GPG keys with revoked email addresses cannot be verified #917

New Issue

Closed

opened 2025-11-02 03:41:24 -06:00 by GiteaMirror · 10 comments

GiteaMirror commented 2025-11-02 03:41:24 -06:00

Owner

Copy Link

Originally created by @mxmehl on GitHub (Jul 25, 2017).

• Gitea version (or commit ref): dde0052
• Git version: 2.1.4
• Operating system: Debian 8
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant

Description

Users cannot add their GPG keys if it contains a revoked email address/UID. Gitea requires them to verify this email address although it's revoked and possible not accessible anymore.

This bug was reported by a user of git.fsfe.org. His key is 0x8018F380D795A951, and the @fastmail.fm UID is revoked.

Originally created by @mxmehl on GitHub (Jul 25, 2017). - Gitea version (or commit ref): dde0052 - Git version: 2.1.4 - Operating system: Debian 8 - Database (use `[x]`): - [ ] PostgreSQL - [x] MySQL - [ ] MSSQL - [ ] SQLite - Can you reproduce the bug at https://try.gitea.io: - [ ] Yes (provide example URL) - [ ] No - [x] Not relevant ## Description Users cannot add their GPG keys if it contains a revoked email address/UID. Gitea requires them to verify this email address although it's revoked and possible not accessible anymore. This bug was reported by a user of git.fsfe.org. His key is [0x8018F380D795A951](http://http-keys.gnupg.net/pks/lookup?op=vindex&search=0x8018F380D795A951), and the @fastmail.fm UID is revoked.

GiteaMirror added the lgtm/need 2type/bug labels 2025-11-02 03:41:24 -06:00

GiteaMirror closed this issue 2025-11-02 03:41:24 -06:00

GiteaMirror commented 2025-11-02 03:41:25 -06:00

Author

Owner

Copy Link

@sapk commented on GitHub (Jul 25, 2017):

Don't know how github handle thoses corner cases.

@sapk commented on GitHub (Jul 25, 2017): Don't know how github handle thoses corner cases.

GiteaMirror commented 2025-11-02 03:41:25 -06:00

Author

Owner

Copy Link

@mxmehl commented on GitHub (Jul 25, 2017):

Am 25.07.2017 um 14:54 schrieb Antoine GIRARD:

Don't know how github handle thoses corner cases.

AFAIK, Github doesn't even verify all email addresses which is bad from
the security perspective. I think there's another recent GPG issue here
where this has been elaborated (cannot access the issues right now).

@mxmehl commented on GitHub (Jul 25, 2017): Am 25.07.2017 um 14:54 schrieb Antoine GIRARD: > Don't know how github handle thoses corner cases. AFAIK, Github doesn't even verify all email addresses which is bad from the security perspective. I think there's another recent GPG issue here where this has been elaborated (cannot access the issues right now).

GiteaMirror commented 2025-11-02 03:41:25 -06:00

Author

Owner

Copy Link

@lafriks commented on GitHub (Jul 25, 2017):

@sapk in GPG public key there is info that this email has been revoked so they just need to be ignored

@lafriks commented on GitHub (Jul 25, 2017): @sapk in GPG public key there is info that this email has been revoked so they just need to be ignored

GiteaMirror commented 2025-11-02 03:41:25 -06:00

Author

Owner

Copy Link

@sapk commented on GitHub (Jul 25, 2017):

I will try to setup a repo to view how others solutions handler thoses corners.
More generaly, GPG capabality needs to be more tested especially for corner cases. If you have more example, it would be really helpfull to write some test. I will take time to implement the fixes.

@sapk commented on GitHub (Jul 25, 2017): I will try to setup a repo to view how others solutions handler thoses corners. More generaly, GPG capabality needs to be more tested especially for corner cases. If you have more example, it would be really helpfull to write some test. I will take time to implement the fixes.

GiteaMirror commented 2025-11-02 03:41:25 -06:00

Author

Owner

Copy Link

@mxmehl commented on GitHub (Jul 28, 2017):

I don't know about many corner cases Gitea would have to take care of:

• Gitea should ignore verification of revoked email UIDs
• What does Gitea do if a GPG key expires? Does it even accept expired GPG keys?

@mxmehl commented on GitHub (Jul 28, 2017): I don't know about many corner cases Gitea would have to take care of: - Gitea should ignore verification of revoked email UIDs - What does Gitea do if a GPG key expires? Does it even accept expired GPG keys?

GiteaMirror commented 2025-11-02 03:41:26 -06:00

Author

Owner

Copy Link

@sapk commented on GitHub (Jul 28, 2017):

Most of the checkup at import is done here : 1721cf474e/models/gpg_key.go (L178)

• Totally ok, this should be modify here and check Signatures
• So a expired key could be imported and the VerifySignature used to check commit sign doesn't seems to check up expiration time of key it rely on Verify method of each algo. I will need to add the checkup that the commit is in the period of validity of the key but we should keep being able to import old key for history.

@sapk commented on GitHub (Jul 28, 2017): Most of the checkup at import is done here : https://github.com/sapk-fork/gitea/blob/1721cf474e23675be714cc59593b74cb2a6c1682/models/gpg_key.go#L178 - Totally ok, this should be modify [here](https://github.com/sapk-fork/gitea/blob/1721cf474e23675be714cc59593b74cb2a6c1682/models/gpg_key.go#L213) and check [Signatures](https://godoc.org/golang.org/x/crypto/openpgp#Identity) - So a expired key could be imported and the [VerifySignature](https://godoc.org/golang.org/x/crypto/openpgp/packet#PublicKey.VerifySignature) used to check commit sign doesn't seems to check up expiration time of key it rely on [Verify](https://godoc.org/crypto/ecdsa#Verify) method of each algo. I will need to add the checkup that the commit is in the period of validity of the key but we should keep being able to import old key for history.

GiteaMirror commented 2025-11-02 03:41:26 -06:00

Author

Owner

Copy Link

@bkcsoft commented on GitHub (Aug 24, 2017):

GitLab just added GPG verification in 9.5. It only allows you to add GPG-keys which has a registered and valid email, and the GPG key has to be valid (not expired).

@bkcsoft commented on GitHub (Aug 24, 2017): GitLab just added GPG verification in 9.5. It only allows you to add GPG-keys which has a registered and valid email, and the GPG key has to be valid (not expired).

GiteaMirror commented 2025-11-02 03:41:26 -06:00

Author

Owner

Copy Link

@sapk commented on GitHub (Aug 24, 2017):

The problem here is that you can have multiple email attached to one gpg key. We you could have one valid email and other not. We just need to validate commit only for valid email one.

@sapk commented on GitHub (Aug 24, 2017): The problem here is that you can have multiple email attached to one gpg key. We you could have one valid email and other not. We just need to validate commit only for valid email one.

GiteaMirror commented 2025-11-02 03:41:26 -06:00

Author

Owner

Copy Link

@mxmehl commented on GitHub (Aug 24, 2017):

We just need to validate commit only for valid email one.

That, and Gitea also has to deal with revoked email addresses (which is different from expired).

@mxmehl commented on GitHub (Aug 24, 2017): > We just need to validate commit only for valid email one. That, and Gitea also has to deal with revoked email addresses (which is different from expired).

GiteaMirror commented 2025-11-02 03:41:26 -06:00

Author

Owner

Copy Link

@sapk commented on GitHub (Aug 24, 2017):

I rely on on IsActivated for using the key/email combinaison and VerifySignature of opengpg lib to validate the hash. With #2266 you should be able to add a gpg key a revoked email (just need at least another one valid) and only the valid email could be sign.

I added integration test in PR but not for revoked key. I add later in another PR to don't have regression but this should work.

@sapk commented on GitHub (Aug 24, 2017): I rely on on IsActivated for using the key/email combinaison and VerifySignature of opengpg lib to validate the hash. With #2266 you should be able to add a gpg key a revoked email (just need at least another one valid) and only the valid email could be sign. I added integration test in PR but not for revoked key. I add later in another PR to don't have regression but this should work.

GiteaMirror referenced this issue 2025-11-02 11:51:32 -06:00

[PR #917] [MERGED] feat: support search bar on star tab of user profile. #15651

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

release/v1.25

release/v1.24

release/v1.23

release/v1.22

release/v1.21

release/v1.20

release/v1.19

release/v1.18

release/v1.17

release/v1.16

release/v1.15

release/v1.14

release/v1.13

release/v1.12

release/v1.11

release/v1.10

release/v1.9

release/v1.8

v1.25.3

v1.25.2

v1.25.1

v1.25.0

v1.24.7

v1.25.0-rc0

v1.26.0-dev

v1.24.6

v1.24.5

v1.24.4

v1.24.3

v1.24.2

v1.24.1

v1.24.0

v1.23.8

v1.24.0-rc0

v1.25.0-dev

v1.23.7

v1.23.6

v1.23.5

v1.23.4

v1.23.3

v1.23.2

v1.23.1

v1.23.0

v1.23.0-rc0

v1.24.0-dev

v1.22.6

v1.22.5

v1.22.4

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.23.0-dev

v1.22.0-rc1

v1.21.11

v1.22.0-rc0

v1.21.10

v1.21.9

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.20.6

v1.21.1

v1.21.0

v1.21.0-rc2

v1.21.0-rc1

v1.20.5

v1.22.0-dev

v1.21.0-rc0

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.4

v1.21.0-dev

v1.20.0-rc2

v1.20.0-rc1

v1.20.0-rc0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.19.0-rc1

v1.20.0-dev

v1.19.0-rc0

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.4

v1.18.0-rc1

v1.19.0-dev

v1.18.0-rc0

v1.17.3

v1.17.2

v1.17.1

v1.17.0

v1.17.0-rc2

v1.16.9

v1.17.0-rc1

v1.18.0-dev

v1.16.8

v1.16.7

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.11

v1.17.0-dev

v1.16.0-rc1

v1.15.10

v1.15.9

v1.15.8

v1.15.7

v1.15.6

v1.15.5

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.14.7

v1.15.0

v1.15.0-rc3

v1.14.6

v1.15.0-rc2

v1.14.5

v1.16.0-dev

v1.15.0-rc1

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.7

v1.14.0-rc2

v1.13.6

v1.13.5

v1.14.0-rc1

v1.15.0-dev

v1.13.4

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.6

v1.13.0-rc2

v1.14.0-dev

v1.13.0-rc1

v1.12.5

v1.12.4

v1.12.3

v1.12.2

v1.12.1

v1.11.8

v1.12.0

v1.11.7

v1.12.0-rc2

v1.11.6

v1.12.0-rc1

v1.13.0-dev

v1.11.5

v1.11.4

v1.11.3

v1.10.6

v1.12.0-dev

v1.11.2

v1.10.5

v1.11.1

v1.10.4

v1.11.0

v1.11.0-rc2

v1.10.3

v1.11.0-rc1

v1.10.2

v1.10.1

v1.10.0

v1.9.6

v1.9.5

v1.10.0-rc2

v1.11.0-dev

v1.10.0-rc1

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.9.0-rc2

v1.10.0-dev

v1.9.0-rc1

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.8.0-rc3

v1.7.6

v1.8.0-rc2

v1.7.5

v1.8.0-rc1

v1.9.0-dev

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.7.0-rc3

v1.6.4

v1.7.0-rc2

v1.6.3

v1.7.0-rc1

v1.7.0-dev

v1.6.2

v1.6.1

v1.6.0

v1.6.0-rc2

v1.5.3

v1.6.0-rc1

v1.6.0-dev

v1.5.2

v1.5.1

v1.5.0

v1.5.0-rc2

v1.5.0-rc1

v1.5.0-dev

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.4.0-rc3

v1.4.0-rc2

v1.3.3

v1.4.0-rc1

v1.3.2

v1.3.1

v1.3.0

v1.3.0-rc2

v1.3.0-rc1

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.2.0-rc3

v1.2.0-rc2

v1.1.4

v1.2.0-rc1

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.2

v1.0.1

v1.0.0

v0.9.99

Labels

Clear labels

$20

$250

$50

$500

backport/done

💎 Bounty

docs-update-needed

good first issue

hacktoberfest

issue/bounty

issue/confirmed

issue/critical

issue/duplicate

issue/needs-feedback

issue/not-a-bug

issue/regression

issue/stale

issue/workaround

lgtm/need 2

modifies/api

modifies/translation

outdated/backport/v1.18

outdated/theme/markdown

outdated/theme/timetracker

performance/bigrepo

performance/cpu

performance/memory

performance/speed

pr/breaking

proposal/accepted

proposal/rejected

pr/wip

pull-request

Mirrored from GitHub Pull Request

reviewed/wontfix

💰 Rewarded

skip-changelog

status/blocked

topic/accessibility

topic/api

topic/authentication

topic/build

topic/code-linting

topic/commit-signing

topic/content-rendering

topic/deployment

topic/distribution

topic/federation

topic/gitea-actions

topic/issues

topic/lfs

topic/mobile

topic/moderation

topic/packages

topic/pr

topic/projects

topic/repo

topic/repo-migration

topic/security

topic/theme

topic/ui

topic/ui-interaction

topic/ux

topic/webhooks

topic/wiki

type/bug

type/deprecation

type/docs

type/enhancement

type/feature

type/miscellaneous

type/proposal

type/question

type/refactoring

type/summary

type/testing

type/upstream

No Label lgtm/need 2 type/bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/gitea#917