WARNING! Although there is a key with this ID in the database it does not verify this commit! This commit is SUSPICIOUS.

[prologic]

Hi 👋

Wondering if we can revisit a problem I've run into, which I'm quite sure is something I'm doing wrong!

Previous issues that are similar (but different): #2401 and #10420

In my case $ git log -v -p --show-signature shows a correct signature:

$ git log -v -p --show-signature
commit 02e2aebc49d793fa2100a3504cf8b991d4e384ac (HEAD -> master, origin/master)
gpg: Signature made Tue Jul 13 08:34:57 2021 AEST
gpg:                using RSA key C1F16643ADFF61B4A39EA3FEAC4C014F1440EBD6
gpg: Good signature from "James Mills (Public) <prologic@shortcircuit.net.au>" [ultimate]
Author: James Mills <prologic@shortcircuit.net.au>
Date:   Tue Jul 13 08:34:56 2021 +1000

    Remove Github workflows

And my Gitea server instance is running in UTC:

$ docker ps | grep gitea
f498ca1c4cc9   gitea/gitea:1.14.4                           "/usr/bin/entrypoint…"   2 days ago     Up 2 days     22/tcp, 3000/tcp         gitea_server.1.8ltljg9k4ah4phybh7qg7sbe5
$ docker exec -i -t f498ca1c4cc9 date
Tue Jul 13 00:27:38 UTC 2021

I'm running Gita 1.14.4 with a SQLite database (although that probably means nothing here).

I can see that basically we're falling thorugh this section of code:

gitea/models/gpg_key.go

Lines 609 to 615 in e0296b6

	// This is a bad situation ... We have a key id that is in our database but the signature doesn't match.
	return &CommitVerification{
	CommittingUser: committer,
	Verified: false,
	Warning: true,
	Reason: BadSignature,
	}

Though I don't yet fully understand what we're doing here (yet), been a while since I've worked with GPG using Go.

Any hints would be appreicated!

See: https://git.mills.io/prologic/tube/commit/02e2aebc49d793fa2100a3504cf8b991d4e384ac

[techknowlogick]

closing as dupe of #16344