Gitea: No PGP signature on 1.9.1 tag/release

Created on 15 Aug 2019 · 19 Comments · Source: go-gitea/gitea

Everything is in the title, in contrary to all previous versions since I started packaging Gitea for ArchLinux, this is the first one where the tag/release is not PGP signed. Is it expected? Can you fix that? Thanks.

Label: kind/question

All 19 comments

I think it's just that it was another @go-gitea/owners member who made this tag, and he doesn't use gpg generally. I don't think we enforce gpg on tags. It was just that the owners who previously did the tags used it.

The binary is still signed.

For insight, on the discord maintainer channel I suggested leaving it as it is instead of re-tagging 1.9.1, and planning to release 1.9.2 soon, as there are already fixes after 1.9.1.

@sapk I always use gpg when I commit but missed the tag. :(
@ArchangeGabriel Sorry for that, and except for the tag PGP signature, all binaries have signatures.

Of course, but we don’t package from binaries, we always build from sources. ;)

I’m not in favour of re-tagging either actually, because this is generally a bad practice (though some of the common issues with that would not apply here, since the same commit would be tagged).

I’ll disable signature checking for this one specific update, but would appreciate it if your release process actually included enforcing signing of the tag in the future. ;) Since you already do so for all binary artifacts, this should not be a big deal. :)
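The check a source-based packager wants here, as an added example that is not from this thread or the Gitea project: separate "is the tag object signed at all" (the 1.9.1 situation, which needs only git and is what a packager would otherwise have to disable) from "is it signed by a key we trust" (which needs gpg and the publisher's key, like `validpgpkeys` in an Arch PKGBUILD). The repository path, tag name and fingerprints are placeholders; `make_unsigned_repo` builds a throwaway repo with an unsigned annotated tag so the refusal path can be exercised offline.

```shell
#!/bin/sh
# Added example, not Gitea project code. Requires git; the signer check also
# requires gpg with the publisher's public key imported.

# 0 if TAG in REPO is an annotated tag carrying a PGP signature block, 1 for a
# lightweight tag (no tag object to sign), an unsigned annotated tag, or no tag.
tag_is_signed() {
    repo=$1; tag=$2
    [ "$(git -C "$repo" cat-file -t "refs/tags/$tag" 2>/dev/null)" = "tag" ] || return 1
    git -C "$repo" cat-file -p "refs/tags/$tag" | grep -q '^-----BEGIN PGP SIGNATURE-----$'
}

# Prints the full fingerprint of the key behind a good signature on TAG, using
# the machine-readable gpg status lines that `git verify-tag --raw` emits on
# stderr. Exits 1 if the tag is unsigned or the signature does not verify.
tag_signer_fingerprint() {
    repo=$1; tag=$2
    fpr=$(git -C "$repo" verify-tag --raw "$tag" 2>&1 | awk '
        /^\[GNUPG:\] GOODSIG/  { good = 1 }
        /^\[GNUPG:\] VALIDSIG/ { fpr = $3 }
        END { if (good && fpr != "") print fpr }')
    [ -n "$fpr" ] || return 1
    printf '%s\n' "$fpr"
}

# Accept TAG only if it is signed and the signer is in the allow-list of full
# fingerprints passed as the remaining arguments (hypothetical values).
verify_release_tag() {
    repo=$1; tag=$2; shift 2
    if ! tag_is_signed "$repo" "$tag"; then
        echo "refusing $tag: tag object is not PGP signed" >&2
        return 1
    fi
    fpr=$(tag_signer_fingerprint "$repo" "$tag") || {
        echo "refusing $tag: signature does not verify" >&2
        return 1
    }
    for allowed in "$@"; do
        [ "$fpr" = "$allowed" ] && { echo "ok: $tag signed by $fpr"; return 0; }
    done
    echo "refusing $tag: good signature, but key $fpr is not in the allow-list" >&2
    return 1
}

# Constructed test fixture: a repo with one commit, an annotated but unsigned
# tag v1.9.1 (the situation in this issue) and a lightweight tag. Prints its path.
make_unsigned_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    git -C "$dir" -c user.name=t -c user.email=t@example.com \
        commit -q --allow-empty -m "release"
    git -C "$dir" -c user.name=t -c user.email=t@example.com \
        -c tag.gpgSign=false tag -a -m "v1.9.1" v1.9.1
    git -C "$dir" tag lightweight
    printf '%s\n' "$dir"
}

# Usage against a real checkout (placeholder path and fingerprint):
#   verify_release_tag /path/to/gitea v1.9.2 0123456789ABCDEF0123456789ABCDEF01234567
```

The first check deliberately does not need the signer's key: a packager can detect "this tag is unsigned" and refuse before any key-distribution problem (such as the broken GitHub key export discussed later in this thread) comes into play. Requiring both `GOODSIG` and `VALIDSIG` rejects signatures gpg reports as bad or from an unusable key, and comparing the full fingerprint rather than the short key ID avoids collision tricks.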

Just a tiny hint, but one could also upload detached signatures for the GitHub source tarballs. This could even be done without re-tagging anything :smile_cat:

Maybe we should add this issue to milestone 1.9.2 so that we indicate it in the changelog as a kind of fix from the previous release, and close it when 1.9.2 is released.

Closed as new tag released and it is signed.

@lunny I can’t find your public key anywhere, and https://github.com/lunny.gpg is broken. Can you upload it to a keyserver?

@sapk That’s not @lunny key.

Sorry, I read too quickly.

@ArchangeGabriel It's strange, https://github.com/lunny.gpg returns:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Note: The keys with the following IDs couldn't be exported and need to be reuploaded C3B7C91B632F738A


=twTO
-----END PGP PUBLIC KEY BLOCK-----

@sapk The tag is not signed by giteabot, but publishers. I tagged v1.9.2 and it displayed well.


@ArchangeGabriel maybe it's github's problem?

Yes, GitHub is able to verify your signature but not to verify it. That is likely a bug on their side, but there are other places where you could upload your public key. :) Starting with this actual thread. ;)

@lunny I still can’t find your key anywhere. Can you upload your _public_ key somewhere accessible please? :)

(Or just reupload it on GitHub as instructed by https://github.com/lunny.gpg)

Let me try.

@ArchangeGabriel After I readded the same gpg public key, it's now OK.

@lunny Thanks, perfect. :)
