Cannot verify GPG key signature generated from Windows

[jin-qin]

Description

[!IMPORTANT] When I used Git Bash to generate the GPG key, it worked.

To reproduce:

1. Using gpg (downloaded form https://gnupg.org/download/) on windows to generate ECC or RSA GPG key (run gpg --full-generate-key).
2. Export the generated GPG public key and add it into the self-host Gitea user account.
3. Then click Verify button, run echo "<token-generated-by-gitea>" | gpg -a --default-key <key-id> --detach-sig
4. Got an error said The provided GPG key, signature and token do not match or token is out-of-date.

GPG version

gpg (GnuPG) 2.4.4
libgcrypt 1.10.3
Copyright (C) 2024 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Gitea Version

1.22.1

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

2.25.1

Operating System

Ubuntu 20.04.3

How are you running Gitea?

Through Docker

Database

SQLite

[yp05327]

I tried this, and it worked. One thing is different. In step 3, it is a bash command, how did you execute it in Windows? I adjust it to:

./gpg.exe -a --default-key <key-id>--detach-sig <file-which-contains-token-generated-by-gitea>

Then it will generate a *.asc file in the same folder, then copy the content, and verify.

ps: once it failed, it seems that the token generated by gitea will be changed, you should update it. ps: I can only download 2.4.5 now, there should (maybe) have no big differences I think.

[GiteaBot]

We close issues that need feedback from the author if there were no new comments for a month. :tea: