Highlight signed tags like signed commits

This makes signed tags show a badge in the tag list similar to signed
commits in the commit list, and a more verbose block when viewing a
single tag. Works for both GPG and SSH signed tags.

Fixes #1316.

Work sponsored by @glts.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>

routers/web/repo/release.go

@@ -11,6 +11,7 @@ import (
 	"strings"
 
 	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/models/asymkey"
 	"code.gitea.io/gitea/models/db"
 	git_model "code.gitea.io/gitea/models/git"
 	repo_model "code.gitea.io/gitea/models/repo"
@@ -18,6 +19,7 @@ import (
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/git"
+	"code.gitea.io/gitea/modules/gitrepo"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/markup"
 	"code.gitea.io/gitea/modules/markup/markdown"
@@ -192,6 +194,7 @@ func Releases(ctx *context.Context) {
 	}
 
 	ctx.Data["Releases"] = releases
+	addVerifyTagToContext(ctx)
 
 	numReleases := ctx.Data["NumReleases"].(int64)
 	pager := context.NewPagination(int(numReleases), listOptions.PageSize, listOptions.Page, 5)
@@ -201,6 +204,44 @@ func Releases(ctx *context.Context) {
 	ctx.HTML(http.StatusOK, tplReleasesList)
 }
 
+func verifyTagSignature(ctx *context.Context, r *repo_model.Release) (*asymkey.ObjectVerification, error) {
+	if err := r.LoadAttributes(ctx); err != nil {
+		return nil, err
+	}
+	gitRepo, err := gitrepo.OpenRepository(ctx, r.Repo)
+	if err != nil {
+		return nil, err
+	}
+	defer gitRepo.Close()
+
+	tag, err := gitRepo.GetTag(r.TagName)
+	if err != nil {
+		return nil, err
+	}
+	if tag.Signature == nil {
+		return nil, nil
+	}
+
+	verification := asymkey.ParseTagWithSignature(ctx, gitRepo, tag)
+	return verification, nil
+}
+
+func addVerifyTagToContext(ctx *context.Context) {
+	ctx.Data["VerifyTag"] = func(r *repo_model.Release) *asymkey.ObjectVerification {
+		v, err := verifyTagSignature(ctx, r)
+		if err != nil {
+			return nil
+		}
+		return v
+	}
+	ctx.Data["HasSignature"] = func(verification *asymkey.ObjectVerification) bool {
+		if verification == nil {
+			return false
+		}
+		return verification.Reason != "gpg.error.not_signed_commit"
+	}
+}
+
 // TagsList render tags list page
 func TagsList(ctx *context.Context) {
 	ctx.Data["PageIsTagList"] = true
@@ -240,6 +281,7 @@ func TagsList(ctx *context.Context) {
 	}
 
 	ctx.Data["Releases"] = releases
+	addVerifyTagToContext(ctx)
 
 	numTags := ctx.Data["NumTags"].(int64)
 	pager := context.NewPagination(int(numTags), opts.PageSize, opts.Page, 5)
@@ -304,6 +346,7 @@ func SingleRelease(ctx *context.Context) {
 	if release.IsTag && release.Title == "" {
 		release.Title = release.TagName
 	}
+	addVerifyTagToContext(ctx)
 
 	ctx.Data["PageIsSingleTag"] = release.IsTag
 	if release.IsTag {

templates/repo/release/list.tmpl

@@ -60,6 +60,7 @@
 						<div class="markup desc">
 							{{$release.RenderedNote}}
 						</div>
+						{{template "repo/tag/verification_line" (dict "ctxData" $ "release" $release)}}
 						<div class="divider"></div>
 						<details class="download" {{if eq $idx 0}}open{{end}}>
 							<summary class="tw-my-4">

templates/repo/tag/list.tmpl

@@ -16,12 +16,13 @@
 					{{range $idx, $release := .Releases}}
 						<tr>
 							<td class="tag">
-								<h3 class="release-tag-name tw-mb-2">
+								<h3 class="release-tag-name tw-mb-2 tw-flex">
 									{{if $canReadReleases}}
 										<a class="tw-flex tw-items-center" href="{{$.RepoLink}}/releases/tag/{{.TagName | PathEscapeSegments}}" rel="nofollow">{{.TagName}}</a>
 									{{else}}
 										<a class="tw-flex tw-items-center" href="{{$.RepoLink}}/src/tag/{{.TagName | PathEscapeSegments}}" rel="nofollow">{{.TagName}}</a>
 									{{end}}
+									{{template "repo/tag/verification_box" (dict "ctxData" $ "release" $release)}}
 								</h3>
 								<div class="download tw-flex tw-items-center">
 									{{if $.Permission.CanRead $.UnitTypeCode}}

templates/repo/tag/verification_box.tmpl

@@ -0,0 +1,27 @@
+{{$v := call .ctxData.VerifyTag .release}}
+{{if call .ctxData.HasSignature $v}}
+	{{$class := "isSigned"}}
+	{{$href := ""}}
+	{{if $v.Verified}}
+		{{$href = $v.SigningUser.HomeLink}}
+		{{$class = (print $class " isVerified")}}
+	{{else}}
+		{{$class = (print $class " isWarning")}}
+	{{end}}
+
+	<a {{if $href}}href="{{$href}}"{{end}} class="ui label tw-ml-2 {{$class}}">
+		{{if $v.Verified}}
+			<div title="{{$v.Reason}}">
+				{{if ne $v.SigningUser.ID 0}}
+					{{svg "gitea-lock"}}
+					{{ctx.AvatarUtils.Avatar $v.SigningUser 28 "signature"}}
+				{{else}}
+					<span title="{{ctx.Locale.Tr "gpg.default_key"}}">{{svg "gitea-lock-cog"}}</span>
+					{{ctx.AvatarUtils.AvatarByEmail $v.Verification.SigningEmail "" 28 "signature"}}
+				{{end}}
+			</div>
+		{{else}}
+			<span title="{{ctx.Locale.Tr $v.Reason}}">{{svg "gitea-unlock"}}</span>
+		{{end}}
+	</a>
+{{end}}

templates/repo/tag/verification_line.tmpl

@@ -0,0 +1,80 @@
+{{$v := call .ctxData.VerifyTag .release}}
+{{if call .ctxData.HasSignature $v}}
+	{{$class := "isSigned"}}
+	{{$href := ""}}
+	{{if $v.Verified}}
+		{{$href = $v.SigningUser.HomeLink}}
+		{{$class = (print $class " isVerified")}}
+	{{else}}
+		{{$class = (print $class " isWarning")}}
+	{{end}}
+
+	<div class="ui bottom attached message tw-text-left tw-flex tw-content-center tw-justify-between tag-signature-row tw-flex-wrap tw-mb-0 {{$class}}">
+		<div class="tw-flex tw-content-center">
+			{{if $v.Verified}}
+				{{if ne $v.SigningUser.ID 0}}
+					{{svg "gitea-lock" 16 "tw-mr-2"}}
+					<span class="ui text tw-mr-2">{{ctx.Locale.Tr "repo.commits.signed_by"}}</span>
+					{{ctx.AvatarUtils.Avatar $v.SigningUser 28 "tw-mr-2"}}
+					<a href="{{$v.SigningUser.HomeLink}}"><strong>{{$v.SigningUser.GetDisplayName}}</strong></a>
+				{{else}}
+					<span title="{{ctx.Locale.Tr "gpg.default_key"}}">{{svg "gitea-lock-cog" 16 "tw-mr-2"}}</span>
+					<span class="ui text tw-mr-2">{{ctx.Locale.Tr "repo.commits.signed_by"}}:</span>
+					{{ctx.AvatarUtils.AvatarByEmail $v.SigningEmail "" 28 "tw-mr-2"}}
+					<strong>{{$v.SigningUser.GetDisplayName}}</strong>
+				{{end}}
+			{{else}}
+				{{svg "gitea-unlock" 16 "tw-mr-2"}}
+				<span class="ui text">{{ctx.Locale.Tr $v.Reason}}</span>
+			{{end}}
+		</div>
+
+		<div class="tw-flex tw-content-center">
+			{{if $v.Verified}}
+				{{if ne $v.SigningUser.ID 0}}
+					{{svg "octicon-verified" 16 "tw-mr-2"}}
+					{{if $v.SigningSSHKey}}
+						<span class="ui text tw-mr-2">{{ctx.Locale.Tr "repo.commits.ssh_key_fingerprint"}}:</span>
+						{{$v.SigningSSHKey.Fingerprint}}
+					{{else}}
+						<span class="ui text tw-mr-2">{{ctx.Locale.Tr "repo.commits.gpg_key_id"}}:</span>
+						{{$v.SigningKey.PaddedKeyID}}
+					{{end}}
+				{{else}}
+					{{svg "octicon-unverified" 16 "tw-mr-2"}}
+					{{if $v.SigningSSHKey}}
+						<span class="ui text tw-mr-2" data-tooltip-content="{{ctx.Locale.Tr "gpg.default_key"}}">{{ctx.Locale.Tr "repo.commits.ssh_key_fingerprint"}}:</span>
+						{{$v.SigningSSHKey.Fingerprint}}
+					{{else}}
+						<span class="ui text tw-mr-2" data-tooltip-content="{{ctx.Locale.Tr "gpg.default_key"}}">{{ctx.Locale.Tr "repo.commits.gpg_key_id"}}:</span>
+						{{$v.SigningKey.PaddedKeyID}}
+					{{end}}
+				{{end}}
+			{{else if $v.Warning}}
+				{{svg "octicon-unverified" 16 "tw-mr-2"}}
+				{{if $v.SigningSSHKey}}
+					<span class="ui text tw-mr-2">{{ctx.Locale.Tr "repo.commits.ssh_key_fingerprint"}}:</span>
+					{{$v.SigningSSHKey.Fingerprint}}
+				{{else}}
+					<span class="ui text tw-mr-2">{{ctx.Locale.Tr "repo.commits.gpg_key_id"}}:</span>
+					{{$v.SigningKey.PaddedKeyID}}
+				{{end}}
+			{{else}}
+				{{if $v.SigningKey}}
+					{{if ne $v.SigningKey.KeyID ""}}
+						{{svg "octicon-verified" 16 "tw-mr-2"}}
+						<span class="ui text tw-mr-2">{{ctx.Locale.Tr "repo.commits.gpg_key_id"}}:</span>
+						{{$v.SigningKey.PaddedKeyID}}
+					{{end}}
+				{{end}}
+				{{if $v.SigningSSHKey}}
+					{{if ne $v.SigningSSHKey.Fingerprint ""}}
+						{{svg "octicon-verified" 16 "tw-mr-2"}}
+						<span class="ui text tw-mr-2">{{ctx.Locale.Tr "repo.commits.ssh_key_fingerprint"}}:</span>
+						{{$v.SigningSSHKey.Fingerprint}}
+					{{end}}
+				{{end}}
+			{{end}}
+		</div>
+	</div>
+{{end}}

web_src/css/repo.css

@@ -1878,6 +1878,31 @@
   border-bottom: 1px solid var(--color-warning-border);
 }
 
+.repository .release-tag-name .ui.label.isSigned,
+.repository .release-list-title .ui.label.isSigned {
+  padding: 0 0.5em;
+  box-shadow: none;
+}
+
+.repository .release-tag-name .ui.label.isSigned .avatar,
+.repository .release-list-title .ui.label.isSigned .avatar {
+  margin-left: .5rem;
+}
+
+.repository .release-tag-name .ui.label.isSigned.isVerified,
+.repository .release-list-title .ui.label.isSigned.isVerified {
+  border: 1px solid var(--color-success-border);
+  background-color: var(--color-success-bg);
+  color: var(--color-success-text);
+}
+
+.repository .release-tag-name .ui.label.isSigned.isWarning,
+.repository .release-list-title .ui.label.isSigned.isWarning {
+  border: 1px solid var(--color-warning-border);
+  background-color: var(--color-warning-bg);
+  color: var(--color-warning-text);
+}
+
 .repository .segment.reactions.dropdown .menu,
 .repository .select-reaction.dropdown .menu {
   right: 0 !important;
@@ -2111,12 +2136,19 @@
   padding-top: 15px;
 }
 
-.commit-header-row {
+.commit-header-row,
+.tag-signature-row {
   min-height: 50px !important;
   padding-top: 0 !important;
   padding-bottom: 0 !important;
 }
 
+.tag-signature-row div {
+  margin-top: auto !important;
+  margin-bottom: auto !important;
+  display: inline-block !important;
+}
+
 .settings.webhooks .list > .item:not(:first-child),
 .settings.githooks .list > .item:not(:first-child),
 .settings.actions .list > .item:not(:first-child) {