diff options
| author | zeripath <art27@cantab.net> | 2020-07-06 19:33:34 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-07-06 14:33:34 -0400 |
| commit | 8a0bb7cd040b17e6c6c3d75b4b76051953253c31 (patch) | |
| tree | ca09d4ff41a34562097c933adb91e1c0f3c4176b /models/gpg_key.go | |
| parent | 26e931ae34f618c1a5ad5935cceff7372b16f8a2 (diff) | |
| download | gitea-8a0bb7cd040b17e6c6c3d75b4b76051953253c31.tar.gz gitea-8a0bb7cd040b17e6c6c3d75b4b76051953253c31.zip | |
Ensure Subkeys are verified (#12155)
When attempting to verify subkeys the email address verification step
requires checking the emails however, these emails are not stored on
subkeys but instead on the primary key.
This PR will obtain the primaryKey and check against these emails too.
Fix #12128
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Diffstat (limited to 'models/gpg_key.go')
| -rw-r--r-- | models/gpg_key.go | 42 |
1 files changed, 41 insertions, 1 deletions
diff --git a/models/gpg_key.go b/models/gpg_key.go index 49e510839f..309d914bbc 100644 --- a/models/gpg_key.go +++ b/models/gpg_key.go @@ -509,6 +509,18 @@ func hashAndVerifyForKeyID(sig *packet.Signature, payload string, committer *Use return nil } for _, key := range keys { + var primaryKeys []*GPGKey + if key.PrimaryKeyID != "" { + primaryKeys, err = GetGPGKeysByKeyID(key.PrimaryKeyID) + if err != nil { + log.Error("GetGPGKeysByKeyID: %v", err) + return &CommitVerification{ + CommittingUser: committer, + Verified: false, + Reason: "gpg.error.failed_retrieval_gpg_keys", + } + } + } activated := false if len(email) != 0 { for _, e := range key.Emails { @@ -518,6 +530,20 @@ func hashAndVerifyForKeyID(sig *packet.Signature, payload string, committer *Use break } } + if !activated { + for _, pkey := range primaryKeys { + for _, e := range pkey.Emails { + if e.IsActivated && strings.EqualFold(e.Email, email) { + activated = true + email = e.Email + break + } + } + if activated { + break + } + } + } } else { for _, e := range key.Emails { if e.IsActivated { @@ -526,7 +552,22 @@ func hashAndVerifyForKeyID(sig *packet.Signature, payload string, committer *Use break } } + if !activated { + for _, pkey := range primaryKeys { + for _, e := range pkey.Emails { + if e.IsActivated { + activated = true + email = e.Email + break + } + } + if activated { + break + } + } + } } + if !activated { continue } @@ -614,7 +655,6 @@ func ParseCommitWithSignature(c *git.Commit) *CommitVerification { if keyID == "" && sig.IssuerFingerprint != nil && len(sig.IssuerFingerprint) > 0 { keyID = fmt.Sprintf("%X", sig.IssuerFingerprint[12:20]) } - defaultReason := NoKeyFound // First check if the sig has a keyID and if so just look at that |