fix(upgrade.sh): use HTTPS for GPG key import and restore SELinux context after upgrade#36930
Merged
Merged
Conversation
…text Two fixes for contrib/upgrade.sh: 1. GPG key import now uses the keys.openpgp.org HTTPS REST API (port 443) instead of the HKP protocol (port 11371), which is frequently blocked by firewalls. Keyservers remain as fallbacks. Closes go-gitea#36928 2. After moving the binary to $giteabin, run restorecon to fix the SELinux security context on RHEL/Fedora systems. Without this, systemd exits with status 203/EXEC. Guarded with command -v so it is a no-op on non-SELinux systems. Closes go-gitea#36929
GiteaBot
added
the
lgtm/need 2
wxiaoguang
reviewed
Mar 19, 2026
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
wxiaoguang
reviewed
Mar 19, 2026
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
wxiaoguang
approved these changes
Mar 19, 2026
GiteaBot
added
lgtm/need 1
TheFox0x7
approved these changes
Mar 19, 2026
GiteaBot
added
lgtm/done
zjjhot
added a commit
to zjjhot/gitea
that referenced
this pull request
Mar 23, 2026
* giteaofficial/main: Add user badges (go-gitea#36752) Apply as maintainer (go-gitea#36947) Refactor storage content-type handling of ServeDirectURL (go-gitea#36804) Add summary to action runs view (go-gitea#36883) feat: Add configurable permissions for Actions automatic tokens (go-gitea#36173) Feature: Add button to re-run failed jobs in Actions (go-gitea#36924) Support dark/light theme images in markdown (go-gitea#36922) fix go-gitea#36463: preserve sort order of exclusive labels from template repo (go-gitea#36931) fix(upgrade.sh): use HTTPS for GPG key import and restore SELinux context after upgrade (go-gitea#36930) [skip ci] Updated translations via Crowdin Make container registry support Apple Container (basic auth) (go-gitea#36920) Fix various trivial problems (go-gitea#36921)
silverwind
added a commit
to silverwind/gitea
that referenced
this pull request
Mar 23, 2026
* origin/main: Update to eslint 10 (go-gitea#36925) Add user badges (go-gitea#36752) Apply as maintainer (go-gitea#36947) Refactor storage content-type handling of ServeDirectURL (go-gitea#36804) Add summary to action runs view (go-gitea#36883) feat: Add configurable permissions for Actions automatic tokens (go-gitea#36173) Feature: Add button to re-run failed jobs in Actions (go-gitea#36924) Support dark/light theme images in markdown (go-gitea#36922) fix go-gitea#36463: preserve sort order of exclusive labels from template repo (go-gitea#36931) fix(upgrade.sh): use HTTPS for GPG key import and restore SELinux context after upgrade (go-gitea#36930) [skip ci] Updated translations via Crowdin Make container registry support Apple Container (basic auth) (go-gitea#36920) Fix various trivial problems (go-gitea#36921) [skip ci] Updated translations via Crowdin # Conflicts: # package.json # pnpm-lock.yaml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Two bug fixes for
contrib/upgrade.shfound during a real-world upgrade from 1.24.3 to 1.25.5 on Fedora.Fix 1: GPG key import fails when HKP port 11371 is blocked (closes #36928)
Before:
This uses HKP port 11371, which is blocked by many firewalls. The upgrade aborts with:
After:
Same
keys.openpgp.orgserver, same key — but fetched over HTTPS port 443 which is universally accessible. Keyservers remain as fallbacks.Fix 2: Gitea fails to start after upgrade on SELinux systems (closes #36929)
Problem: After
mv-ing the binary from$giteahometo/usr/local/bin/gitea, the file retains the SELinux context of the source directory. Systemd refuses to execute it, exiting withstatus=203/EXEC.Fix: Add a
restoreconcall guarded bycommand -vso it is a no-op on non-SELinux systems:Verified:
restorecon -v /usr/local/bin/giteaimmediately restored service on the affected machine.