peezy-tech/jojo
2
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2026-05-13 06:20:24 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
jojo/services
History
forgejo-backport-action d3dd397001 [v15.0/forgejo] fix: get tag must return the tag signature instead of commit signature (#12395) 
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12351

## Fix: `GET /api/v1/repos/{owner}/{repo}/git/tags/{sha}` returns empty verification for signed tags

### Problem

When an annotated tag is signed (GPG or SSH) but the underlying commit is **not** signed, the API endpoint `GET /repos/{owner}/{repo}/git/tags/{sha}` returns an empty `verification.signature` field.

This is because `ToAnnotatedTag` was calling `ToVerification(ctx, c)` with the **commit** object, which checks the commit's signature — not the tag's own signature. Since the commit is unsigned, the API returns `signature: ""` and `verified: false`.

This causes issues for tools that rely on the tag signature from the API to validate that a tag push event is from a trusted source.

### Fix

`ToAnnotatedTag` now checks if the tag has its own signature (`t.Signature != nil`). If so, it uses `ParseTagWithSignature` to verify the tag's signature and populates the `verification` field from the tag. Otherwise, it falls back to the commit signature (existing behavior for unsigned/lightweight tags).

Co-authored-by: steven.guiheux <steven.guiheux@ovhcloud.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12395
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
2026-05-03 06:38:17 +02:00
..
actions [v15.0/forgejo] fix: resolve outer workflow call to success, not failure, on inner job skip (#12229) 2026-04-22 20:40:54 +02:00
agit chore: fix typos throughout the codebase (#10753) 2026-01-26 22:57:33 +01:00
asymkey chore: do not clobber ~/.ssh/authorized_keys in certain tests (#10163) 2025-11-19 16:14:16 +01:00
attachment fix: check that attachments belong to correct resource 2026-03-06 11:21:07 -07:00
auth [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
authz feat: read, create, & delete repo-specific access tokens via API (#11504) 2026-03-07 21:55:08 +01:00
automerge chore: add integration testing 2026-03-06 11:21:07 -07:00
context [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
contexttest feat: add more filters to actions run and tasks api (#11584) 2026-03-10 01:20:00 +01:00
convert [v15.0/forgejo] fix: get tag must return the tag signature instead of commit signature (#12395) 2026-05-03 06:38:17 +02:00
cron [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
doctor [v15.0/forgejo] fix(doctor): remove broken mergebase check (#12040) 2026-04-08 21:09:40 +02:00
externalaccount chore(cleanup): replaces unnecessary calls to formatting functions by non-formatting equivalents (#7994) 2025-05-29 17:34:29 +02:00
f3 chore: update gof3/v3 v3.11.15 (#10673) 2026-01-13 16:59:56 +01:00
federation feat(activitypub): use structure @PreferredUsername@host.tld:port for actors (#9254) 2026-01-30 23:45:11 +01:00
feed chore: fix typos throughout the codebase (#10753) 2026-01-26 22:57:33 +01:00
forgejo chore: move all test blank imports in a single package (#10662) 2026-01-02 05:32:32 +01:00
forms [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
gitdiff [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
indexer fix(issue-search): delete issue from indexer on DeleteIssue (#11585) 2026-03-09 18:51:18 +01:00
issue [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
lfs [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
mailer [v15.0/forgejo] i18n(mailer): Fix special usage of .Locale in admin_new_user (#12112) 2026-04-14 07:22:44 +02:00
markup chore: remove branding from context imports (#9628) 2025-10-11 01:52:51 +02:00
migrations [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
mirror [v15.0/forgejo] fix: store pull mirror creds encrypted with keying (#11984) 2026-04-04 14:47:05 +02:00
moderation chore: move all test blank imports in a single package (#10662) 2026-01-02 05:32:32 +01:00
notify fix(issue-search): delete issue from indexer on DeleteIssue (#11585) 2026-03-09 18:51:18 +01:00
org fix: add missing deleting beans for organizations (#11699) 2026-03-17 09:11:52 +01:00
packages [v15.0/forgejo] test: fix intermittent test failure in TestPackageDebianConcurrent (#11998) 2026-04-06 03:39:53 +02:00
pull [v15.0/forgejo] fix: verify PR author has write access to head to support allow maintainers edit (#12293) 2026-04-29 05:28:56 +02:00
redirect chore: move all test blank imports in a single package (#10662) 2026-01-02 05:32:32 +01:00
release fix: don't trip deleting attachment with missing permission error (#11642) 2026-03-12 20:29:10 +01:00
remote chore: fix typos throughout the codebase (#10753) 2026-01-26 22:57:33 +01:00
repository [v15.0/forgejo] fix(ui): allow creating files with name starting with dash (#12215) 2026-04-21 20:34:37 +02:00
secrets feat: allow renaming and replacing secrets (#11732) 2026-03-23 03:30:02 +01:00
shared/automerge fix: suppress false-positive error log when PR is already in the automerge queue (#9784) 2025-10-21 08:19:33 +02:00
stats chore: fix typos throughout the codebase (#10753) 2026-01-26 22:57:33 +01:00
task ci: detect and prevent empty case statements in Go code (#11593) 2026-03-10 02:50:28 +01:00
uinotification chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
user refactor: replace ActionRunnerToken.OwnerID & RepoID with optional.Option[int64] (#11601) 2026-03-10 03:19:16 +01:00
webhook [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
wiki [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00