Commits which include encoding header fail to verify when otherwise valid
#30119
Comments
|
Fixed in #30174 |
KN4CK3R
added a commit
that referenced
this issue
Mar 29, 2024
Fixes #30119 Include the encoding in the signature payload. before  after 
GiteaBot
pushed a commit
to GiteaBot/gitea
that referenced
this issue
Mar 29, 2024
Fixes go-gitea#30119 Include the encoding in the signature payload. before  after 
GiteaBot
pushed a commit
to GiteaBot/gitea
that referenced
this issue
Mar 29, 2024
Fixes go-gitea#30119 Include the encoding in the signature payload. before  after 
silverwind
pushed a commit
that referenced
this issue
Mar 29, 2024
Backport #30174 by @KN4CK3R Fixes #30119 Include the encoding in the signature payload. before  after  Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
lunny
pushed a commit
that referenced
this issue
Apr 1, 2024
Backport #30174 by @KN4CK3R Fixes #30119 Include the encoding in the signature payload. before  after  --------- Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
Hello! I'm an engineer on the Nova project, an IDE for the Mac. As a tiny bit of context that becomes important later, we use libgit2 for our Git integration.
We received a report that a user who utilizes SSH keys for commit signing was seeing those made in Nova as invalid in Gitea. After some diagnosis, we found that the Git CLI was showing them as valid, but not once pushed to Gitea. We were then able to replicate this same behavior in our testing instance of Gitea 1.21.8.
After looking deeper, it seems that the only difference between commits made with the Git CLI and Nova is that those from Nova/libgit2 include an
encodingheader in the commit object, set toUTF-8. As far as I've been able to determine, this is the default value from Git's spec, and presumably the Git CLI just never includes it for succinctness. libgit2, however, is including it always.If we disable inclusion of that header, Gitea will validate the commits just fine, the same as those from the Git CLI.
I am not versed in Go code at all (so please forgive me!) but I think I've traced the issue to somewhere around this chunk of code. I'm guessing that either it's not considering any header name which it doesn't already handle (and thus is dropping them from the payload that is used for validation) or something similar.
If I've glossed over anything important, just let me know, and thank you to the maintainers for your time!
Gitea Version
1.21.8
Can you reproduce the bug on the Gitea demo site?
Yes
Log Gist
No response
Screenshots
Git Version
2.44.0
Operating System
Linux / Ubuntu in Docker
How are you running Gitea?
We are running the self-installable Gitea instance running in Docker for testing purposes. I am not sure what our reporting user's instance was running in, or whether it was a self-instance or a Cloud / Enterprise instance. If you need, I can have our support team reach out and ask.
Database
SQLite
The text was updated successfully, but these errors were encountered: