argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

ComparisonError: Target revision in Git is not signed, but a signature is required #17748

Closed zadjadr closed 7 months ago

zadjadr commented 7 months ago

Describe the bug

I have a project that needs commits to be signed with my gpg key. The commits are signed and argocd recognizes them as signed correctly, but it will not sync, saying "ComparisonError: Target revision ABC123 in Git is not signed, but a signature is required".

To Reproduce

  1. Create a project setting spec.signatureKeys:
       signatureKeys:
         - keyID: 0F5C56E6213A7610
  2. Assign the project to any application
  3. Add the gpg public keys to argoCD

I use a gpg key with subkeys, but the master key is the one used to sign off commits:

sec>  ed25519/0x0F5C56E6213A7610 2023-09-27 [SC] [expires: 2027-09-26]
      Key fingerprint = ABCDEXAMPLE
      Card serial no. = [REDACTED]
uid                   [ultimate] Zadjad Rezai (Yubikey) <me@example.com>
ssb>  ed25519/0x2DF3F777263E3623 2023-09-27 [A] [expires: 2027-09-26]
ssb>  cv25519/0xB9AD23DA0FED45F0 2023-09-27 [E] [expires: 2027-09-26]

When checking the commit in the command line, I see it is signed off correctly:

❯ git verify-commit 1678c91ef521fae5e6d509e115852f42f50112db
gpg: Signature made Thu 04 Apr 2024 05:06:29 PM CEST
gpg:                using EDDSA key ABCDEXAMPLE
gpg: Good signature from "Zadjad Rezai (Yubikey) <me@example.com>" [ultimate]
Primary key fingerprint: ABCDEXAMPLE

Also checking the gpg keyring on the argocd-repo-server, I see that my public key is there:

argocd@argocd-repo-server-67c7cffcf8-tcpwg:~$ GNUPGHOME=/app/config/gpg/keys gpg --list-keys
/app/config/gpg/keys/pubring.kbx
--------------------------------

pub   ed25519 2023-09-27 [SC] [expires: 2027-09-26]
      ABCDEXAMPLE
uid           [ultimate] Zadjad Rezai (Yubikey) <me@example.com>
sub   ed25519 2023-09-27 [A] [expires: 2027-09-26]
sub   cv25519 2023-09-27 [E] [expires: 2027-09-26]

Expected behavior

ArgoCD should sync commits that are signed with the correct signatures.

Version

{
    "Version": "v2.10.3+0fd6344",
    "BuildDate": "2024-03-13T19:03:00Z",
    "GitCommit": "0fd6344537eb948cff602824a1d060421ceff40e",
    "GitTreeState": "clean",
    "GoVersion": "go1.21.3",
    "Compiler": "gc",
    "Platform": "linux/amd64",
    "KustomizeVersion": "v5.2.1 2023-10-19T20:13:51Z",
    "HelmVersion": "v3.14.2+gc309b6f",
    "KubectlVersion": "v0.26.11",
    "JsonnetVersion": "v0.20.0"
}

zadjadr commented 7 months ago

This was solved by restarting the argocd-repo-server and doing a hard refresh on the affected applications.
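
A diagnostic check for the mismatch reported in this thread, as an added example that is not Argo CD's code or the reporter's: it parses the GnuPG status lines that `git verify-commit --raw` prints and reports whether the signing key ID or the primary key ID appears among the project's `signatureKeys`. The status output, the padded fingerprints and the signing subkey are constructed for illustration, and the page does not say which of the two IDs Argo CD compares.

```python
# Added example: constructed inputs, not Argo CD code.
ALLOWED_KEY_IDS = ["0F5C56E6213A7610"]  # keyID from spec.signatureKeys above

# Constructed `git verify-commit --raw` status output. Fingerprints are padded
# placeholders; SUBKEY_FPR is a hypothetical signing subkey.
PRIMARY_FPR = "A" * 24 + "0F5C56E6213A7610"
SUBKEY_FPR = "B" * 24 + "1111111111111111"
UID = "Zadjad Rezai (Yubikey) <me@example.com>"
TAIL = "2024-04-04 1712243189 0 4 0 22 10 00"  # date, timestamps, algorithms

SIGNED_BY_PRIMARY = (
    f"[GNUPG:] GOODSIG {PRIMARY_FPR[-16:]} {UID}\n"
    f"[GNUPG:] VALIDSIG {PRIMARY_FPR} {TAIL} {PRIMARY_FPR}\n"
)
SIGNED_BY_SUBKEY = (
    f"[GNUPG:] GOODSIG {SUBKEY_FPR[-16:]} {UID}\n"
    f"[GNUPG:] VALIDSIG {SUBKEY_FPR} {TAIL} {PRIMARY_FPR}\n"
)


def normalize(key_id):
    """Upper-case a key ID and drop the 0x prefix gpg prints in 0xlong format."""
    key_id = key_id.strip().upper()
    return key_id[2:] if key_id.startswith("0X") else key_id


def parse_status(raw):
    """Return (verdict, signing key ID, primary key ID) from GnuPG status lines."""
    verdict, signer, primary = "NOSIG", None, None
    for line in raw.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in ("GOODSIG", "BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            verdict = fields[1]
        elif fields[1] == "VALIDSIG" and len(fields) >= 3:
            signer = fields[2][-16:]
            # The optional last field is the primary key fingerprint.
            primary = fields[-1][-16:] if len(fields) >= 12 else signer
    return verdict, signer, primary


def check_commit(raw, allowed=ALLOWED_KEY_IDS):
    """Report which key IDs of a good signature appear in the allowed list."""
    verdict, signer, primary = parse_status(raw)
    allowed_ids = {normalize(k) for k in allowed}
    good = verdict == "GOODSIG" and signer is not None
    return {"good": good, "signer": signer, "primary": primary,
            "signer_allowed": good and signer in allowed_ids,
            "primary_allowed": good and primary in allowed_ids}
```

To check a real commit, pass in the stderr of `git verify-commit --raw <rev>` run with `GNUPGHOME=/app/config/gpg/keys` on the repo-server.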