
Reject multiple PGP signatures for commits

Vasilii Iakliushin requested to merge 25616_reject_multiple_signatures into master

What does this MR do and why?

Contributes to #25616

Problem

It is possible to attach multiple PGP signatures to a commit, but git does not support that (see: https://github.com/git/git/commit/da6cf1b3360eefdce3dbde7632eca57177327f37).

Solution

Reject multiple PGP signatures for commits (even if they are valid ones) to match git verify-commit behavior.

Show a pop-up message to describe why we mark the commit as unverified.

Screenshots or screen recordings

[Screenshot: Screenshot_2021-11-09_at_16.29.49]

How to set up and validate locally

First of all, you need to enable the feature flag multiple_gpg_signatures:

Feature.enable(:multiple_gpg_signatures)

I followed this guide to set up the case: https://mgorny.pl/articles/attack-on-git-signature-verification.html (section "Detailed outline of the test case"). My results are described here.

Another (easier) option is to update the status of an existing signature:

# take any existing signature record and force the new verification status
signature = GpgSignature.last

signature.update(verification_status: "multiple_signatures")

# generate a link to the commit page
commit_sha = signature.commit_sha
project_path = signature.project.full_path

puts "http://localhost:3000/#{project_path}/-/commit/#{commit_sha}"

Then open the link in your browser and click on the "Unverified" button next to the commit.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Vasilii Iakliushin
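As an added example (not GitLab's code and not part of this MR), the following Ruby script shows the check the MR describes applied to a raw git commit object: it counts the signature headers in the header block and rejects the commit as "multiple_signatures" when there is more than one, before any cryptographic verification is attempted, so a second signature is rejected even if both would verify on their own. The header names, the status symbols, the build_commit helper and the placeholder signature bodies are assumptions made for this example.

```ruby
# Added example, not GitLab's code: classify the PGP signature headers of a
# raw git commit object the way this MR treats them. Exactly one signature
# header is passed on for verification; two or more are rejected as
# "multiple_signatures" before any cryptographic check, even if each would
# verify on its own. Header names and status symbols are assumptions here.
#
# In a commit object a signature is a "gpgsig" (or "gpgsig-sha256")
# header; its continuation lines start with one space, and the header
# block ends at the first blank line.
SIGNATURE_HEADERS = %w[gpgsig gpgsig-sha256].freeze

# Returns every signature found in the header block, de-indented back
# into the original armored text, in the order they appear.
def extract_signatures(raw_commit)
  header_block, _message = raw_commit.split("\n\n", 2)
  signatures = []
  current = nil

  header_block.each_line(chomp: true) do |line|
    if line.start_with?(" ") && current
      # continuation line of the signature header we are inside
      current << line[1..] << "\n"
    else
      key, value = line.split(" ", 2)
      if SIGNATURE_HEADERS.include?(key)
        current = String.new("#{value}\n")
        signatures << current
      else
        current = nil # any other header ends the signature
      end
    end
  end

  signatures
end

# Policy from the MR: decide on the count, before verification.
def signature_status(raw_commit)
  case extract_signatures(raw_commit).size
  when 0 then :unsigned
  when 1 then :verify            # single signature goes to the PGP verifier
  else :multiple_signatures      # what this MR marks as unverified
  end
end

# Helper (assumed for this example) that builds constructed commit objects
# with N signature headers; the armor bodies are placeholders, not real signatures.
def build_commit(signatures:, message: "test commit")
  lines = [
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904",
    "author A U Thor <author@example.com> 1636468189 +0100",
    "committer A U Thor <author@example.com> 1636468189 +0100",
  ]
  signatures.each do |armor|
    first, *rest = armor.lines(chomp: true)
    lines << "gpgsig #{first}"
    rest.each { |l| lines << " #{l}" } # blank armor lines become a lone space
  end
  (lines + ["", message, ""]).join("\n")
end

# Constructed placeholder signatures (not valid PGP data).
FAKE_SIG_A = "-----BEGIN PGP SIGNATURE-----\n\niQEzBAABCAAdFiEEfakeA\n-----END PGP SIGNATURE-----\n"
FAKE_SIG_B = "-----BEGIN PGP SIGNATURE-----\n\niQEzBAABCAAdFiEEfakeB\n-----END PGP SIGNATURE-----\n"

if __FILE__ == $PROGRAM_NAME
  [[], [FAKE_SIG_A], [FAKE_SIG_A, FAKE_SIG_B]].each do |sigs|
    puts "#{sigs.size} signature header(s): #{signature_status(build_commit(signatures: sigs))}"
  end
end
```

The count is taken on the raw header block rather than after signature parsing so that a commit carrying two signatures never reaches the verifier at all; that is the property the MR relies on when it marks such commits unverified regardless of whether each signature is valid.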
