mirror of
https://github.com/go-gitea/gitea
synced 2024-11-14 14:01:34 +01:00
Ensure Subkeys are verified (#12155)
When attempting to verify subkeys the email address verification step requires checking the emails however, these emails are not stored on subkeys but instead on the primary key. This PR will obtain the primaryKey and check against these emails too. Fix #12128 Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
This commit is contained in:
parent
26e931ae34
commit
8a0bb7cd04
1 changed files with 41 additions and 1 deletions
|
@ -509,6 +509,18 @@ func hashAndVerifyForKeyID(sig *packet.Signature, payload string, committer *Use
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
for _, key := range keys {
|
for _, key := range keys {
|
||||||
|
var primaryKeys []*GPGKey
|
||||||
|
if key.PrimaryKeyID != "" {
|
||||||
|
primaryKeys, err = GetGPGKeysByKeyID(key.PrimaryKeyID)
|
||||||
|
if err != nil {
|
||||||
|
log.Error("GetGPGKeysByKeyID: %v", err)
|
||||||
|
return &CommitVerification{
|
||||||
|
CommittingUser: committer,
|
||||||
|
Verified: false,
|
||||||
|
Reason: "gpg.error.failed_retrieval_gpg_keys",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
activated := false
|
activated := false
|
||||||
if len(email) != 0 {
|
if len(email) != 0 {
|
||||||
for _, e := range key.Emails {
|
for _, e := range key.Emails {
|
||||||
|
@ -518,6 +530,20 @@ func hashAndVerifyForKeyID(sig *packet.Signature, payload string, committer *Use
|
||||||
break
|
break
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
if !activated {
|
||||||
|
for _, pkey := range primaryKeys {
|
||||||
|
for _, e := range pkey.Emails {
|
||||||
|
if e.IsActivated && strings.EqualFold(e.Email, email) {
|
||||||
|
activated = true
|
||||||
|
email = e.Email
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if activated {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
for _, e := range key.Emails {
|
for _, e := range key.Emails {
|
||||||
if e.IsActivated {
|
if e.IsActivated {
|
||||||
|
@ -526,7 +552,22 @@ func hashAndVerifyForKeyID(sig *packet.Signature, payload string, committer *Use
|
||||||
break
|
break
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
if !activated {
|
||||||
|
for _, pkey := range primaryKeys {
|
||||||
|
for _, e := range pkey.Emails {
|
||||||
|
if e.IsActivated {
|
||||||
|
activated = true
|
||||||
|
email = e.Email
|
||||||
|
break
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
if activated {
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if !activated {
|
if !activated {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
@ -614,7 +655,6 @@ func ParseCommitWithSignature(c *git.Commit) *CommitVerification {
|
||||||
if keyID == "" && sig.IssuerFingerprint != nil && len(sig.IssuerFingerprint) > 0 {
|
if keyID == "" && sig.IssuerFingerprint != nil && len(sig.IssuerFingerprint) > 0 {
|
||||||
keyID = fmt.Sprintf("%X", sig.IssuerFingerprint[12:20])
|
keyID = fmt.Sprintf("%X", sig.IssuerFingerprint[12:20])
|
||||||
}
|
}
|
||||||
|
|
||||||
defaultReason := NoKeyFound
|
defaultReason := NoKeyFound
|
||||||
|
|
||||||
// First check if the sig has a keyID and if so just look at that
|
// First check if the sig has a keyID and if so just look at that
|
||||||
|
|
Loading…
Reference in a new issue