Consider all emails when determining verification status
What does this MR do and why?
Consider all emails when determining verification status
- Adds an
emails
column tox509_certificates
- Writes to
emails
when creating new x509_certificates - Check all emails against user email for verification status
Contributes to: #336677 (closed)
How to set up and validate locally
Set up CA cert
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:GitLab
Organizational Unit Name (eg, section) []:dev
Common Name (e.g. server FQDN or YOUR name) []:gitlab
Set up end-entity cert
openssl genrsa -out git.key 4096
openssl req -new -key git.key -subj "/C=US/ST=California/L=San Francisco/O=dev/CN=gitlab" -out git.csr
openssl x509 -req -days 3650 -in git.csr -CA ca.crt -CAkey ca.key -extfile <(
echo "subjectAltName = DNS:gitlab.test,email:test@example.com,email:test2@example.com"; \
echo "keyUsage = critical,digitalSignature"
echo "subjectKeyIdentifier = hash"
echo "authorityKeyIdentifier = keyid"
echo "crlDistributionPoints=DNS:gitlab.test,URI:http://example.com/crl.pem"
) -set_serial 1 -out git.crt```
Import keys into gpgsm and add to trustlist
openssl pkcs12 -export -inkey git.key -in git.crt -name test -out git.p12
openssl pkcs12 -export -inkey ca.key -in ca.crt -name test2 -out ca.p12
gpgsm --import ca.p12
gpgsm --import git.p12
gpgsm --list-keys
- Add the
sha1 fpr
to~/.gnupg/trustlist.txt
(e.gecho "D9:C1:01:4C:72:00:0A:9B:CC:69:A0:E2:AD:2D:2A:18:60:CC:64:F8 S relax" >> ~/.gnupg/trustlist.txt
) for the last 2 keys just imported
Have gpgsm ignore crl
echo "disable-crl-checks" >> ~/.gnupg/gpgsm.conf
Set up GDK to use the CA cert we generated
in a rails console:
Feature.enable(:x509_forced_cert_loading)
in the gdk directory:
echo "export SSL_CERT_FILE=path to ca.crt" >> env.runit
gdk restart rails-web
Set up a project
- Create a project
- Create a user with email
test2@example.com
- Clone the project
- Configure the git client to sign commits
git config user.email test2@example.com
-
git config user.signingkey
(use the lastID
fromgpgsm --list-keys
looks like0x60CC64F8
) git config gpg.program gpgsm
git config gpg.format x509
- restart gpg-agent (
gpgconf --kill gpg-agent
) - make some changes and commit with signature(e.g
echo test > test && git add test && git commit -m "test" -S
) - Push changes
- Look at the commits just pushed (e.g
http://gdk.test:3000/root/test-signatures/-/commits/branch_name
) and see that there is aVerified
badge next to the signed commit
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Related to #336677 (closed)
Edited by Jerry Seto