
No PGP signature on 1.9.1 tag/release #7874

Closed
ArchangeGabriel opened this issue Aug 15, 2019 · 14 comments

Comments

@ArchangeGabriel

commented Aug 15, 2019

Everything is in the title: contrary to all previous versions since I started packaging Gitea for ArchLinux, this is the first one where the tag/release is not PGP signed. Is it expected? Can you fix that? Thanks.

@sapk

Member

commented Aug 15, 2019

I think it's just that it is another @go-gitea/owners member who made this tag and he doesn't use gpg generally. I don't think we enforce gpg on tags. It was just that the owners who previously did the tags used it.

@sapk

Member

commented Aug 15, 2019

The binary is still signed.

@lunny lunny added the kind/question label Aug 15, 2019

@sapk

Member

commented Aug 15, 2019

For insight, on the Discord maintainer channel I suggested leaving it as it is instead of re-tagging 1.9.1, and planning to release 1.9.2 soon as there are already fixes after 1.9.1.

@lunny

Member

commented Aug 15, 2019

@sapk I always use gpg when I commit but missed the tag. :(
@ArchangeGabriel Sorry for that, and except for the tag PGP signature, all binaries have signatures.

@ArchangeGabriel

Author

commented Aug 15, 2019

Of course, but we don’t package from binaries, we always build from sources. ;)

I’m not in favour of re-tagging either actually, because this is generally a bad practice (though some of the common issues with that would not apply here, since the same commit would be tagged).

I’ll disable signature checking for this one specific update, but would appreciate it if your release process actually includes enforcing signing the tag in the future. ;) Since you already do for all binary artifacts, this should not be a big deal. :)

@anthraxx


commented Aug 15, 2019

Just a tiny hint, but one could also upload detached signatures for the GitHub source tarballs. This could even be done without re-tagging anything 😸

@sapk

Member

commented Aug 15, 2019

Maybe we should add this issue to milestone 1.9.2 so that we indicate it in the changelog as a kind of fix from the previous release and close it when 1.9.2 is released.

@lunny lunny added this to the 1.9.2 milestone Aug 15, 2019

@techknowlogick

Member

commented Aug 22, 2019

Closed as new tag released and it is signed.

aswild added a commit to aswild/gitea that referenced this issue Aug 25, 2019
Merge tag 'v1.9.2' into wild/v1.9
* BUGFIXES
  * Fix wrong sender when send slack webhook (go-gitea#7918) (go-gitea#7924)
  * Upload support text/plain; charset=utf8 (go-gitea#7899)
  * Lfs/lock: round locked_at timestamp to second (go-gitea#7872) (go-gitea#7875)
  * Fix non existent milestone with 500 error (go-gitea#7867) (go-gitea#7873)
* SECURITY
  * Fix No PGP signature on 1.9.1 tag (go-gitea#7874)
  * Release built with go 1.12.9 to fix security fixes in golang std lib, ref: https://groups.google.com/forum/#!msg/golang-announce/oeMaeUnkvVE/a49yvTLqAAAJ
* ENHANCEMENT
  * Fix pull creation with empty changes (go-gitea#7920) (go-gitea#7926)
* BUILD
  * Drone/docker: prepare multi-arch release + provide arm64 image (go-gitea#7571) (go-gitea#7884)
@ArchangeGabriel

Author

commented Aug 25, 2019

@lunny I can’t find your public key anywhere, and https://github.com/lunny.gpg is broken. Can you upload it to a keyserver?

@sapk

Member

commented Aug 25, 2019

@ArchangeGabriel

Author

commented Aug 25, 2019

@sapk That’s not @lunny's key.

@sapk

Member

commented Aug 25, 2019

Sorry, I read too quickly.

@lunny

Member

commented Aug 25, 2019

@ArchangeGabriel It's strange, https://github.com/lunny.gpg returns:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Note: The keys with the following IDs couldn't be exported and need to be reuploaded C3B7C91B632F738A


=twTO
-----END PGP PUBLIC KEY BLOCK-----

@sapk The tag is not signed by giteabot, but by publishers. I tagged v1.9.2 and it displayed well.


@ArchangeGabriel maybe it's github's problem?
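The key block quoted above is worth a closer look from a packager's side: it has a BEGIN/END armor, an armor header line, and a CRC trailer, but no key material at all. The trailer `=twTO` is exactly the OpenPGP CRC-24 of zero bytes, so a tool that only checks the armor checksum would accept this file and then fail later with an empty keyring. The following script is an added example, not Gitea code or anything posted by the participants; it validates a fetched armored public-key export before it is imported, using the CRC-24 from RFC 4880 section 6.1 and the OpenPGP packet-header tag of the first packet. The broken block is the one from the thread; the "good" input is a constructed dummy packet with a valid public-key packet header (tag 6) and a fake body, used only to exercise the framing checks.

```python
import base64
import binascii

# OpenPGP ASCII-armor CRC-24 (RFC 4880, section 6.1)
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data: bytes) -> int:
    """CRC-24 over data, as used for the '=XXXX' trailer of an armored block."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def crc24_trailer(data: bytes) -> str:
    """The '=XXXX' armor trailer line for data (4 base64 chars of the 3-byte CRC)."""
    return "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()


def armor(packets: bytes) -> str:
    """Wrap raw OpenPGP packets in PUBLIC KEY BLOCK armor (used here to build test input)."""
    body = base64.b64encode(packets).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([BEGIN, ""] + lines + [crc24_trailer(packets), END]) + "\n"


def packet_tag(first_byte: int) -> int:
    """Packet tag from the first byte of an OpenPGP packet header, or -1 if it is not a header."""
    if not first_byte & 0x80:
        return -1
    if first_byte & 0x40:                 # new-format header: tag in the low 6 bits
        return first_byte & 0x3F
    return (first_byte >> 2) & 0x0F       # old-format header: tag in bits 2..5


def check_armored_key(text: str) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only if the block really carries a public-key packet."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or lines[0] != BEGIN:
        return False, "missing BEGIN line"
    if lines[-1] != END:
        return False, "missing END line"
    inner = lines[1:-1]
    if "" not in inner:
        return False, "no blank line separating armor headers from data"
    split = inner.index("")
    headers = inner[:split]
    data_lines = [ln for ln in inner[split + 1:] if ln]
    crc_line = data_lines.pop() if data_lines and data_lines[-1].startswith("=") else None
    if not data_lines:
        # The thread's broken export lands here: a "Note:" header and a CRC, but no packets.
        return False, "empty body: no key packets in block"
    try:
        data = base64.b64decode("".join(data_lines), validate=True)
    except (binascii.Error, ValueError):
        return False, "body is not valid base64"
    if crc_line is not None:
        try:
            stated = int.from_bytes(base64.b64decode(crc_line[1:], validate=True), "big")
        except (binascii.Error, ValueError):
            return False, "CRC-24 trailer is not valid base64"
        if stated != crc24(data):
            return False, "CRC-24 mismatch"
    tag = packet_tag(data[0])
    if tag != 6:
        return False, f"first packet has tag {tag}, expected a public-key packet (tag 6)"
    return True, f"ok: {len(data)} packet bytes, {len(headers)} armor header line(s)"


# The block returned by https://github.com/lunny.gpg, as quoted in the thread above.
BROKEN_EXPORT = """-----BEGIN PGP PUBLIC KEY BLOCK-----
Note: The keys with the following IDs couldn't be exported and need to be reuploaded C3B7C91B632F738A


=twTO
-----END PGP PUBLIC KEY BLOCK-----
"""

# Constructed input: old-format public-key packet header (0x99 = tag 6, two-byte length)
# followed by a dummy 6-byte body. Not a real key; only the packet framing matters here.
DUMMY_PUBKEY_PACKET = b"\x99\x00\x06" + b"\x04\x00\x00\x00\x00\x01"


if __name__ == "__main__":
    print(check_armored_key(BROKEN_EXPORT))
    print(check_armored_key(armor(DUMMY_PUBKEY_PACKET)))
    # "=twTO" is the CRC-24 of zero bytes, so a CRC-only check passes the empty block.
    print(crc24_trailer(b""))
```

The design point is the order of the checks: the body must contain at least one packet before the CRC is even consulted, and the first packet must be a public-key packet, so a secret-key export (tag 5) pasted by mistake is rejected as well. A packager would run this on the downloaded `.gpg`/`.asc` file and only then hand it to `gpg --import`.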

@ArchangeGabriel

Author

commented Aug 31, 2019

Yes, GitHub is able to verify your signature but not to verify it. That is likely a bug on their side, but there are other places where you could upload your public key. :) Starting with this actual thread. ;)
