Revoked UIDs in GPG keys are still shown as verified/unverified in the GitLab UI
Summary
When adding a GPG key that has revoked UIDs, these UIDs are still shown in the UI as being verified/unverified.
Steps to reproduce
Create a new GPG key, add a second UID and revoke one of the UIDs:
$ gpg --gen-key
$ gpg --edit-key <your key id>
gpg> adduid
gpg> uid 1
gpg> revuid
gpg> save
$ gpg -a --export <your key id> | xclip -i
Now add the key to your GitLab account.
What is the current bug behavior?
When adding a new GPG key to an account, the revoked UIDs are still shown in the UI and can even be verified (see screenshot).
What is the expected correct behavior?
The revoked UIDs should not be listed and especially not be listed as being verified.
Relevant logs and/or screenshots
$ LANG=en gpg --list-options show-unusable-uids --list-keys 0x30D341DD34118D7D
pub rsa2048/0x30D341DD34118D7D 2018-10-07 [SC] [expires: 2020-10-06]
Key fingerprint = AA6D 4F3C 4EE0 003B 7E44 1D18 30D3 41DD 3411 8D7D
uid [ unknown] Jane Doe <jane.doe@example.com>
uid [ revoked] Some Name <mail+gitlab@vbrandl.net>
uid [ revoked] John Doe <john.doe@example.com>
sub rsa2048/0x53691D008B648BCD 2018-10-07 [E] [expires: 2020-10-06]
Only the UID for "Jane Doe" is active. Still after adding the key, the UI shows the following:
Output of checks
This bug happens on GitLab.com
Further Notes
At least when signing commits and having verified only a revoked UID, the commit is shown as being Unverified: vbrandl/test-invalid-uid@8654ab0a
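The expected behavior above, sketched as an added example (not GitLab's code and not part of the original report): drop revoked, expired and invalid UIDs from `gpg --with-colons` output before matching them against account emails. The function names `parse_uids` and `verifiable_emails` are hypothetical, and the sample listing is constructed from the key shown in this report, with placeholder timestamps and UID hashes.

```ruby
# Constructed sample of `gpg --with-colons --list-keys` output for the key in
# this report. Timestamps and UID hashes are placeholders, not real values.
SAMPLE = <<~COLONS
  pub:-:2048:1:30D341DD34118D7D:1538870400:1601942400::-:::scESC::::::23::0:
  fpr:::::::::AA6D4F3C4EE0003B7E441D1830D341DD34118D7D:
  uid:-::::1538870400::UIDHASH_PLACEHOLDER_1::Jane Doe <jane.doe@example.com>::::::::::0:
  uid:r::::::UIDHASH_PLACEHOLDER_2::Some Name <mail+gitlab@vbrandl.net>::::::::::0:
  uid:r::::::UIDHASH_PLACEHOLDER_3::John Doe <john.doe@example.com>::::::::::0:
  sub:-:2048:1:53691D008B648BCD:1538870400:1601942400:::::e::::::23:
COLONS

# Field 2 of a colon record is its validity; these values mean the UID must
# not be offered for verification.
UNUSABLE = { "r" => :revoked, "e" => :expired, "i" => :invalid }.freeze

# gpg escapes ':' and control characters in the user ID as \xHH.
def unescape(field)
  field.gsub(/\\x(\h\h)/) do
    [Regexp.last_match(1)].pack("H2").force_encoding(field.encoding)
  end
end

# Return one hash per uid record: validity flag, full user ID, and its email.
def parse_uids(colons)
  colons.each_line.filter_map do |line|
    f = line.chomp.split(":", -1)
    next unless f[0] == "uid"

    user_id = unescape(f[9].to_s)
    { validity: f[1], user_id: user_id,
      email: user_id[/<([^<>\s]+@[^<>\s]+)>\s*\z/, 1] }
  end
end

# Emails that may be marked verified: present on a usable UID of the key AND
# registered on the account. Revoked UIDs never reach the comparison.
def verifiable_emails(colons, account_emails)
  usable = parse_uids(colons).reject { |u| UNUSABLE.key?(u[:validity]) }
  usable.map { |u| u[:email] }.compact.map(&:downcase) &
    account_emails.map(&:downcase)
end

if __FILE__ == $PROGRAM_NAME
  p verifiable_emails(SAMPLE, %w[john.doe@example.com jane.doe@example.com])
end
```
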