mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-05-12 22:10:25 +00:00
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12351

## Fix: `GET /api/v1/repos/{owner}/{repo}/git/tags/{sha}` returns empty verification for signed tags

### Problem

When an annotated tag is signed (GPG or SSH) but the underlying commit is **not** signed, the API endpoint `GET /repos/{owner}/{repo}/git/tags/{sha}` returns an empty `verification.signature` field.

This is because `ToAnnotatedTag` was calling `ToVerification(ctx, c)` with the **commit** object, which checks the commit's signature — not the tag's own signature. Since the commit is unsigned, the API returns `signature: ""` and `verified: false`.

This causes issues for tools that rely on the tag signature from the API to validate that a tag push event is from a trusted source.

### Fix

`ToAnnotatedTag` now checks if the tag has its own signature (`t.Signature != nil`). If so, it uses `ParseTagWithSignature` to verify the tag's signature and populates the `verification` field from the tag. Otherwise, it falls back to the commit signature (existing behavior for unsigned/lightweight tags).

Co-authored-by: steven.guiheux <steven.guiheux@ovhcloud.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12395
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
||
|---|---|---|
| action.go | ||
| activity.go | ||
| activitypub_person.go | ||
| activitypub_user_action.go | ||
| attachment.go | ||
| attachment_test.go | ||
| convert.go | ||
| convert_test.go | ||
| git_commit.go | ||
| git_commit_test.go | ||
| issue.go | ||
| issue_comment.go | ||
| issue_test.go | ||
| main_test.go | ||
| mirror.go | ||
| notification.go | ||
| package.go | ||
| pull.go | ||
| pull_review.go | ||
| pull_test.go | ||
| quota.go | ||
| release.go | ||
| release_test.go | ||
| repository.go | ||
| status.go | ||
| user.go | ||
| user_test.go | ||
| utils.go | ||
| utils_test.go | ||
| wiki.go | ||