Cannot verify GPG key. Armored GPG signature not accepted

[ligaard]

Description

I am trying to set up GPG key on my account. I have successfully added a GPG key, but when I want to verify it, it fails with a red banner stating "The provided GPG key, signature and token do not match or token is out-of-date."

Steps to reproduce (also cf. screenshot below):
0. Go to URL path: user/settings/keys

1. Click the "Verify" button next to a GPG key.
2. execute the command line command shown below the Token input field.
3. Copy paste from the terminal to the Armored GPG signature field.
4. Click Verify and see it fail with the red banner up top.

When step 4 happens, the following log line message is printed twice:
...ey/gpg_key_verify.go:84:VerifyGPGKey() [E] Unable to validate token signature. Error:

My GPG key has been set up with a subkey (as described in https://mikeross.xyz/create-gpg-key-pair-with-subkeys/).

A related issue, but for SSH instead of GPG, is in issue #29903.

Gitea Version

1.23.0+dev-13-gb6a3cd4b8

Can you reproduce the bug on the Gitea demo site?

I do not have login to Gitea demo site and thus have not tried to reproduce there.

Log Gist

...ey/gpg_key_verify.go:84:VerifyGPGKey() [E] Unable to validate token signature. Error:

Screenshots

Git Version

2.43.0

Operating System

Linux (docker desktop on MacOS)

How are you running Gitea?

I am running Gitea from nightly docker hub image, via Docker Desktop on MacOS.

Database

SQLite

[KN4CK3R]

To reproduce the added key must have two subkeys. Generating it with gpg --full-generate-key produces a key with one subkey. Verify works with this key. Then after adding a second subkey the verification fails.

[KN4CK3R]

Fixed in #30193.