOunak0vsBhAP9ZxNlQ
q4ibb04LxQIwijK9brNge8Jqu2LInmcs0VXa9QD+JdkhYtRcFLXDyQi03uuAUa4y
hTYQvgeqP9EBllNbCwSIkAQTFggAOBYhBA5y90nl1OkvHx1fK82tY66dqTS+BQJc
ebA1AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEM2tY66dqTS+Rq4A/Az/
HkAVEFaIVR/E/IyfWpp30jhmior9iorrwR5zJcIXAQCqPRG7bKSv4t0M25z7MzGe
z4A8ru/O/2BWGbz3DwFoDrg4BFx5sDUSCisGAQQBl1UBBQEBB0C6aNJqaSPLAVVg
puuvK645awUD42NBnO863AVf23aXOgMBCAeIfgQYFggAJgIbDBYhBA5y90nl1Okv
Hx1fK82tY66dqTS+BQJcwyr7BQkCS6PGAAoJEM2tY66dqTS+J24BAJQE59jBQFwH
OYRCigOJJVsWWNs35TilZ1xaxs8mnDjHAQDo18Q/Uw1zBPH2Mr5LRAbQwnwoVwgU
FkzJRllII58iAA==
=SS9a
-----END PGP PUBLIC KEY BLOCK-----
@crabctrl commented on GitHub (Apr 27, 2019): My key fingerprint is `0E72F749E5D4E92F1F1D5F2BCDAD63AE9DA934BE`, the actual key is: ``` -----BEGIN PGP PUBLIC KEY BLOCK----- mDMEXHmwNRYJKwYBBAHaRw8BAQdADJQJlOscbuBH+CyJC9GVm3kKBD0Az8Ew7yqy MzQgwDm0KUFsZGVuIFBlZXRlcnMgPGFsZGVuLnBlZXRlcnNAbGVhZ3VlaC54eXo+ iJkEExYIAEECGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4ACGQEWIQQOcvdJ5dTp Lx8dXyvNrWOunak0vgUCXMMqvAUJAkujhwAKCRDNrWOunak0vn92AQDmkeyYEmlx cHrnnCJAHub3aq0/M960vqYKX+mpgXuapwD+LEEdQ1LDg+hmzaNsgF+JRI/GeRE+ NpH02rJydqnPmgOIjwQTFggAOBYhBA5y90nl1OkvHx1fK82tY66dqTS+BQJcwhFN AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEM2tY66dqTS+508A+MZsy+wH LD5gzke8keuZtsQwE4181PUN2YKr0pPQcJIBALHD2DIa0Zq91NiFRUq7wc8Bogsu 8ya4cjUZPf9RcdUBtCZBbGRlbiBQZWV0ZXJzIDxhbGRlbkBvcGVuZm9ydHJlc3Mu eHl6PoiYBDAWCABAFiEEDnL3SeXU6S8fHV8rza1jrp2pNL4FAlzCEWUiHSBObyBs b25nZXIgb3duIHRoaXMgZW1haWwgYWRkcmVzcwAKCRDNrWOunak0vsBhAP9ZxNlQ q4ibb04LxQIwijK9brNge8Jqu2LInmcs0VXa9QD+JdkhYtRcFLXDyQi03uuAUa4y hTYQvgeqP9EBllNbCwSIkAQTFggAOBYhBA5y90nl1OkvHx1fK82tY66dqTS+BQJc ebA1AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEM2tY66dqTS+Rq4A/Az/ HkAVEFaIVR/E/IyfWpp30jhmior9iorrwR5zJcIXAQCqPRG7bKSv4t0M25z7MzGe z4A8ru/O/2BWGbz3DwFoDrg4BFx5sDUSCisGAQQBl1UBBQEBB0C6aNJqaSPLAVVg puuvK645awUD42NBnO863AVf23aXOgMBCAeIfgQYFggAJgIbDBYhBA5y90nl1Okv Hx1fK82tY66dqTS+BQJcwyr7BQkCS6PGAAoJEM2tY66dqTS+J24BAJQE59jBQFwH OYRCigOJJVsWWNs35TilZ1xaxs8mnDjHAQDo18Q/Uw1zBPH2Mr5LRAbQwnwoVwgU FkzJRllII58iAA== =SS9a -----END PGP PUBLIC KEY BLOCK----- ```
GiteaMirror commented 2025-11-02 05:05:40 -06:00
Author
Owner
Copy Link

@sapk commented on GitHub (Apr 28, 2019):

Looking at your public key, the old UID is still the primary UID. It would need to check what identities is returned in from this keys where we search for matching emails. e83dddbd8c/models/gpg_key.go (L276)

@sapk commented on GitHub (Apr 28, 2019): ~Looking at your public key, the old UID is still the primary UID.~ It would need to check what identities is returned in from this keys where we search for matching emails. https://github.com/go-gitea/gitea/blob/e83dddbd8cbf9fcad8c177b58aec5f889c1d928e/models/gpg_key.go#L276
GiteaMirror commented 2025-11-02 05:05:40 -06:00
Author
Owner
Copy Link

@sapk commented on GitHub (Apr 29, 2019):

I added a test to debug, and I seems to get both emails listed so it should match at least your new email. I need to look further to find the mismatch.

@sapk commented on GitHub (Apr 29, 2019): I added a test to debug, and I seems to get both emails listed so it should match at least your new email. I need to look further to find the mismatch.
GiteaMirror commented 2025-11-02 05:05:40 -06:00
Author
Owner
Copy Link

@sapk commented on GitHub (Apr 29, 2019):

Maybe we should update the lib: 2c2b8311ae (diff-e7ace1eeeac9cdf4f5fe331bf53e3fb2)

@sapk commented on GitHub (Apr 29, 2019): Maybe we should update the lib: https://github.com/keybase/go-crypto/commit/2c2b8311ae1ea6931831c30d113bc2b818d4696f#diff-e7ace1eeeac9cdf4f5fe331bf53e3fb2
GiteaMirror commented 2025-11-02 05:05:41 -06:00
Author
Owner
Copy Link

@xf- commented on GitHub (Apr 30, 2019):

I use also multiple mail addresses in my key and commit with different once (work, private...).
@sapk you only look into loading issue of primary and not to load all UIDs or?

@xf- commented on GitHub (Apr 30, 2019): I use also multiple mail addresses in my key and commit with different once (work, private...). @sapk you only look into loading issue of primary and not to load all UIDs or?
GiteaMirror commented 2025-11-02 05:05:41 -06:00
Author
Owner
Copy Link

@sapk commented on GitHub (Apr 30, 2019):

@xf- We load all identities that are linked to the key. The problem here is that an identities is revoked in the key export and the lib we use still list it as a good identities. In fact if I recall well my testing, it doesn't even match/return the revocation.

@sapk commented on GitHub (Apr 30, 2019): @xf- We load all identities that are linked to the key. The problem here is that an identities is revoked in the key export and the lib we use still list it as a good identities. In fact if I recall well my testing, it doesn't even match/return the revocation.
GiteaMirror commented 2025-11-02 05:05:41 -06:00
Author
Owner
Copy Link

@xf- commented on GitHub (Apr 30, 2019):

@sapk deleted the key and imported it again. Now it works! THX

@xf- commented on GitHub (Apr 30, 2019): @sapk deleted the key and imported it again. Now it works! THX
GiteaMirror commented 2025-11-02 05:05:41 -06:00
Author
Owner
Copy Link

@crabctrl commented on GitHub (May 5, 2019):

Is something still needed from me? (I only ask because of the label)

@crabctrl commented on GitHub (May 5, 2019): Is something still needed from me? (I only ask because of the label)
GiteaMirror commented 2025-11-02 05:05:41 -06:00
Author
Owner
Copy Link

@sapk commented on GitHub (May 5, 2019):

@atoms118 No we have enough to reproduce (added as a test in #6794), To be fixed we would need to fix it in the lib we use that seems to list the identities of the revoked uid when it shouldn't (but doesn't list revoked uid for the key listed in there tests 😕). I haven't look futhermore.

@sapk commented on GitHub (May 5, 2019): @atoms118 No we have enough to reproduce (added as a test in #6794), To be fixed we would need to fix it in the lib we use that seems to list the identities of the revoked uid when it shouldn't (but doesn't list revoked uid for the key listed in there tests :confused:). I haven't look futhermore.
GiteaMirror commented 2025-11-02 05:05:42 -06:00
Author
Owner
Copy Link

@stale[bot] commented on GitHub (Jul 4, 2019):

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.

@stale[bot] commented on GitHub (Jul 4, 2019): This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.
GiteaMirror commented 2025-11-02 05:05:42 -06:00
Author
Owner
Copy Link

@sapk commented on GitHub (Jul 4, 2019):

This issue need to be kept open.

@sapk commented on GitHub (Jul 4, 2019): This issue need to be kept open.
GiteaMirror commented 2025-11-02 05:05:42 -06:00
Author
Owner
Copy Link

@zeripath commented on GitHub (Aug 13, 2020):

I am suspicious that this might have been resolved by #12155

@zeripath commented on GitHub (Aug 13, 2020): I am suspicious that this might have been resolved by #12155
GiteaMirror commented 2025-11-02 05:05:42 -06:00
Author
Owner
Copy Link

@zeripath commented on GitHub (Aug 13, 2020):

OK I'm not certain completely what's going on here.

There's likely a part of this issue which has been resolved by #12155 (which affects subkey verifcation.)

Another part is likely fixed by @techknowlogick's recent PR removing the email address reporting on a commit - (so not necessarily fixed but masked).

Now there is the question about whether we should be verifying against a revoked identity, and #12486 stops that but... I think we need to double check against what GH does for revoked IDs. There's an issue with the way GH uses git signatures here - it uses them as committer verification and therefore a signature matching a revoked email address is not necessarily incorrect.

There is a final potential issue that I can see:

When you are posting your keys are you pasting multiple keys on a single keyring? Because Gitea isn't currently set up to do - it would be possible to cope with that but it's not doing that at present.

@zeripath commented on GitHub (Aug 13, 2020): OK I'm not certain completely what's going on here. There's likely a part of this issue which has been resolved by #12155 (which affects subkey verifcation.) Another part is likely fixed by @techknowlogick's recent PR removing the email address reporting on a commit - (so not necessarily fixed but masked). Now there is the question about whether we should be verifying against a revoked identity, and #12486 stops that but... I think we need to double check against what GH does for revoked IDs. There's an issue with the way GH uses git signatures here - it uses them as committer verification and therefore a signature matching a revoked email address is not necessarily incorrect. There is a final potential issue that I can see: When you are posting your keys are you pasting multiple keys on a single keyring? Because Gitea isn't currently set up to do - it would be possible to cope with that but it's not doing that at present.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
$20
$250
$50
$500
backport/done
💎 Bounty
docs-update-needed
good first issue
hacktoberfest
issue/bounty
issue/confirmed
issue/critical
issue/duplicate
issue/needs-feedback
issue/not-a-bug
issue/regression
issue/stale
issue/workaround
lgtm/need 2
modifies/api
modifies/translation
outdated/backport/v1.18
outdated/theme/markdown
outdated/theme/timetracker
performance/bigrepo
performance/cpu
performance/memory
performance/speed
pr/breaking
proposal/accepted
proposal/rejected
pr/wip
pull-request
Mirrored from GitHub Pull Request
 reviewed/wontfix
💰 Rewarded
skip-changelog
status/blocked
topic/accessibility
topic/api
topic/authentication
topic/build
topic/code-linting
topic/commit-signing
topic/content-rendering
topic/deployment
topic/distribution
topic/federation
topic/gitea-actions
topic/issues
topic/lfs
topic/mobile
topic/moderation
topic/packages
topic/pr
topic/projects
topic/repo
topic/repo-migration
topic/security
topic/theme
topic/ui
topic/ui-interaction
topic/ux
topic/webhooks
topic/wiki
type/bug
type/deprecation
type/docs
type/enhancement
type/feature
type/miscellaneous
type/proposal
type/question
type/refactoring
type/summary
type/testing
type/upstream
No Label type/bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#3257
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?