Skip to content

feat: smime signed notification emails

Diego Louzán requested to merge siemens/gitlab-ce:feat/smime-signed-notification-emails into master

What does this MR do?

Add a new optional ActionMailer interceptor that signs all outgoing emails with SMIME

  • I checked this configuration working against a dummy gmail account with actual SMTP delivery in gdk; Gmail web and native Outlook on macOS were ok with the SMIME signing.
  • We have identified that letter_opener_web does not play nice with the signed emails, so they cannot currently be checked in development. Opened https://github.com/fgrehm/letter_opener_web/issues/96 to track this (check the attached screenshots in there).
  • Per guidelines, this MR will require another Omnibus MR to add the new configuration options (I'd also say they need to be added to gdk? though this is not documented in https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/settings/gitlab.yml.md)

Corresponding MR on omnibus for the new smime configuration params: omnibus-gitlab!3514 (merged)

Issue for adding new config parameters to k8s chart: https://gitlab.com/charts/gitlab/issues/1533

Issue for supporting eliptic curve keys: https://gitlab.com/gitlab-org/gitlab-ce/issues/66439

The development of this MR is sponsored by siemens (/cc @bufferoverflow).

Does this MR meet the acceptance criteria?

Conformity

Performance and testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Diego Louzán

Merge request reports