feat: x509 signed commits using openssl
What does this MR do?
This MR provides basic support for x509 signed commits as proposed within #24512 (closed) and #29782 (closed).
Main differences in comparison to gpg:
- trust anchor is the certificate authority, not a verified key
- no specific key uploaded by the user
- verification status could be one of the following
  - verified: email within x509 certificate equals committer email and CA is trusted
  - unverified: email within x509 certificate does not match committer email or CA is not trusted or signature invalid
- verification can be done using plain OpenSSL functionality or via gpgsm
  - my initial approach was using gpgsm; however, the formats and concepts of x509 and gpg keys differ heavily and require a lot of workarounds when using gpgsm. Besides the additional complexity at the code level, gpg does require a lot of local configuration. This will make it error-prone and reduce the operability significantly
  - the openssl native approach is much simpler from an implementation, maintenance and operations point of view
Approach:
- add a new Gitlab::SignedCommit class containing has_signature?, signature_type and signature_data extract function
- add a new Gitlab::X509::Commit class similar to Gitlab::Gpg::Commit
- verify x509 signature using OpenSSL and the default certs ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE'
- add a worker to update the x509 signatures, similar to this one https://gitlab.com/gitlab-org/gitlab/blob/master/app/workers/create_gpg_signature_worker.rb (moved to #122159 (closed))
- create a follow-up issue for CRL handling (#122159 (closed))
- Create follow-up for tag handling (#122157 (closed)), currently blocked by gitaly#2120 (closed)
Further reading:
- Git upstream support for x509 signed commits from my team mate Henning Schild, see https://public-inbox.org/git/20180706011834.GD7697@genre.crustytoothpaste.net/
- GitHub Announcement: https://github.blog/changelog/2018-09-10-smime-signature-verification/
- GitHub Help: https://help.github.com/en/articles/about-commit-signature-verification#smime-commit-signature-verification
The MR we made to introduce GPG signed commits within GitLab:
Samples of SMIME signed commits:
- https://gitlab.com/gitlab-org/gitlab-test/commits/smime-signed-commits , requires http://www.siemens.com/pki/ZZZZZZA1.crt as pem file (openssl x509 -inform DER -outform PEM -in ZZZZZZA1.crt -out ZZZZZZA1.pem) within cert file located at ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE'
- signed tag: https://gitlab.com/gitlab-org/gitlab-test/-/tags/v1.1.1
Screenshots
Database
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation created/updated or follow-up review issue created
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Performance and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team
Edited by 🤖 GitLab Bot 🤖
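The verification rule stated in the description (valid signature, chain to a trusted CA, certificate email equal to the committer email), as an added Ruby example that is not the MR's own code. `make_cert`, `san_emails`, `x509_status` and `demo` are hypothetical names, the CA and signer are constructed in memory, and reading the email from the subjectAltName rfc822Name entry is an assumption about where the certificate carries it.

```ruby
require 'openssl'

# Certificate for the constructed test PKI (all names here are made up).
def make_cert(subject, key, issuer, issuer_key, ca:, email: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "email:#{email}")) if email
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

# rfc822Name entries (context tag 1) of subjectAltName; assumed email location.
def san_emails(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  names = OpenSSL::ASN1.decode(OpenSSL::ASN1.decode(ext.to_der).value.last.value)
  names.value.select { |n| n.tag_class == :CONTEXT_SPECIFIC && n.tag == 1 }.map(&:value)
end

# :verified only if signature, chain to a trusted CA and email all check out.
def x509_status(signature_pem, signed_text, committer_email, store)
  pem = signature_pem.gsub('SIGNED MESSAGE-----', 'PKCS7-----') # git's PEM label
  p7 = OpenSSL::PKCS7.new(pem)
  return :unverified unless p7.verify([], store, signed_text)
  info = p7.signers.first
  signer = (p7.certificates || []).find do |c|
    c.serial.to_i == info.serial.to_i && c.issuer.to_der == info.issuer.to_der
  end
  signer && san_emails(signer).include?(committer_email) ? :verified : :unverified
rescue OpenSSL::PKCS7::PKCS7Error, ArgumentError
  :unverified
end

# Constructed demo: throwaway CA, one signer, one commit-like payload.
def demo
  ca_key, key = OpenSSL::PKey::RSA.new(2048), OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('/CN=Example Test CA', ca_key, nil, ca_key, ca: true)
  leaf = make_cert('/CN=Dev', key, ca, ca_key, ca: false, email: 'dev@example.com')
  text = "tree 0000\nauthor Dev <dev@example.com>\n\nsigned commit\n"
  flags = OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY
  sig = OpenSSL::PKCS7.sign(leaf, key, text, [], flags).to_pem.gsub('PKCS7-----', 'SIGNED MESSAGE-----')
  [sig, text, OpenSSL::X509::Store.new.add_cert(ca)]
end
```

`demo` returns the detached signature, the signed text and a store that trusts only the constructed CA. Passing an empty `OpenSSL::X509::Store`, a different committer email or altered text to `x509_status` yields `:unverified`.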
1 file
+ 4
− 2
@@ -122,8 +122,10 @@ def initialize(raw_commit, project)