fix(actions): make artifact signature payloads unambiguous #146
Closed
opened 2026-05-24 08:22:03 +00:00 by jmiller
·
0 comments
No Branch/Tag Specified
main
fix/220-actions-deadlock-retry
dev
rc/05.05.00
fix/wiki-slug-polish
fix/require2fa-import
fix/wiki-smart-filenames
feat/208-org-2fa-requirement
fix/207-http-content-render
rc/05.04.00
feat/login-notifications
rc/05.03.08
fix/help-footer-login-logo
fix/help-link-always-visible
rc/05.03.06
fix/missing-dashboard-icon
rc/05.03.05
fix/admin-nav-css
rc/05.03.04
fix/admin-nav-left-align
rc/05.03.03
fix/admin-nav-alignment
rc/05.03.02
fix/checksum-per-file
rc/05.03.01
rc/05.03.00
feat/rebrand-locale-mokogitea
rc/05.02.02
rc/05.02.01
rc/05.02.00
fix/183-org-sidebar
feat/181-admin-branding
rc/05.01.02
feat/auto-update-xml
rc/05.01.01
feat/deploy-maintenance-mode
rc/05.01.00
feat/release-sha-checksums
feat/update-checker-channels
feat/132-namespace-separation
feat/test-rc-workflow
rc/04.01.00
fix/security-backports
feat/upstream-bug-sync
fix/upstream-v1.26.2-backports
fix/136-actions-concurrency-nil-panic
feat/ntfy-integration
feat/badge-engine
feat/prometheus-metrics
feat/update-checker
alpha
beta
feature
version
feat/custom-logo
v1.26.1-moko.05.05.00
v1.26.1-moko.05.01.02-rc.219
v1.26.1-moko.05.04.00
v1.26.1-moko.05.01.02-rc.210
v1.26.1-moko.05.01.02-rc.206
v1.26.1-moko.05.01.02-rc.203
v1.26.1-moko.05.00.00-rc.201
v1.26.1-moko.05.00.00-rc.199
v1.26.1-moko.05.00.00-rc.197
v1.26.1-moko.05.00.00-rc.195
v1.26.1-moko.05.01.02-rc.193
v1.26.1-moko.05.00.00-rc.193
v1.26.1-moko.05.00.00-rc.192
v1.26.1-moko.05.00.00-rc.191
v1.26.1-moko.05.00.00-rc.190
v1.26.1-moko.05.00.00-rc.189
v1.26.1-moko.05.00.00-rc.187
v1.26.1-moko.05.00.00-rc.186
v1.26.1-moko.05.02.00
v1.26.1-moko.05.00.00-rc.185
v1.26.1-moko.05.01.02
v1.26.1-moko.05.00.00-rc.180
v1.26.1-moko.05.01.01
v1.26.1-moko.05.00.00-rc.178
v1.26.1-moko.05.01.00
v1.26.1-moko.05.00.00-rc.176
v1.26.1-moko.05.00.00
v1.26.1-moko.04.01.00-rc.170
v1.26.1-moko.04.01.00
v1.26.1-moko.04.00.00
v1.25.5-moko.1
v1.26.1
v1.26.0
v1.26.0-rc0
v1.27.0-dev
v1.25.5
v1.25.4
v1.25.3
v1.25.2
v1.25.1
v1.25.0
v1.24.7
v1.25.0-rc0
v1.26.0-dev
v1.24.6
v1.24.5
v1.24.4
v1.24.3
v1.24.2
v1.24.1
v1.24.0
v1.23.8
v1.24.0-rc0
v1.25.0-dev
v1.23.7
v1.23.6
v1.23.5
v1.23.4
v1.23.3
v1.23.2
v1.23.1
v1.23.0
v1.23.0-rc0
v1.24.0-dev
v1.22.6
v1.22.5
v1.22.4
v1.22.3
v1.22.2
v1.22.1
v1.22.0
v1.23.0-dev
v1.22.0-rc1
v1.21.11
v1.22.0-rc0
v1.21.10
v1.21.9
v1.21.8
v1.21.7
v1.21.6
v1.21.5
v1.21.4
v1.21.3
v1.21.2
v1.20.6
v1.21.1
v1.21.0
v1.21.0-rc2
v1.21.0-rc1
v1.20.5
v1.22.0-dev
v1.21.0-rc0
v1.20.4
v1.20.3
v1.20.2
v1.20.1
v1.20.0
v1.19.4
v1.21.0-dev
v1.20.0-rc2
v1.20.0-rc1
v1.20.0-rc0
v1.19.3
v1.19.2
v1.19.1
v1.19.0
v1.19.0-rc1
v1.20.0-dev
v1.19.0-rc0
v1.18.5
v1.18.4
v1.18.3
v1.18.2
v1.18.1
v1.18.0
v1.17.4
v1.18.0-rc1
v1.19.0-dev
v1.18.0-rc0
v1.17.3
v1.17.2
v1.17.1
v1.17.0
v1.17.0-rc2
v1.16.9
v1.17.0-rc1
v1.18.0-dev
v1.16.8
v1.16.7
v1.16.6
v1.16.5
v1.16.4
v1.16.3
v1.16.2
v1.16.1
v1.16.0
v1.15.11
v1.17.0-dev
v1.16.0-rc1
v1.15.10
v1.15.9
v1.15.8
v1.15.7
v1.15.6
v1.15.5
v1.15.4
v1.15.3
v1.15.2
v1.15.1
v1.14.7
v1.15.0
v1.15.0-rc3
v1.14.6
v1.15.0-rc2
v1.14.5
v1.16.0-dev
v1.15.0-rc1
v1.14.4
v1.14.3
v1.14.2
v1.14.1
v1.14.0
v1.13.7
v1.14.0-rc2
v1.13.6
v1.13.5
v1.14.0-rc1
v1.15.0-dev
v1.13.4
v1.13.3
v1.13.2
v1.13.1
v1.13.0
v1.12.6
v1.13.0-rc2
v1.14.0-dev
v1.13.0-rc1
v1.12.5
v1.12.4
v1.12.3
v1.12.2
v1.12.1
v1.11.8
v1.12.0
v1.11.7
v1.12.0-rc2
v1.11.6
v1.12.0-rc1
v1.13.0-dev
v1.11.5
v1.11.4
v1.11.3
v1.10.6
v1.12.0-dev
v1.11.2
v1.10.5
v1.11.1
v1.10.4
v1.11.0
v1.11.0-rc2
v1.10.3
v1.11.0-rc1
v1.10.2
v1.10.1
v1.10.0
v1.9.6
v1.9.5
v1.10.0-rc2
v1.11.0-dev
v1.10.0-rc1
v1.9.4
v1.9.3
v1.9.2
v1.9.1
v1.9.0
v1.9.0-rc2
v1.10.0-dev
v1.9.0-rc1
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.8.0-rc3
v1.7.6
v1.8.0-rc2
v1.7.5
v1.8.0-rc1
v1.9.0-dev
v1.7.4
v1.7.3
v1.7.2
v1.7.1
v1.7.0
v1.7.0-rc3
v1.6.4
v1.7.0-rc2
v1.6.3
v1.7.0-rc1
v1.7.0-dev
v1.6.2
v1.6.1
v1.6.0
v1.6.0-rc2
v1.5.3
v1.6.0-rc1
v1.6.0-dev
v1.5.2
v1.5.1
v1.5.0
v1.5.0-rc2
v1.5.0-rc1
v1.5.0-dev
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.4.0-rc3
v1.4.0-rc2
v1.3.3
v1.4.0-rc1
v1.3.2
v1.3.1
v1.3.0
v1.3.0-rc2
v1.3.0-rc1
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.2.0-rc3
v1.2.0-rc2
v1.1.4
v1.2.0-rc1
v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.2
v1.0.1
v1.0.0
v0.9.99
Labels
Clear labels
breaking-change
ci-cd
config
dependencies
deploy-failure
docker
documentation
good first issue
health-check
help wanted
mokostandards
pending: testing
priority: critical
priority: high
priority: low
priority: medium
push-failure
security
size/l
size/m
size/s
size/xl
size/xs
standards-drift
standards-update
status: blocked
status: in-progress
status: needs-review
status: on-hold
status: wontfix
sync-failure
type: bug
type: bug
type: chore
type: enhancement
type: feature
type: refactor
type: version
upstream
work-in-progress
bug
chore
documentation
enhancement
feature
pending: dependency
pending: deployment
pending: design
pending: documentation
pending: feedback
pending: review
pending: testing
priority: critical
priority: high
priority: low
priority: medium
refactor
roadmap
scope: client
scope: dolibarr
scope: infrastructure
scope: joomla
scope: waas
security
status: blocked
status: duplicate
status: in-progress
status: needs-review
status: wontfix
Breaking API or behavior change
CI/CD pipeline changes
Configuration changes
Dependency updates
Deployment failed
Docker/container changes
Documentation changes
Good for newcomers
Repo health check result
Extra attention needed
Related to MokoStandards framework
Feature implemented but not yet tested with documented proof
Must fix immediately
Important, fix soon
Nice to have
Normal priority
Git push operation failed
Security vulnerability or hardening
200-500 lines changed
50-200 lines changed
10-50 lines changed
500+ lines changed
< 10 lines changed
Deviates from MokoStandards
MokoStandards compliance update
Blocked by dependency or decision
Actively being worked on
Awaiting code review
Paused intentionally
Will not be addressed
Sync or mirror failed
Something isn't working
Maintenance, dependencies, cleanup
Improvement to existing feature
New functionality
Code restructuring without behavior change
Version bump or release
Draft or incomplete work
Something is not working
Maintenance and housekeeping
Documentation improvements
Improvement to existing functionality
New feature or request
Blocked by another issue or external dependency
Tested and approved, awaiting deployment to production
Needs UI/UX or architecture design before implementation
Feature works, needs documentation/wiki update
Awaiting feedback or decision from stakeholder
Implementation complete, awaiting code review
Feature implemented but not yet tested
Must fix immediately
Should fix soon
Nice to have
Fix when convenient
Code restructuring without behavior change
Planned feature or enhancement tracked on the roadmap
Client-specific work
Dolibarr modules and customizations
Server, CI, backups, monitoring
Joomla templates and extensions
MokoWaaS platform
Security vulnerability or hardening
Waiting on external dependency
Duplicate of another issue
Being worked on
Ready for review
Will not be addressed
Milestone
No items
No Milestone
Projects
Clear projects
No projects
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: MokoConsulting/MokoGitea#146
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
Replaces concatenation-style HMAC signing with unambiguous binary payload for artifact URLs. Prevents potential signature confusion attacks.
Upstream Reference
Severity: Medium
Security hardening for artifact URL signing.
Action
Cherry-pick from upstream
release/v1.26.Authored-by: Claude Opus 4.6 (1M context) noreply@anthropic.com