Unable to add GPG key with extra emails

[samuelallan72]

• Gitea version (or commit ref): dde0052 (via docker image)
• Git version: 2.13.3
• Operating system: Archlinux
• Database (use [x]):
  • PostgreSQL
  • MySQL (mariadb)
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant
• Log gist: (couldn't see anything interesting in the log)

Description

I have a self hosted copy of gitea running, and can't add my gpg key to it - I get the following error (emails redacted):

The email attached to the GPG key couldn't be found or is not confirmed yet: email2@example.com

My gpg key lists multiple email addresses (eg. email1@example.com and email2@example.com), and only my primary email address is registered with my gitea account (email1@example.com).

I would expect the behaviour should be that it can add the key no worries, since the primary email address in my account is included in that gpg key.

[lunny]

Add your other email addresses on profile settings?

[samuelallan72]

@lunny I guess, but I was hoping I wouldn't have to do that... :\

[lafriks]

From security point of view all email addresses need to be verified to be able to add GPG key with multiple email addresses as otherwise one could create GPG with his own and other users email address and sign commits in his name and they will be shown as verified.

[samuelallan72]

@lafriks why does Github allow that though? Maybe Gitea should at least allow adding the GPG key, but only display verified if the commit email address is both on the key and verified with your gitea account?

[sapk]

I will have a look at it and do improvement on GPG part this week-end.

[lunny]

fixed by #2266