x509 crl handling
## Problem to solve

As certificates can be revoked (after a commit signature has been verified), we should reset the commit verification status, since the certificate used to sign the commit is no longer trustworthy. Certificates can be revoked for a variety of reasons, including:

- the private key is compromised
- misuse of the certificate

## Background

Based on !17773, certificate revocation shall be handled for x509 signed commits, see https://gitlab.com/gitlab-org/gitlab/merge_requests/17773#note_241058311

## Proposal

* [-] ~~Adopt `app/workers/update_x509_signature_worker.rb` (feature flag `:update_x509_signature_worker`) [update_signature_worker.diff](/uploads/0642370a88779811af2332ba793e216a/update_signature_worker.diff)~~
* [x] Add rake task to update signatures in case of changed trust store => !28406
* [ ] Download CRL and set certificate_status if certificate is revoked => !28336
* [x] Revoked is a certificate detail, so we might just display "revoked" within the certificate details and set the verification status to unverified !24889

```ruby
require 'openssl'

# Parse a CRL, print its metadata, and return the subset of `serials`
# that the CRL lists as revoked (nil when none of them are).
def check_crl(crl_file, serials)
  revoked_serials = []
  crl = OpenSSL::X509::CRL.new(crl_file)

  puts "crl last_update : " + crl.last_update.to_s
  puts "crl next_update : " + crl.next_update.to_s
  puts "crl issuer      : " + crl.issuer.to_s
  puts "crl version     : " + crl.version.to_s
  crl.extensions.each do |ext|
    puts "crl extension   : " + ext.oid + '=' + ext.value
  end

  crl.revoked.each do |rev|
    revoked_serials.push(rev.serial) if serials.include?(rev.serial)
  end

  revoked_serials.empty? ? nil : revoked_serials
end

crl_serials = [2139164901, 1810356222]

puts "Check CRL file without revoked serial"
puts check_crl(File.read("ZZZZZZA6__2651.crl"), crl_serials)
puts "---------"
puts "Check CRL file with revoked serial"
puts check_crl(File.read("ZZZZZZA6.crl"), crl_serials)
```
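The snippet above only answers "is this serial in the CRL?". Before a CRL can be used to flip a certificate to revoked (or to confirm it is not), a checker also has to establish that the CRL was signed by the certificate's issuer and that it has not passed its `next_update`; otherwise a stale or foreign CRL could be accepted as proof that nothing was revoked. The following example is added here and is not code from the issue or from GitLab: it builds a throwaway CA, one revoked and one good leaf certificate (reusing the two sample serials from the snippet above), and a CRL signed by that CA, entirely in memory, then derives a certificate status from them. All names, keys and the `certificate_status` function are assumptions made for this example.

```ruby
require 'openssl'

DIGEST = OpenSSL::Digest::SHA256

# Constructed helper: issue a certificate signed by issuer_key
# (self-signed when no issuer is given).
def issue_cert(serial:, cn:, key:, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, DIGEST.new)
  cert
end

# Constructed fixture: a throwaway CA, one revoked leaf, one good leaf, and a
# CRL signed by the CA that lists only the revoked leaf. The serials mirror the
# sample values used in the issue; everything else is made up for this example.
def build_fixture
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = issue_cert(serial: 1, cn: 'Example Test CA', key: ca_key, ca: true)
  revoked_leaf = issue_cert(serial: 2139164901, cn: 'revoked@example.com',
                            key: OpenSSL::PKey::RSA.new(2048), issuer: ca, issuer_key: ca_key)
  good_leaf = issue_cert(serial: 1810356222, cn: 'good@example.com',
                         key: OpenSSL::PKey::RSA.new(2048), issuer: ca, issuer_key: ca_key)

  crl = OpenSSL::X509::CRL.new
  crl.version = 1                      # X.509 v2 CRL
  crl.issuer = ca.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  entry = OpenSSL::X509::Revoked.new
  entry.serial = revoked_leaf.serial
  entry.time = Time.now - 30
  crl.add_revoked(entry)
  crl.sign(ca_key, DIGEST.new)

  { ca: ca, revoked_leaf: revoked_leaf, good_leaf: good_leaf, crl_pem: crl.to_pem }
end

# Derive a certificate status from a CRL (hypothetical helper).
# Returns :crl_untrusted when the CRL is not signed by the certificate's issuer,
# :crl_stale when the CRL is past next_update, and otherwise :revoked or :good.
def certificate_status(cert, crl_pem, issuer_cert, now: Time.now)
  crl = OpenSSL::X509::CRL.new(crl_pem)
  unless crl.issuer == issuer_cert.subject && crl.verify(issuer_cert.public_key)
    return :crl_untrusted
  end
  return :crl_stale if crl.next_update && crl.next_update < now

  crl.revoked.any? { |entry| entry.serial == cert.serial } ? :revoked : :good
end

if $PROGRAM_NAME == __FILE__
  f = build_fixture
  puts "revoked leaf : #{certificate_status(f[:revoked_leaf], f[:crl_pem], f[:ca])}"
  puts "good leaf    : #{certificate_status(f[:good_leaf], f[:crl_pem], f[:ca])}"
  puts "stale CRL    : #{certificate_status(f[:good_leaf], f[:crl_pem], f[:ca], now: Time.now + 7200)}"
end
```

Only the `:revoked` and `:good` outcomes are a statement about the certificate; `:crl_untrusted` and `:crl_stale` mean the downloaded CRL cannot be used at all, and a caller that treats those as "not revoked" reintroduces the problem the issue is trying to close. The ordering matters as well: signature and freshness are checked before the serial lookup, so a CRL that fails either check never influences the stored status.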