feat: x509 signed commits using openssl

What does this MR do?

This MR provides basic support for x509 signed commits as proposed within #24512 (closed) and #29782 (closed).

Main difference in comparision to gpg:

• trust anchor is the certificate authority not a verified key
• no specific key uploaded by the user
• verification status could be one of the following
  • verified: email within x509 certificate equals committer email and ca is trusted
  • unverified: email within x509 certificate does not match committer email or ca is not trusted or signature invalid
• verification can be done using plain OpenSSL functionality or via gpgsm
  • my initial approach was using gpgsm, however the formats and concepts of x509 and gpg keys differ heavily and requires a lot of workarounds when using gpgsm, beside of the additional complexity at the code level gpp does require a lot of local configuration. This will make it error prone and reduce the operatability significantly
  • the openssl native approach is much simpler from an implementation, maintenance and operations point of view

Approach:

• add a new Gitlab::SignedCommit class containing has_signature?, signature_type and signature_data extract function
• add a new Gitlab::X509::Commit class similar to Gitlab::Gpg::Commit
• verify x509 signature using OpenSSL and the default certs ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE'
• add a worker to update the x509 signatures, similar to this one https://gitlab.com/gitlab-org/gitlab/blob/master/app/workers/create_gpg_signature_worker.rb (moved to #122159 (closed))
• create a follow-up issue for CRL handling (#122159 (closed))
• Create follow-up for tag handling (#122157 (closed)), currently blocked by gitaly#2120 (closed)

Further reading:

• Git upstream support for x509 signed commits from my team mate Henning Schild, see https://public-inbox.org/git/20180706011834.GD7697@genre.crustytoothpaste.net/
• GitHub Announcement: https://github.blog/changelog/2018-09-10-smime-signature-verification/
• GitHub Help: https://help.github.com/en/articles/about-commit-signature-verification#smime-commit-signature-verification

The MR we made to introduce GPG signed commits within GitLab:

• https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/9546

Samples of SMIME signed commits:

• https://gitlab.com/gitlab-org/gitlab-test/commits/smime-signed-commits , requires http://www.siemens.com/pki/ZZZZZZA1.crt as pem file(openssl x509 -inform DER -outform PEM -in ZZZZZZA1.crt -out ZZZZZZA1.pem) within cert file located at ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE'
• signed tag: https://gitlab.com/gitlab-org/gitlab-test/-/tags/v1.1.1

with at Siemens

/cc @dlouzan @henning-schild

Screenshots

Database

Does this MR meet the acceptance criteria?

Conformity

• Changelog entry
• Documentation created/updated or follow-up review issue created
• Code review guidelines
• Merge request performance guidelines
• Style guides
• Database guides
• Separation of EE specific content

Performance and Testing

• Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
• Tested in all supported browsers

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

• Label as security and @ mention @gitlab-com/gl-security/appsec
• The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
• Security reports checked/validated by a reviewer from the AppSec team

doc/user/project/repository/x509_signed_commits/index.md

+---
+type: concepts, howto
+---
+
+# Signing commits with x509
+
+## How GitLab handles x509
+
+GitLab uses its own certificate store and therefore defines the trust chain.
+
+For a commit to be *verified* by GitLab:
+
+- The *keyUsage* attribute of the signing certificate must contain *Digital Signature*
+- The committer's email address must match the signing certificate email
+- The Certificate Authority has to be trusted by the GitLab instance
+
+> There is no certificate revocation list check in place at the moment.
+
+## Setup x509 code signing
+
+Your git client should be >= 2.19.0.
+
+> Just replace `--local` with `--global` below to configure it globally
+
+### Linux
+
+configure git to use your key for signing
+
+```sh
+signingkey = $( gpgsm --list-secret-keys | egrep '(key usage|ID)' | grep -B 1 digitalSignature | awk '/ID/ {print $2}' )
+git config --local user.signingkey $signingkey
+git config --local gpg.format x509
+```
+
+### Windows and MacOS
+
+Install [smimesign](https://github.com/github/smimesign) by downloading the
+installer or via `brew install smimesign` on MacOS.
+
+Get the ID of your certificate with `smimesign --list-keys` and set your
+signingkey `git config --local user.signingkey ID`, then configure x509:
+
+```sh
+git config --local gpg.x509.program smimesign
+git config --local gpg.format x509
+```
+
+## Sign your code with x509
+
+You can now just use the basic git command to verify and sign, see also
+https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
+
+### Verify
+
+```sh
+git tag -v v0.2
+git log --show-signature
+```
+
+## Sign
+
+```sh
+git commit -S
+```