Spoofing commit author for signed commits
**[HackerOne report #1077019](https://hackerone.com/reports/1077019)** by `subbotin` on 2021-01-12, assigned to @rchan-gitlab: [Report](#report) | [Attachments](#attachments) | [How To Reproduce](#how-to-reproduce)

## Report

##### Summary

The "Verified" label for signed commits does not check the email for x509 signatures.

##### Steps to reproduce

The instructions are for Linux, but they can be useful for reproducing on other OSes.

1. Create a valid x509 certificate for some email (I use https://www.actalis.it/en/certificates-for-secure-electronic-mail.aspx because it's the only service that issues free S/MIME certs).
1. Import the cert into the store: `gpgsm --import PKCS12_Credential_new@fake.email.pfx`
1. Create a .gitconfig like
   ```
   [user]
       email = new@fake.email
       name = target_account_on_gitlab_name
       signingkey = 0xBFD04A72 # (your key id from the previous step; can be found with `gpgsm -k`)
   [commit]
       gpgsign = true
   [gpg]
       program = gpgsm
   ```
1. Make a new commit and push it to GitLab.
1. Go to the page https://gitlab.com/group_name/project_name/-/commits/master and look at the badges.
1. For a better picture you can change the avatar via gravatar.com.

##### Impact

Someone with a compromised SSH key but not a compromised GPG key or x509 cert.

##### Examples

https://gitlab.com/mr_tron/test/-/commits/master

You can see two commits on this page. Both were made by me, and both have the label "Verified". They look identical (the only difference is the link under the commit name: one leads to my GitLab account, and the second is just "mailto:my@email"). Both commits are signed by an x509 S/MIME certificate. I signed the initial commit with my certificate issued to my email denis@subbot.in, which I use for registration on gitlab.org, but the second commit is signed by a certificate issued to a random temporary email (not really random: that's my old email, but I never mentioned it on gitlab.org). Github.com, for example, in this situation adds the label "Unverified".

Look at the two last commits on this page: https://github.com/mr-tron/test-sign-x509/commits/master

##### What is the current *bug* behavior?

GitLab displays commits signed by an x509 certificate for any email as Verified. Also, it displays the login for GitLab users detected based on login in the same manner as "user.name" from the commit info.

##### What is the expected *correct* behavior?

It should display the label "Signed" or "Unverified" and not the green color.

##### Relevant logs and/or screenshots

In attachments.

##### Output of checks

This bug happens to me on gitlab.org

#### Impact

An attacker can impersonate someone else in the GitLab web interface.

## Attachments

**Warning:** Attachments received through HackerOne, please exercise caution!

* [Screenshot_2021-01-12_16-28-54.png](https://h1.sec.gitlab.net/a/bdaf53bf-9bc4-48e3-8413-a181b1ba751b/Screenshot_2021-01-12_16-28-54.png)
* [Screenshot_2021-01-12_16-29-43.png](https://h1.sec.gitlab.net/a/24390e51-b22e-4d6b-81d8-1de0d0fb220f/Screenshot_2021-01-12_16-29-43.png)

## How To Reproduce

Please add [reproducibility information] to this section:

1.
1.
1.

[reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues
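The badge policy the report argues for, written out as an added example (my own Python, not GitLab's code and not the reporter's): a good signature alone does not earn "Verified"; the signing certificate must have been issued for the commit's author email, and that email must be verified on the GitLab account the badge links to, so the linked user is derived from the verified email and never from the attacker-controlled `user.name`. The log format, the `cert_emails` column (in practice taken from the certificate's SAN `rfc822Name` entries after `gpgsm --verify`), the `VERIFIED_EMAILS` lookup and the sample commits are all constructed for this example; the `%G?` status codes are git's own.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Signature status codes from the %G? placeholder of git log (git-log(1), PRETTY FORMATS).
GOOD = "G"          # good signature
NO_SIGNATURE = "N"  # commit is not signed


@dataclass(frozen=True)
class Commit:
    sha: str
    author_name: str        # user.name from the commit: attacker-controlled, never trusted for identity
    author_email: str       # user.email from the commit: attacker-controlled until tied to the cert
    sig_status: str         # %G? status code
    cert_emails: Tuple[str, ...]  # emails the signing certificate was issued for (assumed SAN rfc822Name)


def parse_log_line(line: str) -> Commit:
    """Parse one line of the constructed format '%H|%an|%ae|%G?|cert1;cert2'."""
    sha, name, email, status, certs = line.split("|")
    return Commit(sha, name, email, status, tuple(e for e in certs.split(";") if e))


# Constructed lookup (assumption): GitLab username -> emails verified on that account.
VERIFIED_EMAILS: Dict[str, Set[str]] = {"subbotin": {"denis@subbot.in"}}


def owner_of_email(email: str, users: Dict[str, Set[str]] = VERIFIED_EMAILS) -> Optional[str]:
    """Return the username that has verified this email, or None."""
    email = email.lower()
    for user, emails in users.items():
        if email in {e.lower() for e in emails}:
            return user
    return None


def badge(commit: Commit, users: Dict[str, Set[str]] = VERIFIED_EMAILS) -> Tuple[str, Optional[str]]:
    """Return (label, linked_user) for a commit.

    linked_user is only ever derived from a verified email match, so user.name
    cannot make the badge point at someone else's account.
    """
    if commit.sig_status == NO_SIGNATURE:
        return ("none", None)
    if commit.sig_status != GOOD:
        # bad / expired / revoked / untrusted / error: signed but not trustworthy
        return ("unverified", None)
    # The check the report says is missing: the cert must be issued for the author email.
    if commit.author_email.lower() not in {e.lower() for e in commit.cert_emails}:
        return ("unverified", None)
    # ...and that email must be verified on a GitLab account, otherwise "Signed"/"Unverified".
    owner = owner_of_email(commit.author_email, users)
    if owner is None:
        return ("unverified", None)
    return ("verified", owner)


# Constructed sample lines: the two commits from the report plus a cert/email mismatch and an unsigned commit.
SAMPLE_LOG = """\
aaaa|subbotin|denis@subbot.in|G|denis@subbot.in
bbbb|subbotin|new@fake.email|G|new@fake.email
cccc|subbotin|denis@subbot.in|G|new@fake.email
dddd|subbotin|denis@subbot.in|N|
"""


def badges_for_log(text: str, users: Dict[str, Set[str]] = VERIFIED_EMAILS) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each commit sha in the constructed log to its (label, linked_user)."""
    return {c.sha: badge(c, users) for c in map(parse_log_line, text.splitlines())}


if __name__ == "__main__":
    for sha, (label, user) in badges_for_log(SAMPLE_LOG).items():
        print(sha, label, user or "-")
```

Commit `bbbb` is the reporter's second commit: the signature is good and the certificate really is for `new@fake.email`, but no GitLab account has verified that email, so it must not render green or link to the account named in `user.name`. Commit `cccc` is the other failure mode, a valid certificate that was not issued for the address the commit claims.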