GPG-signed commit appears as "Unverified", but commits signed by the same key have always been "Verified"
Summary
GPG-signed commits using a verified key appear as "Unverified", but previously they correctly appeared as "Verified".
Steps to reproduce
This is only how I produced the problem. I've no idea whether this is reproducible.
- Upload valid GPG key to Profile -> Settings; make sure the commit e-mails are verified by GitLab.com
- Sign some commits using it; push to GitLab.com
- It used to be that the commits would be correctly shown as "Verified", but after pushing to one of my repos hosted here I found the head commit "Unverified", even though it was signed using exactly the same key!
Example Project
I tried (congma/test-gitlab.com-verified-commits) but wasn't able to reproduce this.
What is the current bug behavior?
The current buggy behaviour can be observed here, in this commit: congma/libsncompress@231ec80f
What is the expected correct behavior?
It should appear as "Verified", as it is here, in a parent commit signed with the same key: congma/libsncompress@ef33bfb2
Relevant logs and/or screenshots
In the following output the actual e-mails are censored. These are e-mails added to and verified by GitLab.com.
The relevant key in question (the signing subkey is the one used here, an EDDSA key):
$ gpg --list-key 0x9D45A4C572263E66
pub ed25519/0x9D45A4C572263E66 2017-04-13 [C] [expires: 2022-04-12]
Key fingerprint = 0620 5656 EF5C 93C7 D277 C7F1 9D45 A4C5 7226 3E66
uid [ultimate] Cong Ma <xxxx>
uid [ultimate] Cong Ma (don't send emails) <xxxx>
uid [ultimate] Cong Ma <xxxx>
uid [ultimate] Cong Ma <xxxx>
sub ed25519/0xE977A6E990102402 2017-04-13 [S] [expires: 2019-04-13]
sub rsa4096/0xBC6299884E2EDD7E 2017-04-13 [E] [expires: 2019-04-13]
sub ed25519/0x4FD635F3691D0A23 2017-04-13 [A] [expires: 2019-04-13]
The "unverified" commit, which should have been verified, as it appears locally:
$ git log --show-signature
commit 231ec80f39507986100bf83ac0639016bfc814ee (HEAD -> master, origin/master, origin/HEAD)
gpg: Signature made Sun Mar 11 17:19:05 2018 GMT
gpg: using EDDSA key 41BA4780B00B3C469A278DDEE977A6E990102402
gpg: Good signature from "Cong Ma <xxxx>" [ultimate]
gpg: aka "Cong Ma (don't send emails) <xxxx>" [ultimate]
gpg: aka "Cong Ma <xxxx>" [ultimate]
gpg: aka "Cong Ma <xxxx>" [ultimate]
Primary key fingerprint: 0620 5656 EF5C 93C7 D277 C7F1 9D45 A4C5 7226 3E66
Subkey fingerprint: 41BA 4780 B00B 3C46 9A27 8DDE E977 A6E9 9010 2402
Merge: 2c51743 ef33bfb
Author: Cong Ma <xxxx>
Date: Sun Mar 11 17:19:03 2018 +0000
Merge branch 'more-tests'
Screenshot of how the "Commits" page appears as a result of this problem:
Output of checks
This bug happens on GitLab.com
Additional information
The key in question, 0xE977A6E990102402 (signing subkey) / 0x9D45A4C572263E66 (main key), used to have a user (e-mail) associated with it that was not a verified e-mail of my profile on GitLab.com. The actual commit e-mail (also an uid associated with the key) has however been a verified e-mail of my profile. Such settings never caused any GPG-verification problem before.
After seeing this problem I verified the remaining e-mail (i.e. added it to GitLab.com profile settings and visited the verification URL received from it). I've no idea if this has any side-effects.
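To make the mapping in this report concrete (which subkey signed, which primary key owns it, and whether the author address is a UID on that key and a verified profile address), here is an added Python example; it is not GitLab's code. It parses the `git log --show-signature` output above, with the censored addresses replaced by constructed placeholders and one extra made-up commit appended, and then applies the commonly documented hosted-verification rule (key registered on the profile, commit address verified on the profile, address present as a UID on the key) as an assumption about how the check works. Local `gpg` only reports that the signature is cryptographically good against a key in the local keyring; the hosted "Verified" badge additionally needs the key-to-account and e-mail mapping, which is where the two can disagree.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample: the issue's `git log --show-signature` output with the
# censored addresses replaced by placeholder e-mails, plus a second, made-up
# commit (sha of all "a") whose author e-mail is not a UID on the key.
SAMPLE_LOG = """\
commit 231ec80f39507986100bf83ac0639016bfc814ee (HEAD -> master, origin/master, origin/HEAD)
gpg: Signature made Sun Mar 11 17:19:05 2018 GMT
gpg:                using EDDSA key 41BA4780B00B3C469A278DDEE977A6E990102402
gpg: Good signature from "Cong Ma <author@example.com>" [ultimate]
gpg:                 aka "Cong Ma (don't send emails) <noreply@example.com>" [ultimate]
Primary key fingerprint: 0620 5656 EF5C 93C7 D277 C7F1 9D45 A4C5 7226 3E66
     Subkey fingerprint: 41BA 4780 B00B 3C46 9A27 8DDE E977 A6E9 9010 2402
Merge: 2c51743 ef33bfb
Author: Cong Ma <author@example.com>
Date:   Sun Mar 11 17:19:03 2018 +0000

    Merge branch 'more-tests'

commit aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
gpg: Signature made Sun Mar 11 16:00:00 2018 GMT
gpg:                using EDDSA key 41BA4780B00B3C469A278DDEE977A6E990102402
gpg: Good signature from "Cong Ma <author@example.com>" [ultimate]
gpg:                 aka "Cong Ma (don't send emails) <noreply@example.com>" [ultimate]
Primary key fingerprint: 0620 5656 EF5C 93C7 D277 C7F1 9D45 A4C5 7226 3E66
     Subkey fingerprint: 41BA 4780 B00B 3C46 9A27 8DDE E977 A6E9 9010 2402
Author: Cong Ma <other@example.com>
Date:   Sun Mar 11 16:00:00 2018 +0000

    Constructed commit: author e-mail is not a UID on the signing key
"""

# Assumed profile state (constructed): the primary key from the issue is
# registered, and only author@example.com is a verified profile e-mail.
REGISTERED_PRIMARY_FPRS = {"06205656EF5C93C7D277C7F19D45A4C572263E66"}
VERIFIED_EMAILS = {"author@example.com"}

EMAIL_RE = re.compile(r"<([^>]+)>")


@dataclass
class SignedCommit:
    sha: str
    good_signature: bool = False
    signing_key_fpr: Optional[str] = None   # fingerprint of the (sub)key that signed
    primary_fpr: Optional[str] = None       # fingerprint of the owning primary key
    uid_emails: Set[str] = field(default_factory=set)
    author_email: Optional[str] = None


def key_id(fpr: str) -> str:
    """The long key ID is the low 64 bits (last 16 hex digits) of a v4 fingerprint."""
    return fpr[-16:]


def parse_show_signature(text: str) -> List[SignedCommit]:
    """Parse `git log --show-signature` output into one record per commit."""
    commits: List[SignedCommit] = []
    cur: Optional[SignedCommit] = None
    for raw in text.splitlines():
        if raw.startswith("commit "):  # unindented: a header, not an indented message line
            cur = SignedCommit(sha=raw.split()[1])
            commits.append(cur)
            continue
        if cur is None:
            continue
        line = raw.strip()
        email = EMAIL_RE.search(line)
        if line.startswith("gpg: Good signature from"):
            cur.good_signature = True
            if email:
                cur.uid_emails.add(email.group(1).lower())
        elif line.startswith("gpg: BAD signature"):
            cur.good_signature = False
        elif line.startswith("gpg:") and " aka " in line and email:
            cur.uid_emails.add(email.group(1).lower())   # further UIDs on the same key
        elif line.startswith("gpg:") and " using " in line and " key " in line:
            cur.signing_key_fpr = line.split()[-1].upper()  # the subkey that actually signed
        elif line.startswith("Primary key fingerprint:"):
            cur.primary_fpr = line.split(":", 1)[1].replace(" ", "").upper()
        elif line.startswith("Author:") and email:
            cur.author_email = email.group(1).lower()
    return commits


def verification_status(c: SignedCommit, registered_primary_fprs: Set[str],
                        verified_emails: Set[str]) -> Tuple[str, str]:
    """Apply the assumed hosted rule; returns (status, reason) for display."""
    if not c.good_signature:
        return ("unverified", "no good signature from a known key")
    if c.primary_fpr not in registered_primary_fprs:
        return ("unverified", "primary key not registered on the profile")
    if c.author_email not in verified_emails:
        return ("unverified", f"{c.author_email} is not a verified profile e-mail")
    if c.author_email not in c.uid_emails:
        return ("unverified", f"{c.author_email} is not a UID on key {key_id(c.primary_fpr)}")
    return ("verified", f"signed by subkey {key_id(c.signing_key_fpr)} of {key_id(c.primary_fpr)}")


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Audit every commit in the log text: (short sha, status, reason)."""
    return [(c.sha[:8],) + verification_status(c, REGISTERED_PRIMARY_FPRS, VERIFIED_EMAILS)
            for c in parse_show_signature(text)]


if __name__ == "__main__":
    for sha, status, reason in audit(SAMPLE_LOG):
        print(f"{sha}  {status:10s}  {reason}")
```

The block reads the `Author:` line because that is what `--show-signature` prints by default; a hosted check keys on the committer address, so an audit of real history should also look at the committer field (`%ce` in a custom `git log` format) where author and committer differ, as they can for merges and rebases.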
Perhaps related:
- #36829 (closed) GPG commit not verified if signed with a subkey
- #36941 (moved) GPG signature verification fails or only partly verifies (first few commits)
- #37966 (moved) GPG-signed commits were verified, now they appear as unverified
