
Add revocation for SSH keys

Igor Drozdov requested to merge id-revoke-ssh-keys into master

What does this MR do and why?

Related issue: #382984 (closed)

If an SSH key is compromised, we need to be able to revoke it to mark all the commits signed by the SSH key as unverified.

SQL query

UPDATE "ssh_signatures" SET "verification_status" = 7, "updated_at" = '2023-01-16 14:20:37.982442' WHERE "ssh_signatures"."key_id" = 10797478

https://console.postgres.ai/gitlab/gitlab-production-tunnel-pg12/sessions/14544/commands/51043

 ModifyTable on public.ssh_signatures  (cost=0.29..96.46 rows=70 width=109) (actual time=674.551..674.552 rows=0 loops=1)
   Buffers: shared hit=1074 read=208 dirtied=200 written=2
   I/O Timings: read=646.266 write=0.000
   ->  Index Scan using index_ssh_signatures_on_key_id on public.ssh_signatures  (cost=0.29..96.46 rows=70 width=109) (actual time=4.194..206.325 rows=70 loops=1)
         Index Cond: (ssh_signatures.key_id = 10797478)
         Buffers: shared hit=6 read=64
         I/O Timings: read=205.576 write=0.000
Time: 675.634 ms
  - planning: 1.039 ms
  - execution: 674.595 ms
    - I/O read: 646.266 ms
    - I/O write: 0.000 ms

Shared buffers:
  - hits: 1074 (~8.40 MiB) from the buffer pool
  - reads: 208 (~1.60 MiB) from the OS file cache, including disk I/O
  - dirtied: 200 (~1.60 MiB)
  - writes: 2 (~16.00 KiB)


Edited by Igor Drozdov
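
The revocation update described above, as an added example that is not part of the merge request or GitLab's code: it runs the same kind of UPDATE against an in-memory SQLite stand-in for `ssh_signatures` and checks that only the revoked key's signatures change. The table and column names and the status value 7 come from the query above; the sample rows, the "verified" value 1 and the helper names are assumptions.

```python
import sqlite3

REVOKED_STATUS = 7    # value set by the UPDATE in the MR description
VERIFIED_STATUS = 1   # assumed value for a verified signature (demo only)

def build_db():
    """In-memory stand-in for ssh_signatures, filled with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE ssh_signatures (
        id INTEGER PRIMARY KEY, commit_sha TEXT NOT NULL, key_id INTEGER,
        verification_status INTEGER NOT NULL, updated_at TEXT)""")
    db.execute("CREATE INDEX index_ssh_signatures_on_key_id "
               "ON ssh_signatures (key_id)")
    rows = [("a1", 100, VERIFIED_STATUS), ("a2", 100, VERIFIED_STATUS),
            ("b1", 200, VERIFIED_STATUS), ("c1", None, 0)]
    db.executemany("INSERT INTO ssh_signatures "
                   "(commit_sha, key_id, verification_status) VALUES (?, ?, ?)",
                   rows)
    db.commit()
    return db

def revoke_key(db, key_id):
    """Mark every signature made with key_id as revoked; return rows changed."""
    if key_id is None:
        raise ValueError("key_id is required")
    with db:  # single transaction: all of the key's signatures flip, or none
        # The extra status filter (not in the page's query) makes a repeated
        # revocation a no-op instead of rewriting rows again.
        cur = db.execute(
            "UPDATE ssh_signatures "
            "SET verification_status = ?, updated_at = datetime('now') "
            "WHERE key_id = ? AND verification_status <> ?",
            (REVOKED_STATUS, key_id, REVOKED_STATUS))
    return cur.rowcount

def still_trusted(db, key_id):
    """Post-revocation check: signatures by key_id not yet marked revoked."""
    return db.execute(
        "SELECT COUNT(*) FROM ssh_signatures "
        "WHERE key_id = ? AND verification_status <> ?",
        (key_id, REVOKED_STATUS)).fetchone()[0]

def statuses(db):
    """Map commit_sha -> verification_status for every signature row."""
    return dict(db.execute(
        "SELECT commit_sha, verification_status FROM ssh_signatures"))
```

Running `still_trusted` after a revocation is a cheap audit that no signature made with the compromised key is left in a non-revoked state.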
