
Keys should not verify revoked email addresses #12486

Merged
merged 2 commits into from
Aug 16, 2020

Conversation

zeripath
Contributor

When adding gpg keys, if the identity has been revoked do not match it with email addresses.

Fix #6778

Signed-off-by: Andrew Thornton [email protected]

@zeripath zeripath added this to the 1.13.0 milestone Aug 13, 2020
@zeripath zeripath mentioned this pull request Aug 13, 2020
@codecov-commenter

codecov-commenter commented Aug 13, 2020

Codecov Report

Merging #12486 into master will increase coverage by 0.01%.
The diff coverage is 0.00%.


@@            Coverage Diff             @@
##           master   #12486      +/-   ##
==========================================
+ Coverage   43.73%   43.75%   +0.01%     
==========================================
  Files         631      631              
  Lines       69871    69873       +2     
==========================================
+ Hits        30560    30570      +10     
+ Misses      34352    34348       -4     
+ Partials     4959     4955       -4     
Impacted Files Coverage Δ
models/gpg_key.go 54.58% <0.00%> (-0.22%) ⬇️
models/unit.go 45.07% <0.00%> (-2.82%) ⬇️
services/pull/pull.go 42.03% <0.00%> (+0.46%) ⬆️
modules/log/event.go 57.54% <0.00%> (+0.94%) ⬆️
modules/git/repo.go 50.25% <0.00%> (+1.01%) ⬆️
modules/indexer/stats/db.go 52.17% <0.00%> (+8.69%) ⬆️
modules/indexer/stats/queue.go 76.47% <0.00%> (+23.52%) ⬆️


@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Aug 13, 2020
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Aug 15, 2020
@zeripath
Contributor Author

zeripath commented Aug 15, 2020

I think we need to double check against what GH does for revoked IDs. There's an issue with the way GH uses git signatures here - it uses them as committer verification and therefore a signature matching a revoked email address is not necessarily incorrect.


Looks like this PR replicates this behaviour:

https://docs.github.com/en/github/authenticating-to-github/troubleshooting-commit-signature-verification

and is therefore correct.

@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Aug 15, 2020
@zeripath zeripath merged commit f50364a into go-gitea:master Aug 16, 2020
@zeripath zeripath deleted the fix-6778-disallow-revoked branch August 16, 2020 08:44
zeripath added a commit to zeripath/gitea that referenced this pull request Aug 16, 2020
@zeripath
Contributor Author

It's worth noting that this will only result in non-verification if and only if the key does not match any other email address for the user.

(Remember that Signature Verification in Gitea does not currently match GitHub: GitHub's signature verification is only committer verification; we have a slightly different model.)
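The behaviour the PR and the comment above describe, as an added example in Go that is not Gitea's own code: a key's revoked user IDs are skipped when matching the user's email addresses, so a commit signed under a revoked address stops verifying only when no other, still-valid UID on the key covers it. The `Identity`, `GPGKey`, `KeyEmails` and `CommitVerifies` names, the case-insensitive address comparison and the sample key are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Identity models one user ID on an OpenPGP key (simplified, hypothetical struct).
type Identity struct {
	Email   string
	Revoked bool // true when the UID carries a revocation self-signature
}

// GPGKey models an uploaded key as a key ID plus its user IDs (hypothetical struct).
type GPGKey struct {
	KeyID      string
	Identities []Identity
}

// KeyEmails returns, in input order, the user's verified addresses that a
// non-revoked identity on the key also names. Revoked UIDs are skipped even
// when their address belongs to the user (addresses compared case-insensitively).
func KeyEmails(key GPGKey, userEmails []string) []string {
	var out []string
	for _, e := range userEmails {
		for _, id := range key.Identities {
			if id.Revoked {
				continue // a revoked UID never vouches for an address
			}
			if strings.EqualFold(id.Email, e) {
				out = append(out, e)
				break
			}
		}
	}
	return out
}

// CommitVerifies reports whether a commit committed as committerEmail and
// signed with key counts as verified for this user: the committer address
// must be one the key still vouches for.
func CommitVerifies(key GPGKey, userEmails []string, committerEmail string) bool {
	for _, e := range KeyEmails(key, userEmails) {
		if strings.EqualFold(e, committerEmail) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: one revoked UID and one valid UID, both owned by the user.
	key := GPGKey{KeyID: "EXAMPLEKEYID", Identities: []Identity{
		{Email: "old@example.com", Revoked: true}, {Email: "new@example.com"}}}
	user := []string{"old@example.com", "new@example.com"}
	fmt.Println(KeyEmails(key, user))                         // [new@example.com]
	fmt.Println(CommitVerifies(key, user, "old@example.com")) // false
	fmt.Println(CommitVerifies(key, user, "new@example.com")) // true
}
```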

techknowlogick pushed a commit that referenced this pull request Aug 17, 2020
Backport #12486

Fix #6778

Signed-off-by: Andrew Thornton <[email protected]>

Co-authored-by: Lunny Xiao <[email protected]>
@zeripath zeripath added the backport/done All backports for this PR have been created label Aug 22, 2020
@zeripath zeripath mentioned this pull request Oct 21, 2020
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020
Successfully merging this pull request may close these issues.

GPG not using correct UID