No PGP signature on 1.9.1 tag/release #3789

Closed
opened 2025-11-02 05:25:14 -06:00 by GiteaMirror · 19 comments
Owner

Originally created by @ArchangeGabriel on GitHub (Aug 15, 2019).

Everything is in the title, in contrary to all previous versions since I started packaging Gitea for ArchLinux, this is the first one where the tag/release is not PGP signed. Is it expected? Can you fix that? Thanks.

Originally created by @ArchangeGabriel on GitHub (Aug 15, 2019). Everything is in the title, in contrary to all previous versions since I started packaging Gitea for ArchLinux, this is the first one where the tag/release is not PGP signed. Is it expected? Can you fix that? Thanks.
GiteaMirror added the type/question label 2025-11-02 05:25:14 -06:00
Author
Owner

@sapk commented on GitHub (Aug 15, 2019):

I think it just that it is an other @go-gitea/owners that make this tag and he doesn't use gpg generally. I don't think we enforce gpg on tag. It was just the the owners that previously done the tags use it.

@sapk commented on GitHub (Aug 15, 2019): I think it just that it is an other @go-gitea/owners that make this tag and he doesn't use gpg generally. I don't think we enforce gpg on tag. It was just the the owners that previously done the tags use it.
Author
Owner

@sapk commented on GitHub (Aug 15, 2019):

The binary is still signed.

@sapk commented on GitHub (Aug 15, 2019): The binary is still signed.
Author
Owner

@sapk commented on GitHub (Aug 15, 2019):

For insight, on discord maintainer channel I suggest to let as it is instead of re-tagging 1.9.1 and plan to release 1.9.2 soon as they are already fixes after 1.9.1.

@sapk commented on GitHub (Aug 15, 2019): For insight, on discord maintainer channel I suggest to let as it is instead of re-tagging 1.9.1 and plan to release 1.9.2 soon as they are already fixes after 1.9.1.
Author
Owner

@lunny commented on GitHub (Aug 15, 2019):

@sapk I always use gpg when I commit but missed tag. :(
@ArchangeGabriel Sorry for that and except the tag PGP signature, all binaries have signatures.

@lunny commented on GitHub (Aug 15, 2019): @sapk I always use gpg when I commit but missed tag. :( @ArchangeGabriel Sorry for that and except the tag PGP signature, all binaries have signatures.
Author
Owner

@ArchangeGabriel commented on GitHub (Aug 15, 2019):

Of course, but we don’t package from binaries, we always build from sources. ;)

I’m not in favour of re-tagging either actually, because this is generally a bad practice (though some of the common issues with that would not apply here, since the same commit would be tagged).

I’ll disable signature checking for this one specific update, but would appreciate if you release process actually includes enforcing signing the tag in the future. ;) Since you already do for all binaries artifacts, this should not be a big deal. :)

@ArchangeGabriel commented on GitHub (Aug 15, 2019): Of course, but we don’t package from binaries, we always build from sources. ;) I’m not in favour of re-tagging either actually, because this is generally a bad practice (though some of the common issues with that would not apply here, since the same commit would be tagged). I’ll disable signature checking for this one specific update, but would appreciate if you release process actually includes enforcing signing the tag in the future. ;) Since you already do for all binaries artifacts, this should not be a big deal. :)
Author
Owner

@anthraxx commented on GitHub (Aug 15, 2019):

Just a tiny hint, but one could also upload detatched signatures for the github source tarballs. This could even be done without re-tagging anything 😸

@anthraxx commented on GitHub (Aug 15, 2019): Just a tiny hint, but one could also upload detatched signatures for the github source tarballs. This could even be done without re-tagging anything :smile_cat:
Author
Owner

@sapk commented on GitHub (Aug 15, 2019):

Maybe we should add this issue to milestone 1.9.2 so that we indicate it in changelog as kind of fix from previous release and close it when 1.9.2 is release.

@sapk commented on GitHub (Aug 15, 2019): Maybe we should add this issue to milestone 1.9.2 so that we indicate it in changelog as kind of fix from previous release and close it when 1.9.2 is release.
Author
Owner

@techknowlogick commented on GitHub (Aug 22, 2019):

Closed as new tag released and it is signed.

@techknowlogick commented on GitHub (Aug 22, 2019): Closed as new tag released and it is signed.
Author
Owner

@ArchangeGabriel commented on GitHub (Aug 25, 2019):

@lunny I can’t find your public key anywhere, and https://github.com/lunny.gpg is broken. Can you upload it to a keyserver?

@ArchangeGabriel commented on GitHub (Aug 25, 2019): @lunny I can’t find your public key anywhere, and https://github.com/lunny.gpg is broken. Can you upload it to a keyserver?
Author
Owner

@sapk commented on GitHub (Aug 25, 2019):

The public key should be accessible here : https://pgp.mit.edu/pks/lookup?op=vindex&fingerprint=on&search=0x2D9AE806EC1592E2

@sapk commented on GitHub (Aug 25, 2019): The public key should be accessible here : https://pgp.mit.edu/pks/lookup?op=vindex&fingerprint=on&search=0x2D9AE806EC1592E2
Author
Owner

@ArchangeGabriel commented on GitHub (Aug 25, 2019):

@sapk That’s not @lunny key.

@ArchangeGabriel commented on GitHub (Aug 25, 2019): @sapk That’s not @lunny key.
Author
Owner

@sapk commented on GitHub (Aug 25, 2019):

Sorry I read to quickly.

@sapk commented on GitHub (Aug 25, 2019): Sorry I read to quickly.
Author
Owner

@lunny commented on GitHub (Aug 25, 2019):

@ArchangeGabriel It's strange https://github.com/lunny.gpg return:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Note: The keys with the following IDs couldn't be exported and need to be reuploaded C3B7C91B632F738A


=twTO
-----END PGP PUBLIC KEY BLOCK-----

@sapk The tag is not signed by giteabot, but publishers. I tagged v1.9.2 and it displayed well.

image

@ArchangeGabriel maybe it's github's problem?

@lunny commented on GitHub (Aug 25, 2019): @ArchangeGabriel It's strange https://github.com/lunny.gpg return: ``` -----BEGIN PGP PUBLIC KEY BLOCK----- Note: The keys with the following IDs couldn't be exported and need to be reuploaded C3B7C91B632F738A =twTO -----END PGP PUBLIC KEY BLOCK----- ``` @sapk The tag is not signed by giteabot, but publishers. I tagged v1.9.2 and it displayed well. ![image](https://user-images.githubusercontent.com/81045/63652870-ef486900-c797-11e9-9006-5fb9a4bff819.png) @ArchangeGabriel maybe it's github's problem?
Author
Owner

@ArchangeGabriel commented on GitHub (Aug 31, 2019):

Yes, GitHub is able to verify your signature but not to verify it. That is likely a bug on their side, but they are other places where you could upload your public key. :) Starting by this actual thread. ;)

@ArchangeGabriel commented on GitHub (Aug 31, 2019): Yes, GitHub is able to verify your signature but not to verify it. That is likely a bug on their side, but they are other places where you could upload your public key. :) Starting by this actual thread. ;)
Author
Owner

@ArchangeGabriel commented on GitHub (Jan 3, 2020):

@lunny I still can’t found your key anywhere. Can you upload your public key somewhere accessible please? :)

@ArchangeGabriel commented on GitHub (Jan 3, 2020): @lunny I still can’t found your key anywhere. Can you upload your _public_ key somewhere accessible please? :)
Author
Owner

@ArchangeGabriel commented on GitHub (Jan 3, 2020):

(Or just reupload it on GitHub as instructed by https://github.com/lunny.gpg)

@ArchangeGabriel commented on GitHub (Jan 3, 2020): (Or just reupload it on GitHub as instructed by https://github.com/lunny.gpg)
Author
Owner

@lunny commented on GitHub (Jan 3, 2020):

Let me try.

@lunny commented on GitHub (Jan 3, 2020): Let me try.
Author
Owner

@lunny commented on GitHub (Jan 3, 2020):

@ArchangeGabriel After I readded the same gpg public key, it's now OK.

@lunny commented on GitHub (Jan 3, 2020): @ArchangeGabriel After I readded the same gpg public key, it's now OK.
Author
Owner

@ArchangeGabriel commented on GitHub (Jan 3, 2020):

@lunny Thanks, perfect. :)

@ArchangeGabriel commented on GitHub (Jan 3, 2020): @lunny Thanks, perfect. :)
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#3789