Signed git tags have label 'Unverified' despite key being correct and known by GitLab
GitLab currently detects git tags that have a signature, but always labels them as Unverified. Example from https://gitlab.com/ottok/debcraft/-/tags
The GitLab data model is aware of user OpenPGP and SSH keys, and when commits are correctly signed, a label will appear that shows Verified when everything is correct. Example from https://gitlab.com/ottok/debcraft/-/commits/main below
If commits are not correctly signed, the label Unverified is shown along with additional details in a pop-over.
Currently for git tags, the label always shows Unverified, which is incorrect.
There are multiple discussions online about this bug, e.g. in https://forum.gitlab.com/t/gpg-signed-tags-are-marked-as-unverified-commits-are-fine/130158.
Related issues and commits
The data model for OpenPGP tag signatures was added in #570530 (closed). Another issue about SSH-signed git tags showing Unverified was filed in #555436 (closed) and supposedly fixed via !201444 (merged), but I am not sure if it has been verified, as the test cases referred to in #384473 (closed) still show Unverified, so it might be that this bug applies to all signed git tags regardless of key type.

