I believe it is due to the “trust model” of that specific repo (as you are not a member of the org, it may see your signature as suspicious). If you look at that same commit, but under your fork, it should verify as valid.
Yeah, we can’t safely verify a commit against an unvalidated/unactivated email address - otherwise someone could easily spoof identities. We need to confirm that you have the email address you’re purporting to sign for.
The slight gotcha here is that instead of storing all of the addresses that a key has, we only store the ones that are activated at the time of addition, meaning that if you add a key and then later activate an address, you have to re-add the key or sign a token with the key (thus confirming you have the key), allowing it to match any of the activated addresses we have for you. (Likely we should just store all of the keys and match activated ones at the time of verification, but I’ve not had the chance to do that.)
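An added example, not Gitea's code and not part of the posts here: a simplified Python model of the behaviour the reply above describes, where a key only matches the addresses that were activated when it was added. All class, method and key names are hypothetical, the addresses are constructed, and the model assumes the signature itself is already cryptographically good.

```python
from dataclasses import dataclass, field

@dataclass
class Key:
    uid_emails: frozenset       # every address in the key's UIDs
    snapshot: frozenset         # UIDs that were activated when the key was added
    token_signed: bool = False  # owner later proved possession by signing a token

@dataclass
class Account:
    activated: set = field(default_factory=set)
    keys: dict = field(default_factory=dict)

    def activate(self, email):
        self.activated.add(email.lower())

    def add_key(self, key_id, uid_emails):
        uids = frozenset(e.lower() for e in uid_emails)
        self.keys[key_id] = Key(uids, uids & frozenset(self.activated))

    def sign_token(self, key_id):
        self.keys[key_id].token_signed = True

    def verify(self, key_id, committer_email):
        """Behaviour as described: match the snapshot unless a token was signed."""
        key, email = self.keys.get(key_id), committer_email.lower()
        if key is None:
            return False
        return email in (self.activated if key.token_signed else key.snapshot)

    def verify_late(self, key_id, committer_email):
        """Suggested alternative: keep all UIDs, check activation when verifying."""
        key, email = self.keys.get(key_id), committer_email.lower()
        return key is not None and email in key.uid_emails and email in self.activated

def demo():
    # Constructed sample data; key id and addresses are placeholders.
    uids = ["dev@example.com", "work@example.com"]
    acct = Account()
    acct.activate("dev@example.com")
    acct.add_key("KEY1", uids)                      # work@ not activated yet
    acct.activate("work@example.com")               # activated after the key was added
    stale = acct.verify("KEY1", "work@example.com")       # False: snapshot is stale
    late = acct.verify_late("KEY1", "work@example.com")   # True
    acct.add_key("KEY1", uids)                      # re-adding refreshes the snapshot
    fixed = acct.verify("KEY1", "work@example.com")       # True
    return stale, late, fixed
```

In either variant, an address that was never activated does not verify, which is the spoofing protection the reply refers to.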
So, funny enough, my problem is similar.
I also cannot verify the signature of a commit, but only occasionally.
Here is a photo that demonstrates the problem:
All the commits under git show a good signature: (I can’t upload more than one pic because I’m a new user)
So, I’m confused…
Gitea: 1.23.7
Git client: Gitbutler
I’ve added my gpg keys (and verified them) and verified my email: (I can’t upload more than one pic because I’m a new user)
I’ve tried all the trust models, nothing works…