Browse Source

Ensure Subkeys are verified (#12155)

When attempting to verify subkeys the email address verification step
requires checking the emails however, these emails are not stored on
subkeys but instead on the primary key.

This PR will obtain the primaryKey and check against these emails too.

Fix #12128

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
for-closed-social
zeripath 4 years ago
committed by GitHub
parent
commit
8a0bb7cd04
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 41 additions and 1 deletions
  1. +41
    -1
      models/gpg_key.go

+ 41
- 1
models/gpg_key.go View File

@ -509,6 +509,18 @@ func hashAndVerifyForKeyID(sig *packet.Signature, payload string, committer *Use
return nil
}
for _, key := range keys {
var primaryKeys []*GPGKey
if key.PrimaryKeyID != "" {
primaryKeys, err = GetGPGKeysByKeyID(key.PrimaryKeyID)
if err != nil {
log.Error("GetGPGKeysByKeyID: %v", err)
return &CommitVerification{
CommittingUser: committer,
Verified: false,
Reason: "gpg.error.failed_retrieval_gpg_keys",
}
}
}
activated := false
if len(email) != 0 {
for _, e := range key.Emails {
@ -518,6 +530,20 @@ func hashAndVerifyForKeyID(sig *packet.Signature, payload string, committer *Use
break
}
}
if !activated {
for _, pkey := range primaryKeys {
for _, e := range pkey.Emails {
if e.IsActivated && strings.EqualFold(e.Email, email) {
activated = true
email = e.Email
break
}
}
if activated {
break
}
}
}
} else {
for _, e := range key.Emails {
if e.IsActivated {
@ -526,7 +552,22 @@ func hashAndVerifyForKeyID(sig *packet.Signature, payload string, committer *Use
break
}
}
if !activated {
for _, pkey := range primaryKeys {
for _, e := range pkey.Emails {
if e.IsActivated {
activated = true
email = e.Email
break
}
}
if activated {
break
}
}
}
}
if !activated {
continue
}
@ -614,7 +655,6 @@ func ParseCommitWithSignature(c *git.Commit) *CommitVerification {
if keyID == "" && sig.IssuerFingerprint != nil && len(sig.IssuerFingerprint) > 0 {
keyID = fmt.Sprintf("%X", sig.IssuerFingerprint[12:20])
}
defaultReason := NoKeyFound
// First check if the sig has a keyID and if so just look at that

Loading…
Cancel
Save