WARNING! Although there is a key with this ID in the database it does not verify this commit! This commit is SUSPICIOUS. #16344
Comments
|
But I can confirm with 1.14.3, that commits correctly signed are marked as invalid signed occasionally. |
|
Yes. I added the key to my Gitea account. Next time I make an commit, I'll try to catch the logs.
Get Outlook for Android<https://aka.ms/AAb9ysg>
…________________________________
From: Norwin ***@***.***>
Sent: Saturday, July 10, 2021 11:02:46 AM
To: go-gitea/gitea ***@***.***>
Cc: Lukas Eßmann ***@***.***>; Mention ***@***.***>
Subject: Re: [go-gitea/gitea] WARNING! Although there is a key with this ID in the database it does not verify this commit! This commit is SUSPICIOUS. (#16344)
Did you add that GPG key to your Gitea account?
But I can confirm with 1.14.3, that commits correctly signed are marked as invalid signed occasionally.
The key is added to the account, locally the commit signature is still valid.
I didn't catch the logs the last time this happened, but will do in the future.
@TheBinaryLoop<https://github.com/TheBinaryLoop> do you still have logs from when this happened?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#16344 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ADGS77FSVM7JRRBGZKMGBCDTXAEDNANCNFSM473NIIYA>.
|
|
@TheBinaryLoop I"m seeing the same issue here. I haven't managed to capture any logs though. Have you? |
|
@techknowlogick Appreicate you closing my issue so promptly, but I'd like to help resolve this. I'm a bit puzzled myself 🤣 |
|
@prologic No. Do I need to enable some flag or something? I just get the default log. I can try and capture the log while I push a commit. Or do I need to capture the log at some other point? |
What's not clear to ms is whether the Gitea backend needs to be setup with debug logging or not? I would have thought if something bad happened you'd get a warning or error level log entry, but I can't seem to find one. |
|
@prologic That's my problem as well |
|
@techknowlogick We could really use some help here, as I'm unfamiliar with the project's codebase it's hard for me to work out why this is happening to us. |
|
I'm not sure if more verbose logging is needed for this, but I'd enable it just in case: edit: Looking at the failing code section, I'm wondering if the key you used for those "bad" commits is a subkey? |
|
I just reconfigured my instance with debug logging turned on, did a commit to one of my private repos and pushed. This is what I got: |
|
There is no mention of any problems with my GPG key. And this is what |
|
Hm, looks like logging is not especially verbose in that section of code. :/ @prologic This occurs for every commit you sign right? For me this just happened occasionally, seemlingly random.
|
Yes.
No.
Does it matter that the email associated with that key is not marked as my primary email in Gitea? |
|
Did you add the key before activating the email address? We might have a inconsistent DB here.
No, not to my knowledge |
Hahaha yes! I did indeed! It took awhile for me to "confirm" my secondary email as I hadn't setup email properly. Although it accepts the first email without verification for some reason :D Can I just delete the GPG key and re-add it? Will that resolve this? If so, I claim this as a bug ;) A race! |
|
Bingo! |
|
I fixed my database 🤣
Not something I'd recommend anyone do unless you really know your SQL and know what you're doing 😂 |
|
Nice. Readding the key would also have worked. |
|
Once we finally have #14054 the key will show which addresses it validates for. As an addtion we should probably also store all the email addresses that a key could validate even if they're not currently activated and just check that they're activated at the time of validation. |
Yeah you need some kind of background job here to periodically check this, or a trigger off of validating en email. Doing this around the wrong way (unintentional stupid user) ends up in this weird situation that was rather hard to debug because of the obscure error 😄 |
Yes. I manually updated the db via sql and now it shows correctly in the ui. Thanks guys 😄 |
|
@zeripath Why did you close this? This is not fixed. This is a bug in the code at best, at worst lacking documentation. Please reopen and let's get some code in to fix this. Thanks! 🙇♂️ |
|
Have you looked at 1.15 since #14054 has been merged? The addresses that the key will validate for are now displayed and you can verify the key to make it work for any activated email address. There's a smaller issue about storing all the addresses that a key could verify for - but actually just reimporting the key now it shows what it verifies is probably going to solve that. |
Ahh! You could have said so with a comment and then closed :) All good! THanks! |
[x]):I don't know how logs would help with this issue but if its necessary i will provide logs.
Description
I added my gpg key and signed a commit with it. Localy i can verify the commit with git verify-commit HEAD but in the webinterface it shows as "WARNING! Although there is a key with this ID in the database it does not verify this commit! This commit is SUSPICIOUS.".
Screenshots
The text was updated successfully, but these errors were encountered: