No PGP signature on 1.9.1 tag/release #7874
Comments
|
I think it just that it is an other @go-gitea/owners that make this tag and he doesn't use gpg generally. I don't think we enforce gpg on tag. It was just the the owners that previously done the tags use it. |
|
The binary is still signed. |
lunny
added
the
type/question
|
For insight, on discord maintainer channel I suggest to let as it is instead of re-tagging 1.9.1 and plan to release 1.9.2 soon as they are already fixes after 1.9.1. |
|
@sapk I always use gpg when I commit but missed tag. :( |
|
Of course, but we don’t package from binaries, we always build from sources. ;) I’m not in favour of re-tagging either actually, because this is generally a bad practice (though some of the common issues with that would not apply here, since the same commit would be tagged). I’ll disable signature checking for this one specific update, but would appreciate if you release process actually includes enforcing signing the tag in the future. ;) Since you already do for all binaries artifacts, this should not be a big deal. :) |
|
Just a tiny hint, but one could also upload detatched signatures for the github source tarballs. This could even be done without re-tagging anything 😸 |
|
Maybe we should add this issue to milestone 1.9.2 so that we indicate it in changelog as kind of fix from previous release and close it when 1.9.2 is release. |
|
Closed as new tag released and it is signed. |
* BUGFIXES * Fix wrong sender when send slack webhook (go-gitea#7918) (go-gitea#7924) * Upload support text/plain; charset=utf8 (go-gitea#7899) * Lfs/lock: round locked_at timestamp to second (go-gitea#7872) (go-gitea#7875) * Fix non existent milestone with 500 error (go-gitea#7867) (go-gitea#7873) * SECURITY * Fix No PGP signature on 1.9.1 tag (go-gitea#7874) * Release built with go 1.12.9 to fix security fixes in golang std lib, ref: https://groups.google.com/forum/#!msg/golang-announce/oeMaeUnkvVE/a49yvTLqAAAJ * ENHANCEMENT * Fix pull creation with empty changes (go-gitea#7920) (go-gitea#7926) * BUILD * Drone/docker: prepare multi-arch release + provide arm64 image (go-gitea#7571) (go-gitea#7884)
|
@lunny I can’t find your public key anywhere, and https://github.com/lunny.gpg is broken. Can you upload it to a keyserver? |
|
The public key should be accessible here : https://pgp.mit.edu/pks/lookup?op=vindex&fingerprint=on&search=0x2D9AE806EC1592E2 |
|
Sorry I read to quickly. |
|
@ArchangeGabriel It's strange https://github.com/lunny.gpg return: @sapk The tag is not signed by giteabot, but publishers. I tagged v1.9.2 and it displayed well.
@ArchangeGabriel maybe it's github's problem? |
|
Yes, GitHub is able to verify your signature but not to verify it. That is likely a bug on their side, but they are other places where you could upload your public key. :) Starting by this actual thread. ;) |
|
@lunny I still can’t found your key anywhere. Can you upload your public key somewhere accessible please? :) |
|
(Or just reupload it on GitHub as instructed by https://github.com/lunny.gpg) |
|
Let me try. |
|
@ArchangeGabriel After I readded the same gpg public key, it's now OK. |
|
@lunny Thanks, perfect. :) |
Everything is in the title, in contrary to all previous versions since I started packaging Gitea for ArchLinux, this is the first one where the tag/release is not PGP signed. Is it expected? Can you fix that? Thanks.
The text was updated successfully, but these errors were encountered: