**Backport:** https://codeberg.org/forgejo/forgejo/pulls/9075
Only validated emails can be used to:
- assert if a signature can be trusted or,
- to assign comments, issues to an existing user during a migration
The emails that were not yet validated could previously used as if they were validated, incorrectly showing commits as trusted or assigning comments, issues to the user associated with this email during migrations.
Existing migrations are not modified when they were incorrectly assigned to an email that is not validated. The trust status of all commit signatures will now show differently depending on the validation status of an email.
<!--start release-notes-assistant-->
## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Security bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/9075): <!--number 9075 --><!--line 0 --><!--description ZW5zdXJlIEdldFVzZXJCeUVtYWlsIG9ubHkgY29uc2lkZXJzIHZhbGlkYXRlZCBlbWFpbHM=-->ensure GetUserByEmail only considers validated emails<!--description-->
<!--end release-notes-assistant-->
Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9084
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
e777854be0