ArgoCD complains about revision being unsigned when using a tag

[jzaayman]

Checklist:

• I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
• I've included steps to reproduce the bug.
• I've pasted the output of argocd version.

Describe the bug

If I run kubectl apply using a signed commit and a targetRevision of, e.g. main, it deploys fine. But when I use a targetRevision pointing to a tag (signed or unsigned), I get a 'Target revision in Git is not signed' error. My repo is https://github.com/jjohnson-ah/jjohnson-argocd-tags.

To Reproduce

Generate a GPG key and verify with GitHub. Add the GPG key to ArgoCD and your project in ArgoCD. Create a repo and sign the commit. Deploy and you'll see the deployment is fine. Now create a tag (signed or unsigned) and change targetRevision to the tag. The deployment fails.

Expected behavior

I expect ArgoCD to be satisfied with the signed tag.

Screenshots

Here is the output of pointing to branch main (signed).

Here is the output of pointing to tag ah-tst (signed).

Version

argocd: v2.1.2+7af9dfb.dirty
  BuildDate: 2021-09-02T21:28:55Z
  GitCommit: 7af9dfb3524c13e941ab604e36e49a617fe47d2e
  GitTreeState: dirty
  GoVersion: go1.17
  Compiler: gc
  Platform: darwin/amd64
argocd-server: v2.1.2+7af9dfb
  BuildDate: 2021-09-02T18:05:23Z
  GitCommit: 7af9dfb3524c13e941ab604e36e49a617fe47d2e
  GitTreeState: clean
  GoVersion: go1.16.5
  Compiler: gc
  Platform: linux/amd64
  Ksonnet Version: v0.13.1
  Kustomize Version: v4.2.0 2021-06-30T22:49:26Z
  Helm Version: v3.6.0+g7f2df64
  Kubectl Version: v0.21.0
  Jsonnet Version: v0.17.0

[pasha-codefresh]

hi @jjohnson-ah, Thank you for report an issue. I just checked it and it is working fine in case if the tag is signed. The problem appears if the tag is not signed.

[NikolayMetchev]

We seem to be hitting the same issue even with a signed git tag!

[btrepp]

I believe I am getting this on a branch :)

Status:
  Conditions:
    Last Transition Time:  2022-05-21T07:28:14Z
    Message:               Target revision host in Git is not signed, but a signature is required
    Type:                  ComparisonError
    Last Transition Time:  2022-05-21T07:33:27Z
    Message:               Failed sync attempt to fced4a993eb9f4ae9e9b84717656fab06955b1fa: ComparisonError: Target revision fced4a993eb9f4ae9e9b84717656fab06955b1fa in Git is not signed, but a signature is required (retried 5 times).
    Type:                  SyncError
  Health:
    Status:  Missing

commit fced4a993eb9f4ae9e9b84717656fab06955b1fa (HEAD -> host, origin/host)
gpg: Signature made Sat 26 Mar 2022 17:39:08 AWST
gpg:                using RSA key BF3151F1017B97B86F793B3974E2941721893809
gpg: Good signature from "builds.sr.ht" [full]
Author: builds.sr.ht <builds@sr.ht>
Date:   Sat Mar 26 09:39:08 2022 +0000

    Updated to sha256:987868bb7eec174fb20e893dd525ff493c12fa9e7cb948202ccfcf663959d7ea

At the moment the signing commit (rather than tag) only works for me for HEAD
also seems to occur when trying refs/head/host as the targetRevision

[jannfis]

I just reproduced the issue with a signed tag, however, I couldn't reproduce with a branch.

Gonna dig into this issue.

[jannfis]

Just as a heads-up that I finally came around to dig into this issue, and have a fix for it with #12797