| # | git user.name | git user.email | signed by (key owner) | badge colour shown by codeberg | expected badge colour |
| --- | -------- | ------------------------------ | --------- | --------------- | --------------- |
| [1](https://codeberg.org/nkr/test/commit/095ba8f589785dcc2526bac41f54e22f5229945e) | nkr | nkr@noreply.codeberg.page | nkr | Green | Green |
| [2](https://codeberg.org/nkr/test/commit/c2df3ca5934afe3727f9d80fa4f5c90eb9c43b24) | nkr | nkr@noreply.codeberg.page | gayathri | Orange | Orange |
| [3](https://codeberg.org/nkr/test/commit/99c8384b7835be882198205563a3a45baabac5d9) | nkr | gayathri@noreply.codeberg.page | gayathri | Green | Orange |
| [4](https://codeberg.org/nkr/test/commit/9a5290607511927ad92edbcb9125c26855e38fcd) | gayathri | gayathri@noreply.codeberg.page | nkr | Orange | Orange |
| [5](https://codeberg.org/nkr/test/commit/ee258d3ee9f997019d48441bd0f108d56c5a3cba) | gayathri | nkr@noreply.codeberg.page | nkr | Green | Orange |
The commits in the table above are from [this repo](https://codeberg.org/nkr/test/commits/branch/main). The issue is that commits 3 and 5 appear in the list as made by `nkr` and `gayathri` with verified signatures, but they are not signed by those users. 3 is signed by `gayathri` and 5 by `nkr`.
Essentially, user B can set their codeberg picture to A's picture and git user.name to A's name, but keep user.email as B's and sign with B's keys, to get a commit that looks like it is from A with verified status. You have to actively click either the committer name (which will take you to B's profile) or open the commit to see that the committer is not who they pretend to be.
IMO the issue is not with the verified status. After all, the commit signature and user.email match. The issue is that codeberg (or gitea) shows user.name from git in the commits page instead of the registered codeberg username that matches user.email and the signature.
git's user.name should be used only if a registered user cannot be found with user.email.
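The display rule proposed in this report, written out as a small Go example (added here; not Gitea's or Codeberg's own code). It models the three fields from the table, resolves the name to display from the registered owner of `user.email` and falls back to the raw git `user.name` only when no account owns that address. The `registry` map, the `Commit` type and the `NameMismatch` check (which flags rows 3 and 5, where the git name does not match the account that owns the e-mail) are assumptions made for this example; the badge colour follows the reporter's reasoning that a signature is verified when the signing key belongs to the account that owns `user.email`.

```go
package main

import "fmt"

// Commit holds the fields from the report's table: the git author name and
// e-mail recorded in the commit, and the registered account whose key produced
// a good signature ("" when the commit is unsigned).
type Commit struct {
	GitName  string
	GitEmail string
	SignedBy string
}

// registry maps a verified e-mail address to the registered username that
// owns it. Constructed for this example; mirrors the two accounts in the table.
var registry = map[string]string{
	"nkr@noreply.codeberg.page":      "nkr",
	"gayathri@noreply.codeberg.page": "gayathri",
}

// DisplayName implements the rule from the report: show the registered
// username that owns the commit's e-mail, and use git's user.name only when
// the e-mail belongs to no registered account.
func DisplayName(c Commit, reg map[string]string) string {
	if owner, ok := reg[c.GitEmail]; ok {
		return owner
	}
	return c.GitName
}

// NameMismatch reports whether the commit carries a git user.name that differs
// from the registered owner of user.email. Rows 3 and 5 of the table trip this
// check; it is the condition a listing should surface instead of hiding.
func NameMismatch(c Commit, reg map[string]string) bool {
	owner, ok := reg[c.GitEmail]
	return ok && owner != c.GitName
}

// BadgeColour returns "Green" when the signing key belongs to the account that
// owns user.email, "Orange" when it is signed by someone else, and "None" for
// an unsigned commit.
func BadgeColour(c Commit, reg map[string]string) string {
	if c.SignedBy == "" {
		return "None"
	}
	if owner, ok := reg[c.GitEmail]; ok && owner == c.SignedBy {
		return "Green"
	}
	return "Orange"
}

func main() {
	// The five rows of the report's table, in order.
	rows := []Commit{
		{"nkr", "nkr@noreply.codeberg.page", "nkr"},
		{"nkr", "nkr@noreply.codeberg.page", "gayathri"},
		{"nkr", "gayathri@noreply.codeberg.page", "gayathri"},
		{"gayathri", "gayathri@noreply.codeberg.page", "nkr"},
		{"gayathri", "nkr@noreply.codeberg.page", "nkr"},
	}
	for i, c := range rows {
		fmt.Printf("%d: show=%-8s badge=%-6s name-mismatch=%v\n",
			i+1, DisplayName(c, registry), BadgeColour(c, registry), NameMismatch(c, registry))
	}
}
```

With this rule rows 3 and 5 are listed under the account that actually owns the e-mail and signing key (`gayathri` and `nkr`), so the spoofed `user.name` never reaches the commits page; `NameMismatch` additionally lets a listing mark such commits for review.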