mirror of
https://github.com/go-gitea/gitea.git
synced 2026-07-17 15:14:17 -05:00
No PGP signature on 1.9.1 tag/release #3789
Closed
opened 2025-11-02 05:25:14 -06:00 by GiteaMirror
·
19 comments
No Branch/Tag Specified
main
release/v1.25
release/v1.24
release/v1.23
release/v1.22
release/v1.21
release/v1.20
release/v1.19
release/v1.18
release/v1.17
release/v1.16
release/v1.15
release/v1.14
release/v1.13
release/v1.12
release/v1.11
release/v1.10
release/v1.9
release/v1.8
v1.25.3
v1.25.2
v1.25.1
v1.25.0
v1.24.7
v1.25.0-rc0
v1.26.0-dev
v1.24.6
v1.24.5
v1.24.4
v1.24.3
v1.24.2
v1.24.1
v1.24.0
v1.23.8
v1.24.0-rc0
v1.25.0-dev
v1.23.7
v1.23.6
v1.23.5
v1.23.4
v1.23.3
v1.23.2
v1.23.1
v1.23.0
v1.23.0-rc0
v1.24.0-dev
v1.22.6
v1.22.5
v1.22.4
v1.22.3
v1.22.2
v1.22.1
v1.22.0
v1.23.0-dev
v1.22.0-rc1
v1.21.11
v1.22.0-rc0
v1.21.10
v1.21.9
v1.21.8
v1.21.7
v1.21.6
v1.21.5
v1.21.4
v1.21.3
v1.21.2
v1.20.6
v1.21.1
v1.21.0
v1.21.0-rc2
v1.21.0-rc1
v1.20.5
v1.22.0-dev
v1.21.0-rc0
v1.20.4
v1.20.3
v1.20.2
v1.20.1
v1.20.0
v1.19.4
v1.21.0-dev
v1.20.0-rc2
v1.20.0-rc1
v1.20.0-rc0
v1.19.3
v1.19.2
v1.19.1
v1.19.0
v1.19.0-rc1
v1.20.0-dev
v1.19.0-rc0
v1.18.5
v1.18.4
v1.18.3
v1.18.2
v1.18.1
v1.18.0
v1.17.4
v1.18.0-rc1
v1.19.0-dev
v1.18.0-rc0
v1.17.3
v1.17.2
v1.17.1
v1.17.0
v1.17.0-rc2
v1.16.9
v1.17.0-rc1
v1.18.0-dev
v1.16.8
v1.16.7
v1.16.6
v1.16.5
v1.16.4
v1.16.3
v1.16.2
v1.16.1
v1.16.0
v1.15.11
v1.17.0-dev
v1.16.0-rc1
v1.15.10
v1.15.9
v1.15.8
v1.15.7
v1.15.6
v1.15.5
v1.15.4
v1.15.3
v1.15.2
v1.15.1
v1.14.7
v1.15.0
v1.15.0-rc3
v1.14.6
v1.15.0-rc2
v1.14.5
v1.16.0-dev
v1.15.0-rc1
v1.14.4
v1.14.3
v1.14.2
v1.14.1
v1.14.0
v1.13.7
v1.14.0-rc2
v1.13.6
v1.13.5
v1.14.0-rc1
v1.15.0-dev
v1.13.4
v1.13.3
v1.13.2
v1.13.1
v1.13.0
v1.12.6
v1.13.0-rc2
v1.14.0-dev
v1.13.0-rc1
v1.12.5
v1.12.4
v1.12.3
v1.12.2
v1.12.1
v1.11.8
v1.12.0
v1.11.7
v1.12.0-rc2
v1.11.6
v1.12.0-rc1
v1.13.0-dev
v1.11.5
v1.11.4
v1.11.3
v1.10.6
v1.12.0-dev
v1.11.2
v1.10.5
v1.11.1
v1.10.4
v1.11.0
v1.11.0-rc2
v1.10.3
v1.11.0-rc1
v1.10.2
v1.10.1
v1.10.0
v1.9.6
v1.9.5
v1.10.0-rc2
v1.11.0-dev
v1.10.0-rc1
v1.9.4
v1.9.3
v1.9.2
v1.9.1
v1.9.0
v1.9.0-rc2
v1.10.0-dev
v1.9.0-rc1
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.8.0-rc3
v1.7.6
v1.8.0-rc2
v1.7.5
v1.8.0-rc1
v1.9.0-dev
v1.7.4
v1.7.3
v1.7.2
v1.7.1
v1.7.0
v1.7.0-rc3
v1.6.4
v1.7.0-rc2
v1.6.3
v1.7.0-rc1
v1.7.0-dev
v1.6.2
v1.6.1
v1.6.0
v1.6.0-rc2
v1.5.3
v1.6.0-rc1
v1.6.0-dev
v1.5.2
v1.5.1
v1.5.0
v1.5.0-rc2
v1.5.0-rc1
v1.5.0-dev
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.4.0-rc3
v1.4.0-rc2
v1.3.3
v1.4.0-rc1
v1.3.2
v1.3.1
v1.3.0
v1.3.0-rc2
v1.3.0-rc1
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.2.0-rc3
v1.2.0-rc2
v1.1.4
v1.2.0-rc1
v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.2
v1.0.1
v1.0.0
v0.9.99
Labels
Clear labels
$20
$250
$50
$500
backport/done
💎 Bounty
docs-update-needed
good first issue
hacktoberfest
issue/bounty
issue/confirmed
issue/critical
issue/duplicate
issue/needs-feedback
issue/not-a-bug
issue/regression
issue/stale
issue/workaround
lgtm/need 2
modifies/api
modifies/translation
outdated/backport/v1.18
outdated/theme/markdown
outdated/theme/timetracker
performance/bigrepo
performance/cpu
performance/memory
performance/speed
pr/breaking
proposal/accepted
proposal/rejected
pr/wip
pull-request
reviewed/wontfix
💰 Rewarded
skip-changelog
status/blocked
topic/accessibility
topic/api
topic/authentication
topic/build
topic/code-linting
topic/commit-signing
topic/content-rendering
topic/deployment
topic/distribution
topic/federation
topic/gitea-actions
topic/issues
topic/lfs
topic/mobile
topic/moderation
topic/packages
topic/pr
topic/projects
topic/repo
topic/repo-migration
topic/security
topic/theme
topic/ui
topic/ui-interaction
topic/ux
topic/webhooks
topic/wiki
type/bug
type/deprecation
type/docs
type/enhancement
type/feature
type/miscellaneous
type/proposal
type/question
type/refactoring
type/summary
type/testing
type/upstream
Mirrored from GitHub Pull Request
No Label
type/question
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/gitea#3789
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @ArchangeGabriel on GitHub (Aug 15, 2019).
Everything is in the title, in contrary to all previous versions since I started packaging Gitea for ArchLinux, this is the first one where the tag/release is not PGP signed. Is it expected? Can you fix that? Thanks.
@sapk commented on GitHub (Aug 15, 2019):
I think it just that it is an other @go-gitea/owners that make this tag and he doesn't use gpg generally. I don't think we enforce gpg on tag. It was just the the owners that previously done the tags use it.
@sapk commented on GitHub (Aug 15, 2019):
The binary is still signed.
@sapk commented on GitHub (Aug 15, 2019):
For insight, on discord maintainer channel I suggest to let as it is instead of re-tagging 1.9.1 and plan to release 1.9.2 soon as they are already fixes after 1.9.1.
@lunny commented on GitHub (Aug 15, 2019):
@sapk I always use gpg when I commit but missed tag. :(
@ArchangeGabriel Sorry for that and except the tag PGP signature, all binaries have signatures.
@ArchangeGabriel commented on GitHub (Aug 15, 2019):
Of course, but we don’t package from binaries, we always build from sources. ;)
I’m not in favour of re-tagging either actually, because this is generally a bad practice (though some of the common issues with that would not apply here, since the same commit would be tagged).
I’ll disable signature checking for this one specific update, but would appreciate if you release process actually includes enforcing signing the tag in the future. ;) Since you already do for all binaries artifacts, this should not be a big deal. :)
@anthraxx commented on GitHub (Aug 15, 2019):
Just a tiny hint, but one could also upload detatched signatures for the github source tarballs. This could even be done without re-tagging anything 😸
@sapk commented on GitHub (Aug 15, 2019):
Maybe we should add this issue to milestone 1.9.2 so that we indicate it in changelog as kind of fix from previous release and close it when 1.9.2 is release.
@techknowlogick commented on GitHub (Aug 22, 2019):
Closed as new tag released and it is signed.
@ArchangeGabriel commented on GitHub (Aug 25, 2019):
@lunny I can’t find your public key anywhere, and https://github.com/lunny.gpg is broken. Can you upload it to a keyserver?
@sapk commented on GitHub (Aug 25, 2019):
The public key should be accessible here : https://pgp.mit.edu/pks/lookup?op=vindex&fingerprint=on&search=0x2D9AE806EC1592E2
@ArchangeGabriel commented on GitHub (Aug 25, 2019):
@sapk That’s not @lunny key.
@sapk commented on GitHub (Aug 25, 2019):
Sorry I read to quickly.
@lunny commented on GitHub (Aug 25, 2019):
@ArchangeGabriel It's strange https://github.com/lunny.gpg return:
@sapk The tag is not signed by giteabot, but publishers. I tagged v1.9.2 and it displayed well.
@ArchangeGabriel maybe it's github's problem?
@ArchangeGabriel commented on GitHub (Aug 31, 2019):
Yes, GitHub is able to verify your signature but not to verify it. That is likely a bug on their side, but they are other places where you could upload your public key. :) Starting by this actual thread. ;)
@ArchangeGabriel commented on GitHub (Jan 3, 2020):
@lunny I still can’t found your key anywhere. Can you upload your public key somewhere accessible please? :)
@ArchangeGabriel commented on GitHub (Jan 3, 2020):
(Or just reupload it on GitHub as instructed by https://github.com/lunny.gpg)
@lunny commented on GitHub (Jan 3, 2020):
Let me try.
@lunny commented on GitHub (Jan 3, 2020):
@ArchangeGabriel After I readded the same gpg public key, it's now OK.
@ArchangeGabriel commented on GitHub (Jan 3, 2020):
@lunny Thanks, perfect. :)