SSH commit signature not recognised #20597

tecosaur opened this issue Aug 1, 2022 · 11 comments
tecosaur commented Aug 1, 2022

Description

Seeing #17743, I get the impression that SSH signed commits should be recognised by Gitea.

I have git set up to sign with my SSH key.

[user]
	name = TEC
	email = [email protected]
	signingkey = ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOZZqcJOLdN+QFHKyW8ST2zz750+8TdvO9IT5geXpQVt
[commit]
	gpgsign = true
[gpg]
	format = ssh
[gpg "ssh"]
	allowedSignersFile = /home/tec/.ssh/allowed_signers

I made a testing repo on try.gitea.io, and pushed the SSH signed commit https://try.gitea.io/tecosaur/testing/commit/399bfb.

I know that Gitea is aware of this key, because I used it to push to the repo via an ssh git@... remote path.

This can also be verified by looking at https://try.gitea.io/tecosaur.keys

If I run git log --show-signature I see:

  Good "git" signature for [email protected] with ED25519 key SHA256:eobz41Mnm0/iYWBvWThftS0ElEs1ftBr6jamutnXc/A

However, in the Gitea UI one sees "No known key found for this signature in database".

This issue was first noticed in my personal Gitea 1.16.9 instance; the issue has persisted after upgrading to 1.17.0, at which point I thought I'd try replicating on try.gitea.io and then making this issue.

Gitea Version

1.16.9 then 1.17.0, and try.gitea.io's version

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

image

Git Version

2.34

Operating System

NixOS

How are you running Gitea?

I'm running Gitea on a VM, and also reproduced this behaviour on try.gitea.io.

Database

PostgreSQL
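
Added example (not part of the original thread and not Gitea's code): Python that derives the SHA256 fingerprint from the `signingkey` line in the post above, so it can be compared with the fingerprint `git log --show-signature` reports and with the key registered on the server. The function names are assumptions made for this example.

```python
import base64
import hashlib
import re
import struct

# Public key line copied from the signingkey setting in the post above.
SIGNING_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOZZqcJOLdN+QFHKyW8ST2zz750+8TdvO9IT5geXpQVt"


def read_string(blob, offset):
    """Read one SSH wire-format string: 4-byte big-endian length, then data."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string")
    return blob[offset + 4:end], end


def parse_public_key(line):
    """Return (key_type, raw_blob) for an OpenSSH public key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    inner_type, _ = read_string(blob, 0)
    # The type named in the text must match the type encoded in the blob.
    if inner_type.decode("ascii") != fields[0]:
        raise ValueError("declared key type does not match key blob")
    return fields[0], blob


def fingerprint(line):
    """SHA256 fingerprint in the form ssh-keygen -l prints (unpadded base64)."""
    _, blob = parse_public_key(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def signed_by(show_signature_output, key_line):
    """True if a 'Good "git" signature' line names key_line's fingerprint."""
    found = re.findall(r'Good "git" signature .* key (SHA256:[A-Za-z0-9+/]+)',
                       show_signature_output)
    return fingerprint(key_line) in found


if __name__ == "__main__":
    print(fingerprint(SIGNING_KEY))
```

The same functions accept any line served from an instance's `<user>.keys` endpoint, which makes it easy to confirm that the key the server lists is the key that produced the signature.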

Contributor

Gusted commented Aug 1, 2022

Hi @tecosaur!

Do you have your SSH key added to <instance_domain>/user/settings/keys?

Author

tecosaur commented Aug 2, 2022

That's exactly what I have,
image

Contributor

Gusted commented Aug 2, 2022

You forgot to verify your SSH key. It's only possible to recognize an SSH signature once the user has verified it's the holder of the SSH key.

Author

tecosaur commented Aug 2, 2022

Ah, I see. That makes sense, it would be a bit more helpful if the message was "the signing key used is unverified" rather than not known at all, but that's a minor thing.

I've given verification a shot, should there be much of a delay in it updating?

image

Currently, I still see "No known key found for this signature in database".

Contributor

Gusted commented Aug 2, 2022

> Ah, I see. That makes sense, it would be a bit more helpful if the message was "the signing key used is unverified" rather than not known at all, but that's a minor thing.

Seems like a good addition, feel free to create a Feature request for that.

> should there be much of a delay in it updating?

Not really, try ctrl + f5 to avoid seeing cached results.

Author

tecosaur commented Aug 2, 2022

I might create an FR for that message then 👍.

With a verified key, my personal 1.17.0 Gitea instance is showing the commits as signed correctly (e.g. https://git.tecosaur.net/tec/golgi/commit/eccd5aa3), but try.gitea.io hasn't updated (see https://try.gitea.io/tecosaur/testing/commit/399bfb5).

Contributor

Gusted commented Aug 2, 2022

Hmm, not sure if try.gitea.io employs (commit) caching on the backend. Otherwise it will have a delay.

Author

tecosaur commented Aug 2, 2022

Hmm, still not showing it. I guess check back later and if try.gitea.io has updated then close the issue, if not then maybe it's not picking it up properly?

Author

tecosaur commented Aug 8, 2022

Update: it's still working on my home instance, but in try.gitea.io my SSH key is verified:

image

but the commit still doesn't show it

image

Member

lunny commented Aug 8, 2022

It depends on the trust model.

Author

tecosaur commented Aug 8, 2022

Ok, so in that case should this be closed if it's just a configuration detail on try.gitea.io?

@lunny lunny closed this as completed Aug 8, 2022
@go-gitea go-gitea locked and limited conversation to collaborators May 3, 2023