Description
contrib/upgrade.sh imports the Gitea signing key using the GPG keyserver protocol:
gpg --keyserver keys.openpgp.org --recv 7C9E68152594688862D62AF62D9AE806EC1592E2
This uses HKP port 11371, which is blocked on many firewalls and cloud/corporate networks, causing:
gpg: keyserver receive failed: Connection timed out
The upgrade aborts because set -euo pipefail treats the non-zero exit as fatal.
Steps to reproduce
- Run contrib/upgrade.sh on a machine where outbound port 11371 is firewalled
- GPG key import fails with Connection timed out
- Upgrade aborts before replacing the binary
Expected behaviour
The script should import the key successfully regardless of firewall rules on port 11371.
Proposed fix
Use the keys.openpgp.org HTTPS REST API (port 443) instead of HKP, with keyservers as fallback:
curl -fsSL --connect-timeout 10 \
"https://keys.openpgp.org/vks/v1/by-fingerprint/7C9E68152594688862D62AF62D9AE806EC1592E2" \
| gpg --import \
|| gpg --keyserver keyserver.ubuntu.com --recv 7C9E68152594688862D62AF62D9AE806EC1592E2 \
|| gpg --keyserver keys.openpgp.org --recv 7C9E68152594688862D62AF62D9AE806EC1592E2
Verified working — same server, same key, served over port 443 instead of 11371.
Environment
- Gitea version: 1.24.3 → 1.25.5
- OS: Linux (Fedora)
- Network: outbound port 11371 blocked by firewall
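The fallback chain proposed above imports whatever each source returns, so it helps to confirm after every attempt that the pinned fingerprint is actually present as a primary key. The sketch below is an added example, not code from the issue or from contrib/upgrade.sh. The function names and the colon-format sample are constructed for illustration; the URL, keyservers and fingerprint are the ones quoted in the issue.

```shell
#!/bin/sh
# Added example (not from contrib/upgrade.sh): try each key source in turn and
# accept it only if the pinned fingerprint ends up as a primary key in the keyring.
GITEA_KEY_FPR="7C9E68152594688862D62AF62D9AE806EC1592E2"

# Succeeds if `gpg --with-colons` output on stdin lists $1 as a primary-key
# fingerprint. Field 10 of an "fpr" record holds the fingerprint; the record
# belongs to the "pub" or "sub" line that precedes it.
has_primary_fpr() {
  awk -F: -v want="$1" '
    $1 == "pub" { primary = 1 }
    $1 == "sub" { primary = 0 }
    $1 == "fpr" && primary && $10 == want { found = 1 }
    END { exit(found ? 0 : 1) }'
}

# Source 1: HTTPS on port 443, the endpoint proposed in the issue.
src_https() {
  curl -fsSL --connect-timeout 10 \
    "https://keys.openpgp.org/vks/v1/by-fingerprint/$1" | gpg --import
}
# Sources 2 and 3: the HKP keyservers from the issue, kept as fallbacks.
src_hkp_ubuntu()  { gpg --keyserver keyserver.ubuntu.com --recv "$1"; }
src_hkp_openpgp() { gpg --keyserver keys.openpgp.org --recv "$1"; }

# import_pinned_key FPR SOURCE...: prints the source that worked, else returns 1.
import_pinned_key() {
  fpr=$1; shift
  for src in "$@"; do
    if "$src" "$fpr" >/dev/null 2>&1 &&
       gpg --batch --with-colons --fingerprint "$fpr" 2>/dev/null |
         has_primary_fpr "$fpr"; then
      echo "$src"
      return 0
    fi
  done
  echo "no source yielded key $fpr" >&2
  return 1
}

# Constructed colon-format sample for checking the parser offline; only the
# fields the parser reads are filled in.
SAMPLE_COLONS="pub:-:::2D9AE806EC1592E2:
fpr:::::::::7C9E68152594688862D62AF62D9AE806EC1592E2:
sub:-:::0123456789ABCDEF:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:"
```

In a script it would be called as `import_pinned_key "$GITEA_KEY_FPR" src_https src_hkp_ubuntu src_hkp_openpgp`, aborting the upgrade if it returns non-zero.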