Skip to content

Keys should not verify revoked email addresses#12486

Merged
zeripath merged 2 commits into
go-gitea:masterfrom
zeripath:fix-6778-disallow-revoked
Aug 16, 2020
Merged

Keys should not verify revoked email addresses#12486
zeripath merged 2 commits into
go-gitea:masterfrom
zeripath:fix-6778-disallow-revoked

Conversation

@zeripath
Copy link
Copy Markdown
Contributor

@zeripath zeripath commented Aug 13, 2020

When adding gpg keys, if the identity has been revoked do not match it with email addresses.

Fix #6778

Signed-off-by: Andrew Thornton art27@cantab.net

@zeripath
Keys should not verify revoked email addresses
9f5e585 
Fix go-gitea#6778

Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath zeripath added this to the 1.13.0 milestone Aug 13, 2020
@zeripath zeripath mentioned this pull request Aug 13, 2020
Closed
7 tasks
@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented Aug 13, 2020
edited
Loading

Codecov Report

Merging #12486 into master will increase coverage by 0.01%.
The diff coverage is 0.00%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master   #12486      +/-   ##
==========================================
+ Coverage   43.73%   43.75%   +0.01%     
==========================================
  Files         631      631              
  Lines       69871    69873       +2     
==========================================
+ Hits        30560    30570      +10     
+ Misses      34352    34348       -4     
+ Partials     4959     4955       -4
Impacted Files Coverage Δ
models/gpg_key.go 54.58% <0.00%> (-0.22%) ⬇️
models/unit.go 45.07% <0.00%> (-2.82%) ⬇️
services/pull/pull.go 42.03% <0.00%> (+0.46%) ⬆️
modules/log/event.go 57.54% <0.00%> (+0.94%) ⬆️
modules/git/repo.go 50.25% <0.00%> (+1.01%) ⬆️
modules/indexer/stats/db.go 52.17% <0.00%> (+8.69%) ⬆️
modules/indexer/stats/queue.go 76.47% <0.00%> (+23.52%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ac3cfad...35942f0. Read the comment docs.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Aug 13, 2020
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Aug 15, 2020
@zeripath
Copy link
Copy Markdown
Contributor Author

zeripath commented Aug 15, 2020
edited
Loading

I think we need to double check against what GH does for revoked IDs. There's an issue with the way GH uses git signatures here - it uses them as committer verification and therefore a signature matching a revoked email address is not necessarily incorrect.

Looks like this PR replicates this behaviour:

https://docs.github.com/en/github/authenticating-to-github/troubleshooting-commit-signature-verification

and is therefore correct.

@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Aug 15, 2020
@zeripath zeripath merged commit f50364a into go-gitea:master Aug 16, 2020
@zeripath zeripath deleted the fix-6778-disallow-revoked branch August 16, 2020 08:44
zeripath added a commit to zeripath/gitea that referenced this pull request Aug 16, 2020
@zeripath
Keys should not verify revoked email addresses (go-gitea#12486)
57015f2 
Backport go-gitea#12486

Fix go-gitea#6778

Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath zeripath mentioned this pull request Aug 16, 2020
Merged
@zeripath
Copy link
Copy Markdown
Contributor Author

zeripath commented Aug 16, 2020

It's worth noting that this will only result in non-verification if and only if the key does not match any other email address for the user.

(Remember that Signature Verification in Gitea does not currently match Github - Github's signature verification is only committer verification we have a slightly different model.)

techknowlogick pushed a commit that referenced this pull request Aug 17, 2020
@zeripath @lunny
Keys should not verify revoked email addresses (#12486) (#12495)
8282697 
Backport #12486

Fix #6778

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
@zeripath zeripath added the backport/done All backports for this PR have been created label Aug 22, 2020
@zeripath zeripath mentioned this pull request Oct 21, 2020
Closed
2 tasks
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@lunny lunny lunny approved these changes

+1 more reviewer

@CirnoT CirnoT CirnoT approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

backport/done All backports for this PR have been created lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. type/bug

Projects

None yet

Milestone

1.13.0

Development

Successfully merging this pull request may close these issues.

GPG not using correct UID

5 participants

@zeripath @codecov-commenter @lunny @CirnoT @GiteaBot