feat: x509 signed commits using openssl

What does this MR do?

This MR provides basic support for x509 signed commits as proposed within #24512 (closed) and #29782 (closed).

Main difference in comparision to gpg:

• trust anchor is the certificate authority not a verified key
• no specific key uploaded by the user
• verification status could be one of the following
  • verified: email within x509 certificate equals committer email and ca is trusted
  • unverified: email within x509 certificate does not match committer email or ca is not trusted or signature invalid
• verification can be done using plain OpenSSL functionality or via gpgsm
  • my initial approach was using gpgsm, however the formats and concepts of x509 and gpg keys differ heavily and requires a lot of workarounds when using gpgsm, beside of the additional complexity at the code level gpp does require a lot of local configuration. This will make it error prone and reduce the operatability significantly
  • the openssl native approach is much simpler from an implementation, maintenance and operations point of view

Approach:

• add a new Gitlab::SignedCommit class containing has_signature?, signature_type and signature_data extract function
• add a new Gitlab::X509::Commit class similar to Gitlab::Gpg::Commit
• verify x509 signature using OpenSSL and the default certs ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE'
• add a worker to update the x509 signatures, similar to this one https://gitlab.com/gitlab-org/gitlab/blob/master/app/workers/create_gpg_signature_worker.rb (moved to #122159 (closed))
• create a follow-up issue for CRL handling (#122159 (closed))
• Create follow-up for tag handling (#122157 (closed)), currently blocked by gitaly#2120 (closed)

Further reading:

• Git upstream support for x509 signed commits from my team mate Henning Schild, see https://public-inbox.org/git/20180706011834.GD7697@genre.crustytoothpaste.net/
• GitHub Announcement: https://github.blog/changelog/2018-09-10-smime-signature-verification/
• GitHub Help: https://help.github.com/en/articles/about-commit-signature-verification#smime-commit-signature-verification

The MR we made to introduce GPG signed commits within GitLab:

• https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/9546

Samples of SMIME signed commits:

• https://gitlab.com/gitlab-org/gitlab-test/commits/smime-signed-commits , requires http://www.siemens.com/pki/ZZZZZZA1.crt as pem file(openssl x509 -inform DER -outform PEM -in ZZZZZZA1.crt -out ZZZZZZA1.pem) within cert file located at ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE'
• signed tag: https://gitlab.com/gitlab-org/gitlab-test/-/tags/v1.1.1

🔧 with ❤ at Siemens

/cc @dlouzan @henning-schild

Screenshots

Database

Does this MR meet the acceptance criteria?

Conformity

• Changelog entry
• Documentation created/updated or follow-up review issue created
• Code review guidelines
• Merge request performance guidelines
• Style guides
• Database guides
• Separation of EE specific content

Performance and Testing

• Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
• Tested in all supported browsers

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

• Label as security and @ mention @gitlab-com/gl-security/appsec
• The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
• Security reports checked/validated by a reviewer from the AppSec team