Mirror of https://codeberg.org/forgejo/forgejo.git (synced 2026-05-16 07:46:35 +00:00)
## Fix: `GET /api/v1/repos/{owner}/{repo}/git/tags/{sha}` returns empty verification for signed tags
### Problem
When an annotated tag is signed (GPG or SSH) but the underlying commit is **not** signed, the API endpoint `GET /repos/{owner}/{repo}/git/tags/{sha}` returns an empty `verification.signature` field.
This is because `ToAnnotatedTag` was calling `ToVerification(ctx, c)` with the **commit** object, which checks the commit's signature — not the tag's own signature. Since the commit is unsigned, the API returns `signature: ""` and `verified: false`.
This causes issues for tools that rely on the tag signature from the API to validate that a tag push event is from a trusted source.
### Fix
`ToAnnotatedTag` now checks if the tag has its own signature (`t.Signature != nil`). If so, it uses `ParseTagWithSignature` to verify the tag's signature and populates the `verification` field from the tag. Otherwise, it falls back to the commit signature (existing behavior for unsigned/lightweight tags).
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12351
Reviewed-by: limiting-factor <limiting-factor@noreply.codeberg.org>
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
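The selection logic described in the commit message above, as an added Go example that is not Forgejo's code: it models only which object's signature ends up in `verification` and performs no cryptographic verification. `splitTag`, `pickVerification`, the `Source` field and the sample tag are assumptions made for illustration; the one format fact it relies on is that git appends a tag's armored signature to the end of the tag body.

```go
package main

import (
	"fmt"
	"strings"
)

// Verification is a simplified stand-in for the API's verification object;
// Source is a hypothetical field added here to show which object was used.
type Verification struct{ Signature, Source string }

// splitTag separates a raw annotated tag object into the signed payload and
// the armored signature git appends to the end of the tag body.
func splitTag(raw string) (payload, sig string) {
	for _, m := range []string{"-----BEGIN PGP SIGNATURE-----", "-----BEGIN SSH SIGNATURE-----"} {
		if i := strings.LastIndex(raw, "\n"+m); i >= 0 {
			return raw[:i+1], raw[i+1:]
		}
	}
	return raw, ""
}

// pickVerification models the selection the commit message describes.
// tagAware=false is the old behaviour (commit only); true is the fix.
func pickVerification(rawTag, commitSig string, tagAware bool) Verification {
	if _, sig := splitTag(rawTag); tagAware && sig != "" {
		return Verification{sig, "tag"}
	}
	if commitSig != "" {
		return Verification{commitSig, "commit"}
	}
	return Verification{}
}

// Constructed sample: a signed annotated tag with a placeholder signature body.
const signedTag = "object 0000000000000000000000000000000000000000\n" +
	"type commit\ntag v1.0.0\ntagger Example <dev@example.invalid> 1700000000 +0000\n\n" +
	"release v1.0.0\n" +
	"-----BEGIN SSH SIGNATURE-----\nPLACEHOLDER\n-----END SSH SIGNATURE-----\n"

func main() {
	// The tagged commit is unsigned, so its signature is the empty string.
	fmt.Printf("before: %+v\n", pickVerification(signedTag, "", false))
	fmt.Printf("after:  %+v\n", pickVerification(signedTag, "", true))
}
```

A consumer that gates on tag push events should check that the returned signature covers the tag payload (the first value from `splitTag`), not the commit.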
| Name |
|---|
| action.go |
| activity.go |
| activitypub_person.go |
| activitypub_user_action.go |
| attachment.go |
| attachment_test.go |
| convert.go |
| convert_test.go |
| git_commit.go |
| git_commit_test.go |
| issue.go |
| issue_comment.go |
| issue_test.go |
| main_test.go |
| mirror.go |
| notification.go |
| package.go |
| pull.go |
| pull_review.go |
| pull_test.go |
| quota.go |
| release.go |
| release_test.go |
| repository.go |
| status.go |
| user.go |
| user_test.go |
| utils.go |
| utils_test.go |
| wiki.go |