X.509 signature badge is not displayed if the certificate isn't in the DB
Summary
When a commit is signed with X.509, we don't return any verification status if we don't already have the X.509 certificate in the database.
Instead of doing this, we should show an unverified status and explain that we don't recognize the X.509 certificate.
Steps to reproduce
- Create a copy of https://gitlab.com/brendan/website inside your GDK.
- Run these commands in the rails console:

  ```ruby
  Feature.disable(:rugged_find_commit) # Rugged doesn't know how to handle X.509
  project = Project.find(id_of_your_copy_project)
  raw = Gitlab::Git::Commit.find(project.repository.raw_repository, '6da2d393ba0df8e4cdf6ccb362bdba4aacc840a1')
  commit = Commit.new(raw, project)
  ```

- This results in unexpected behavior where the commit has a signature, but `commit.signature` returns nil:

  ```
  [11] pry(main)> commit.has_signature?
  => true
  [12] pry(main)> commit.signature
  => nil
  ```
What is the current bug behavior?
When the X.509 certificate is not known, we don't show any indication that the commit is signed.
What is the expected correct behavior?
If the commit has a signature, and we can't perform verification steps, then we should show an Unverified badge.
Possible fixes
- Make the `x509_certificate` relationship on X.509 signatures optional.
- If we can't find the certificate that the commit was signed with, we should still persist an X509CommitSignature record, but with an `unverified` status.
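The behaviour proposed above, sketched as an added Ruby example (this is not GitLab's code): a status resolver that returns an unverified status with a reason instead of nil when the signer's certificate is not in the store, and only returns verified when the certificate is known and the signature checks out against it. The `SignedCommit` struct, the fingerprint-keyed lookup, the `certificate_store` hash standing in for the certificates table, and the self-signed fixture are all assumptions of this example; the signature check itself uses Ruby's OpenSSL bindings.

```ruby
require 'openssl'

# Status values. A commit that carries a signature always resolves to one of
# these; nil is never returned, which is what hid the badge in the bug report.
VERIFIED   = :verified
UNVERIFIED = :unverified

# A signed commit as this example models it: the signed payload, the raw
# signature bytes, and the SHA-256 fingerprint of the signer's certificate.
# Keying the certificate lookup on a fingerprint is an assumption of this example.
SignedCommit = Struct.new(:payload, :signature, :cert_fingerprint)

def cert_fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
end

# Constructed fixture: a self-signed certificate and its private key.
def make_identity(common_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

def sign_commit(payload, key, cert)
  signature = key.sign(OpenSSL::Digest.new('SHA256'), payload)
  SignedCommit.new(payload, signature, cert_fingerprint(cert))
end

# certificate_store stands in for the X.509 certificates table: a Hash of
# fingerprint => OpenSSL::X509::Certificate. Returns a Hash with :status and
# :reason. The status is VERIFIED only when the certificate is known and the
# signature validates against it, and UNVERIFIED in every other case.
def signature_status(commit, certificate_store)
  cert = certificate_store[commit.cert_fingerprint]
  if cert.nil?
    # The buggy behaviour returned nil here. Instead, report an unverified
    # signature and say why, so the UI can render the badge and an explanation.
    return { status: UNVERIFIED, reason: 'certificate not recognized' }
  end

  begin
    valid = cert.public_key.verify(OpenSSL::Digest.new('SHA256'), commit.signature, commit.payload)
  rescue OpenSSL::PKey::PKeyError
    valid = false # malformed signature bytes count as a failed check
  end

  if valid
    { status: VERIFIED, reason: nil }
  else
    { status: UNVERIFIED, reason: 'signature does not match certificate' }
  end
end

if __FILE__ == $PROGRAM_NAME
  key, cert = make_identity('alice')
  commit = sign_commit("tree 4b825dc\nauthor alice\n\nSigned commit\n", key, cert)

  known   = { cert_fingerprint(cert) => cert }
  unknown = {}

  p signature_status(commit, known)   # certificate in the store, signature valid
  p signature_status(commit, unknown) # certificate missing: unverified, not nil
end
```

The reason string is returned alongside the status so that "we don't recognize this certificate" and "the signature does not match" can be distinguished in the UI, while both still surface as an Unverified badge rather than disappearing.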
Edited by Brian Williams