Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Boxiang Sun
gitlab-ce
Commits
bab76f76
Commit
bab76f76
authored
Jun 17, 2019
by
David Palubin
Committed by
Nick Thomas
Jun 17, 2019
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Fix GPG signature verification with recent versions of GnuPG
parent
956bf0d2
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
99 additions
and
8 deletions
+99
-8
changelogs/unreleased/issue-58747.yml
changelogs/unreleased/issue-58747.yml
+5
-0
lib/gitlab/gpg/commit.rb
lib/gitlab/gpg/commit.rb
+11
-8
spec/lib/gitlab/gpg/commit_spec.rb
spec/lib/gitlab/gpg/commit_spec.rb
+83
-0
No files found.
changelogs/unreleased/issue-58747.yml
0 → 100644
View file @
bab76f76
---
title
:
Fix GPG signature verification with recent GnuPG versions
merge_request
:
29388
author
:
David Palubin
type
:
fixed
lib/gitlab/gpg/commit.rb
View file @
bab76f76
...
...
@@ -52,12 +52,13 @@ module Gitlab
def
using_keychain
Gitlab
::
Gpg
.
using_tmp_keychain
do
# first we need to get the
keyid
from the signature to query the gpg
# key belonging to the
keyid
.
# first we need to get the
fingerprint
from the signature to query the gpg
# key belonging to the
fingerprint
.
# This way we can add the key to the temporary keychain and extract
# the proper signature.
# NOTE: the invoked method is #fingerprint but it's only returning
# 16 characters (the format used by keyid) instead of 40.
# NOTE: the invoked method is #fingerprint but versions of GnuPG
# prior to 2.2.13 return 16 characters (the format used by keyid)
# instead of 40.
fingerprint
=
verified_signature
&
.
fingerprint
break
unless
fingerprint
...
...
@@ -128,11 +129,13 @@ module Gitlab
gpg_key
&
.
verified_user_infos
&
.
first
||
gpg_key
&
.
user_infos
&
.
first
||
{}
end
# rubocop: disable CodeReuse/ActiveRecord
def
find_gpg_key
(
keyid
)
GpgKey
.
find_by
(
primary_keyid:
keyid
)
||
GpgKeySubkey
.
find_by
(
keyid:
keyid
)
def
find_gpg_key
(
fingerprint
)
if
fingerprint
.
length
>
16
GpgKey
.
find_by_fingerprint
(
fingerprint
)
||
GpgKeySubkey
.
find_by_fingerprint
(
fingerprint
)
else
GpgKey
.
find_by_primary_keyid
(
fingerprint
)
||
GpgKeySubkey
.
find_by_keyid
(
fingerprint
)
end
end
# rubocop: enable CodeReuse/ActiveRecord
end
end
end
spec/lib/gitlab/gpg/commit_spec.rb
View file @
bab76f76
...
...
@@ -109,6 +109,89 @@ describe Gitlab::Gpg::Commit do
end
end
context
'valid key signed using recent version of Gnupg'
do
let!
(
:commit
)
{
create
:commit
,
project:
project
,
sha:
commit_sha
,
committer_email:
GpgHelpers
::
User1
.
emails
.
first
}
let!
(
:user
)
{
create
(
:user
,
email:
GpgHelpers
::
User1
.
emails
.
first
)
}
let!
(
:gpg_key
)
do
create
:gpg_key
,
key:
GpgHelpers
::
User1
.
public_key
,
user:
user
end
let!
(
:crypto
)
{
instance_double
(
GPGME
::
Crypto
)
}
before
do
fake_signature
=
[
GpgHelpers
::
User1
.
signed_commit_signature
,
GpgHelpers
::
User1
.
signed_commit_base_data
]
allow
(
Gitlab
::
Git
::
Commit
).
to
receive
(
:extract_signature_lazily
)
.
with
(
Gitlab
::
Git
::
Repository
,
commit_sha
)
.
and_return
(
fake_signature
)
end
it
'returns a valid signature'
do
verified_signature
=
double
(
'verified-signature'
,
fingerprint:
GpgHelpers
::
User1
.
fingerprint
,
valid?:
true
)
allow
(
GPGME
::
Crypto
).
to
receive
(
:new
).
and_return
(
crypto
)
allow
(
crypto
).
to
receive
(
:verify
).
and_return
(
verified_signature
)
signature
=
described_class
.
new
(
commit
).
signature
expect
(
signature
).
to
have_attributes
(
commit_sha:
commit_sha
,
project:
project
,
gpg_key:
gpg_key
,
gpg_key_primary_keyid:
GpgHelpers
::
User1
.
primary_keyid
,
gpg_key_user_name:
GpgHelpers
::
User1
.
names
.
first
,
gpg_key_user_email:
GpgHelpers
::
User1
.
emails
.
first
,
verification_status:
'verified'
)
end
end
context
'valid key signed using older version of Gnupg'
do
let!
(
:commit
)
{
create
:commit
,
project:
project
,
sha:
commit_sha
,
committer_email:
GpgHelpers
::
User1
.
emails
.
first
}
let!
(
:user
)
{
create
(
:user
,
email:
GpgHelpers
::
User1
.
emails
.
first
)
}
let!
(
:gpg_key
)
do
create
:gpg_key
,
key:
GpgHelpers
::
User1
.
public_key
,
user:
user
end
let!
(
:crypto
)
{
instance_double
(
GPGME
::
Crypto
)
}
before
do
fake_signature
=
[
GpgHelpers
::
User1
.
signed_commit_signature
,
GpgHelpers
::
User1
.
signed_commit_base_data
]
allow
(
Gitlab
::
Git
::
Commit
).
to
receive
(
:extract_signature_lazily
)
.
with
(
Gitlab
::
Git
::
Repository
,
commit_sha
)
.
and_return
(
fake_signature
)
end
it
'returns a valid signature'
do
keyid
=
GpgHelpers
::
User1
.
fingerprint
.
last
(
16
)
verified_signature
=
double
(
'verified-signature'
,
fingerprint:
keyid
,
valid?:
true
)
allow
(
GPGME
::
Crypto
).
to
receive
(
:new
).
and_return
(
crypto
)
allow
(
crypto
).
to
receive
(
:verify
).
and_return
(
verified_signature
)
signature
=
described_class
.
new
(
commit
).
signature
expect
(
signature
).
to
have_attributes
(
commit_sha:
commit_sha
,
project:
project
,
gpg_key:
gpg_key
,
gpg_key_primary_keyid:
GpgHelpers
::
User1
.
primary_keyid
,
gpg_key_user_name:
GpgHelpers
::
User1
.
names
.
first
,
gpg_key_user_email:
GpgHelpers
::
User1
.
emails
.
first
,
verification_status:
'verified'
)
end
end
context
'commit signed with a subkey'
do
let!
(
:commit
)
{
create
:commit
,
project:
project
,
sha:
commit_sha
,
committer_email:
GpgHelpers
::
User3
.
emails
.
first
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment