
Spoofing commit author for signed commits

HackerOne report #1077019 by subbotin on 2021-01-12, assigned to @rchan-gitlab:


Report

Summary

The "Verified" label for signed commits does not check the email for x509 signatures.

Steps to reproduce

Instructions are for Linux, but they can be useful for reproducing on other OSes.

  1. Create a valid x509 certificate for some email (I use https://www.actalis.it/en/certificates-for-secure-electronic-mail.aspx because it's the only service that makes free MIME certs).
  2. Import the cert to the store: `gpgsm --import PKCS12_Credential_new@fake.email.pfx`
  3. Create a `.gitconfig` like:

```ini
[user]
	email = new@fake.email
	name = target_account_on_gitlab_name
	signingkey = 0xBFD04A72 # (your key id from the previous step; can be found with `gpgsm -k`)
[commit]
	gpgsign = true
[gpg]
	program = gpgsm
```

  4. Make a new commit and push it to GitLab.
  5. Go to the page https://gitlab.com/group_name/project_name/-/commits/master and look at the badges.
  6. For a better picture you can change the avatar via gravatar.com.

Impact

Someone with a compromised SSH key but not a compromised GPG key or x509 cert.

Examples

https://gitlab.com/mr_tron/test/-/commits/master
You can see two commits on this page:
Both were made by me, and both have the label "Verified". They look identical (the only difference is the link under the commit name: one leads to my GitLab account, and the second is just "mailto:my@email"). Both commits are signed by an x509 MIME certificate. The initial commit I signed with my certificate issued to my email denis@subbot.in, which I use for registration on gitlab.org, but the second commit is signed by a certificate issued to a random temporary email (not really random - that's my old email, but I never mentioned it on gitlab.org).
GitHub.com, for example, adds the label "Unverified" in this situation. Look at the two last commits on this page - https://github.com/mr-tron/test-sign-x509/commits/master

What is the current bug behavior?

GitLab displays commits signed by an x509 certificate for any email as "Verified".
It also displays the login for GitLab users, detected based on login, in the same manner as the "user.name" from the commit info.

What is the expected correct behavior?

It should display the label "Signed" or "Unverified", and not in green.

Relevant logs and/or screenshots

In attachments.

Output of checks

This bug happens to me on gitlab.org.

Impact

An attacker can impersonate someone else in the GitLab web interface.
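The badge logic the "expected correct behavior" section asks for, as an added example (not GitLab's own code): a commit signed with an x509 certificate is marked verified only when the certificate is bound to the committer email and that email is one the displayed user has verified on their account. The self-signed certificate and the helper names are constructed for the illustration.

```ruby
require 'openssl'

# Collect every email the certificate asserts: the subject's emailAddress
# attribute plus any rfc822Name entries in subjectAltName.
def cert_emails(cert)
  emails = cert.subject.to_a.select { |name, _, _| name == 'emailAddress' }
                            .map { |_, value, _| value }
  cert.extensions.each do |ext|
    next unless ext.oid == 'subjectAltName'
    ext.value.split(',').each do |entry|
      kind, value = entry.strip.split(':', 2)
      emails << value if kind == 'email'
    end
  end
  emails.map(&:downcase).uniq
end

# :verified only when the certificate email matches the committer email AND
# the matched account has verified that email. A valid signature by a cert
# for some other address (the report above) must stay :unverified, not green.
def signature_badge(cert:, committer_email:, user_verified_emails:)
  email = committer_email.downcase
  return :unverified unless cert_emails(cert).include?(email)
  return :unverified unless user_verified_emails.map(&:downcase).include?(email)
  :verified
end

# Constructed self-signed certificate standing in for a free S/MIME cert.
def make_cert(email)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.new([['CN', 'Test'], ['emailAddress', email]])
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('subjectAltName', "email:#{email}"))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

if __FILE__ == $PROGRAM_NAME
  cert = make_cert('new@fake.email')
  puts signature_badge(cert: cert, committer_email: 'new@fake.email',
                       user_verified_emails: ['denis@subbot.in'])
end
```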

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: