Skip to content

Consider all emails when determining verification status

Jerry Seto requested to merge 336677-multiple-emails-from-for-certificates into master

What does this MR do and why?

Consider all emails when determining verification status

  • Adds an emails column to x509_certificates
  • Writes to emails when creating new x509_certificates
  • Check all emails against user email for verification status

Contributes to: #336677 (closed)

How to set up and validate locally

Set up CA cert

  1. openssl genrsa -out ca.key 4096
  2. openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:GitLab
Organizational Unit Name (eg, section) []:dev
Common Name (e.g. server FQDN or YOUR name) []:gitlab

Set up end-entity cert

  1. openssl genrsa -out git.key 4096
  2. openssl req -new -key git.key -subj "/C=US/ST=California/L=San Francisco/O=dev/CN=gitlab" -out git.csr
openssl x509 -req -days 3650 -in git.csr -CA ca.crt -CAkey ca.key -extfile <(
    echo "subjectAltName = DNS:gitlab.test,email:test@example.com,email:test2@example.com"; \
    echo "keyUsage = critical,digitalSignature"
    echo "subjectKeyIdentifier = hash"
    echo "authorityKeyIdentifier = keyid"
    echo "crlDistributionPoints=DNS:gitlab.test,URI:http://example.com/crl.pem"
    ) -set_serial 1 -out git.crt```

Import keys into gpgsm and add to trustlist

  1. openssl pkcs12 -export -inkey git.key -in git.crt -name test -out git.p12
  2. openssl pkcs12 -export -inkey ca.key -in ca.crt -name test2 -out ca.p12
  3. gpgsm --import ca.p12
  4. gpgsm --import git.p12
  5. gpgsm --list-keys
  6. Add the sha1 fpr to ~/.gnupg/trustlist.txt (e.g echo "D9:C1:01:4C:72:00:0A:9B:CC:69:A0:E2:AD:2D:2A:18:60:CC:64:F8 S relax" >> ~/.gnupg/trustlist.txt) for the last 2 keys just imported

Have gpgsm ignore crl

echo "disable-crl-checks" >> ~/.gnupg/gpgsm.conf

Set up GDK to use the CA cert we generated

in a rails console:

  1. Feature.enable(:x509_forced_cert_loading)

in the gdk directory:

  1. echo "export SSL_CERT_FILE=path to ca.crt" >> env.runit
  2. gdk restart rails-web

Set up a project

  1. Create a project
  2. Create a user with email test2@example.com
  3. Clone the project
  4. Configure the git client to sign commits
  5. git config user.email test2@example.com
  6. git config user.signingkey (use the last ID from gpgsm --list-keys looks like 0x60CC64F8)
  7. git config gpg.program gpgsm
  8. git config gpg.format x509
  9. restart gpg-agent (gpgconf --kill gpg-agent)
  10. make some changes and commit with signature(e.g echo test > test && git add test && git commit -m "test" -S)
  11. Push changes
  12. Look at the commits just pushed (e.g http://gdk.test:3000/root/test-signatures/-/commits/branch_name) and see that there is a Verified badge next to the signed commit

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #336677 (closed)

Edited by Jerry Seto

Merge request reports