GPGkeys: subkeys are not imported/used #5682

Closed
opened 2025-11-02 06:32:57 -06:00 by GiteaMirror · 16 comments

Originally created by @Torstein-Eide on GitHub (Jul 3, 2020).

Description

If you add a subkey to a master GPG keyring, the subkey is not picked up by Gitea; this gives the error "WARNING! Although there is a key with this ID in the database it does not verify this commit! This commit is SUSPICIOUS."

In comparison, GitHub correctly sees all keys.

````shell
gpg --list-secret-keys --keyid-format LONG
/home/torstein/.gnupg/pubring.kbx
---------------------------------
sec   rsa4096/44196C77FBD6EF95 2020-07-02 [SC] [utgår: 2025-07-01]
      DD88FD4E5E767E7BF8414CF444196C77FBD6EF95
uid                [  fullst.] Torstein Eide (github) <1884894+Eideen@users.noreply.github.com>
uid                [  fullst.] alt <work mail>
uid                [  fullst.] alt3 <...@gmail.com>
ssb   rsa4096/29351BDD6590C2C3 2020-07-02 [E] [utgår: 2025-07-01]
ssb   rsa4096/2A457BC93D9A1F44 2020-07-03 [S]
ssb   rsa4096/AF31EBDABBF1C86B 2020-07-03 [E]
````

- Gitea version (or commit ref): 1.13.0
- Git version: 2.25.1
- Operating system: Ubuntu 20.04
- Database (use `[x]`):
  - [ ] PostgreSQL
  - [x] MySQL
  - [ ] MSSQL
  - [ ] SQLite
- Can you reproduce the bug at https://try.gitea.io:
  - [x] Yes
    - https://try.gitea.io/torsteintest/test/commit/dcfd271a2e0e9740cd562cf238421f8f63847025
    - https://github.com/Eideen/test1/commits/master
  - [ ] No
  - [ ] Not relevant
- Log gist:

GiteaMirror added the type/bug label 2025-11-02 06:32:57 -06:00

@zeripath commented on GitHub (Jul 4, 2020):

Hmm I was sure I'd fixed this recently...

When did you add that key to the database?

I'll take another look though


@Torstein-Eide commented on GitHub (Jul 5, 2020):

I tested adding it before and after doing the commit.


@zeripath commented on GitHub (Jul 5, 2020):

Interesting when I add this key on my local testing service this works.


@zeripath commented on GitHub (Jul 5, 2020):

That is the key obtained from https://github.com/Eideen.gpg


@Torstein-Eide commented on GitHub (Jul 5, 2020):

> Interesting when I add this key on my local testing service this works.

I have tested now with master, and 12.1 on my local service, and I get the same result, where it is marked as SUSPICIOUS.

Are there any other settings related to PGP?

> That is the key obtained from https://github.com/Eideen.gpg

That key is correct.


@zeripath commented on GitHub (Jul 5, 2020):

Have you set the email address as per the key?


@zeripath commented on GitHub (Jul 5, 2020):

The user has to have the email address of at least one of the key's email addresses listed as theirs.


@zeripath commented on GitHub (Jul 5, 2020):

Given that that key only has "1884894+eideen@users.noreply.github.com" as an email address, you must add that as at least a secondary email address to the user.


@Torstein-Eide commented on GitHub (Jul 5, 2020):

I tested it again with a new key and only using one email.

It works with the main key.

````bash
/home/torstein/.gnupg/pubring.kbx
---------------------------------
sec   rsa4096/51BB0AFBAA3C45CC 2020-07-05 [SC]
      E19FF5319D2076A7792BCC4751BB0AFBAA3C45CC
uid                [  fullst.] Torstein Eide <...@gmail.com>
ssb   rsa4096/07869FDB3DB88711 2020-07-05 [E]
````

But when I add a new ssb key it gives an error:

````bash
/home/torstein/.gnupg/pubring.kbx
---------------------------------
sec   rsa4096/51BB0AFBAA3C45CC 2020-07-05 [SC]
      E19FF5319D2076A7792BCC4751BB0AFBAA3C45CC
uid                [  fullst.] Torstein Eide <...@gmail.com>
ssb   rsa4096/07869FDB3DB88711 2020-07-05 [E]
ssb   rsa4096/1CF209566DC957DE 2020-07-05 [S] [utgår: 2071-01-08]
````

@zeripath commented on GitHub (Jul 5, 2020):

An example would be useful - if only so I can test this.


@Torstein-Eide commented on GitHub (Jul 5, 2020):

> An example would be useful - if only so I can test this.

https://try.gitea.io/torsteintest/test2/commits/branch/master


@zeripath commented on GitHub (Jul 5, 2020):

![Screenshot from 2020-07-05 19-00-22](https://user-images.githubusercontent.com/1824502/86539069-d2211280-bef1-11ea-9a5c-9d477d53d2f0.png)
![Screenshot from 2020-07-05 19-01-08](https://user-images.githubusercontent.com/1824502/86539093-e9f89680-bef1-11ea-81e9-a0588c609a20.png)


@zeripath commented on GitHub (Jul 5, 2020):

The key attached to https://try.gitea.io/torsteintest.gpg still has the 1884894+eideen@users.noreply.github.com email address


@Torstein-Eide commented on GitHub (Jul 5, 2020):

public key for second test

https://pastebin.com/uQa9jsH4


@zeripath commented on GitHub (Jul 5, 2020):

OK I've replicated - Thanks for bearing with this.


@zeripath commented on GitHub (Jul 5, 2020):

Figured it out - the problem is that the email checking is attached to the primary key not the subkey.
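
The diagnosis above, as an added example that is not part of the original thread and is not Gitea's code: user IDs, and so email addresses, are bound to the primary key, so a check that accepts signing subkeys has to resolve the subkey to its primary key before comparing emails with the account's verified addresses. The listing is a constructed, trimmed sample in `gpg --with-colons` layout using the key IDs from the second test; the email address, `parseKeyring` and `signerAllowed` are hypothetical, and expiry and revocation are ignored.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample in `gpg --with-colons` layout: key IDs from the issue, placeholder email.
const sampleKeyring = `pub:u:4096:1:51BB0AFBAA3C45CC:1593907200:::u:::scESC:
uid:u::::1593907200::::Torstein Eide <user@example.com>:
sub:u:4096:1:07869FDB3DB88711:1593907200::::::e:
sub:u:4096:1:1CF209566DC957DE:1593907200::::::s:`

type keyInfo struct{ primary, caps string }
type uidKey struct{ keyID, email string }

// parseKeyring maps key IDs to primary key and capabilities, and primary keys to user-ID emails.
func parseKeyring(listing string) (map[string]keyInfo, map[uidKey]bool) {
	keys, emails, primary := map[string]keyInfo{}, map[uidKey]bool{}, ""
	for _, line := range strings.Split(listing, "\n") {
		f := strings.Split(line, ":")
		if len(f) > 11 && (f[0] == "pub" || f[0] == "sub") {
			if f[0] == "pub" {
				primary = f[4]
			}
			keys[f[4]] = keyInfo{primary, f[11]} // field 5: key ID, field 12: capabilities
		} else if len(f) > 9 && f[0] == "uid" {
			if i, j := strings.LastIndex(f[9], "<"), strings.LastIndex(f[9], ">"); i >= 0 && j > i {
				emails[uidKey{primary, strings.ToLower(f[9][i+1 : j])}] = true
			}
		}
	}
	return keys, emails
}

// signerAllowed (hypothetical) resolves the signing key to its primary before the email check.
func signerAllowed(listing, signerID string, verified []string) bool {
	keys, emails := parseKeyring(listing)
	k := keys[signerID] // zero value (no capabilities) if the key is unknown
	for _, addr := range verified {
		if strings.Contains(k.caps, "s") && emails[uidKey{k.primary, strings.ToLower(addr)}] {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println(signerAllowed(sampleKeyring, "1CF209566DC957DE", []string{"user@example.com"}))
}
```

Looking the email up under the subkey's own ID finds nothing, because the listing attaches no user ID to `1CF209566DC957DE`; only the lookup through `k.primary` succeeds.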


Reference: github-starred/gitea#5682