Fix X.509 certificate creation with blank email addresses (!201887) · Merge requests · GitLab.org / GitLab

What does this MR do and why?

Sentry error: https://new-sentry.gitlab.net/organizations/gitlab/issues/1832009

ActiveRecord::RecordInvalid: Validation failed: Email can't be blank, Email is invalid (ActiveRecord::RecordInvalid)
  from active_record/validations.rb:84:in `raise_validation_error'
  from active_model/validations.rb:412:in `validate!'
  from app/models/application_record.rb:71:in `block in safe_find_or_create_by!'
  from <internal:kernel>:90:in `tap'
  from app/models/application_record.rb:68:in `safe_find_or_create_by!'
  from active_record/relation/delegation.rb:122:in `public_send'
  from active_record/relation/delegation.rb:122:in `block in method_missing'
  from active_record/relation.rb:939:in `_scoping'
  from active_record/relation.rb:467:in `scoping'
  from active_record/relation/delegation.rb:122:in `method_missing'
  from app/models/x509_certificate.rb:33:in `safe_create!'
  from lib/gitlab/x509/signature.rb:27:in `x509_certificate'
  from lib/gitlab/x509/commit.rb:20:in `attributes'

Problem

X.509 signature verification fails with ActiveRecord::RecordInvalid when certificates contain blank email addresses in subjectAltName.

Solution

Add email validation to return nil when certificate_email is blank.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited Aug 19, 2025 by Vasilii Iakliushin

Fix X.509 certificate creation with blank email addresses

What does this MR do and why?

MR acceptance checklist

Merge request reports