Merge branch '36829-gpg-commit-not-verified-if-signed-with-a-subkey' into 'master'

Add support for GPG subkeys in signature verification

Closes #36829

See merge request gitlab-org/gitlab-ce!14517

app/assets/stylesheets/pages/profile.scss

@@ -108,6 +108,15 @@
   }
 }
 
+.subkeys-list {
+  @include basic-list;
+
+  li {
+    padding: 3px 0;
+    border: none;
+  }
+}
+
 .key-list-item {
   .key-list-item-info {
     @media (min-width: $screen-sm-min) {

app/controllers/profiles/gpg_keys_controller.rb

@@ -2,7 +2,7 @@ class Profiles::GpgKeysController < Profiles::ApplicationController
   before_action :set_gpg_key, only: [:destroy, :revoke]
 
   def index
-    @gpg_keys = current_user.gpg_keys
+    @gpg_keys = current_user.gpg_keys.with_subkeys
     @gpg_key = GpgKey.new
   end
 

app/models/gpg_key.rb

@@ -9,6 +9,9 @@ class GpgKey < ActiveRecord::Base
 
   belongs_to :user
   has_many :gpg_signatures
+  has_many :subkeys, class_name: 'GpgKeySubkey'
+
+  scope :with_subkeys, -> { includes(:subkeys) }
 
   validates :user, presence: true
 
@@ -36,10 +39,12 @@ class GpgKey < ActiveRecord::Base
 
   before_validation :extract_fingerprint, :extract_primary_keyid
   after_commit :update_invalid_gpg_signatures, on: :create
+  after_create :generate_subkeys
 
   def primary_keyid
     super&.upcase
   end
+  alias_method :keyid, :primary_keyid
 
   def fingerprint
     super&.upcase
@@ -49,6 +54,10 @@ class GpgKey < ActiveRecord::Base
     super(value&.strip)
   end
 
+  def keyids
+    [keyid].concat(subkeys.map(&:keyid))
+  end
+
   def user_infos
     @user_infos ||= Gitlab::Gpg.user_infos_from_key(key)
   end
@@ -82,10 +91,11 @@ class GpgKey < ActiveRecord::Base
 
   def revoke
     GpgSignature
-      .where(gpg_key: self)
+      .with_key_and_subkeys(self)
       .where.not(verification_status: GpgSignature.verification_statuses[:unknown_key])
       .update_all(
         gpg_key_id: nil,
+        gpg_key_subkey_id: nil,
         verification_status: GpgSignature.verification_statuses[:unknown_key],
         updated_at: Time.zone.now
       )
@@ -106,4 +116,12 @@ class GpgKey < ActiveRecord::Base
     # only allows one key
     self.primary_keyid = Gitlab::Gpg.primary_keyids_from_key(key).first
   end
+
+  def generate_subkeys
+    gpg_subkeys = Gitlab::Gpg.subkeys_from_key(key)
+
+    gpg_subkeys[primary_keyid]&.each do |subkey_data|
+      subkeys.create!(keyid: subkey_data[:keyid], fingerprint: subkey_data[:fingerprint])
+    end
+  end
 end

app/models/gpg_key_subkey.rb

+class GpgKeySubkey < ActiveRecord::Base
+  include ShaAttribute
+
+  sha_attribute :keyid
+  sha_attribute :fingerprint
+
+  belongs_to :gpg_key
+
+  validates :gpg_key_id, presence: true
+  validates :fingerprint, :keyid, presence: true, uniqueness: true
+
+  delegate :key, :user, :user_infos, :verified?, :verified_user_infos,
+    :verified_and_belongs_to_email?, to: :gpg_key
+
+  def keyid
+    super&.upcase
+  end
+
+  def fingerprint
+    super&.upcase
+  end
+end

app/models/gpg_signature.rb

@@ -15,11 +15,42 @@ class GpgSignature < ActiveRecord::Base
 
   belongs_to :project
   belongs_to :gpg_key
+  belongs_to :gpg_key_subkey
 
   validates :commit_sha, presence: true
   validates :project_id, presence: true
   validates :gpg_key_primary_keyid, presence: true
 
+  def self.with_key_and_subkeys(gpg_key)
+    subkey_ids = gpg_key.subkeys.pluck(:id)
+
+    where(
+      arel_table[:gpg_key_id].eq(gpg_key.id).or(
+        arel_table[:gpg_key_subkey_id].in(subkey_ids)
+      )
+    )
+  end
+
+  def gpg_key=(model)
+    case model
+    when GpgKey
+      super
+    when GpgKeySubkey
+      self.gpg_key_subkey = model
+    when NilClass
+      super
+      self.gpg_key_subkey = nil
+    end
+  end
+
+  def gpg_key
+    if gpg_key_id
+      super
+    elsif gpg_key_subkey_id
+      gpg_key_subkey
+    end
+  end
+
   def gpg_key_primary_keyid
     super&.upcase
   end

app/views/profiles/gpg_keys/_key.html.haml

@@ -7,6 +7,13 @@
 
     .description
       %code= key.fingerprint
+    - if key.subkeys.present?
+      .subkeys
+        %span.bold Subkeys:
+        %ul.subkeys-list
+          - key.subkeys.each do |subkey|
+            %li
+              %code= subkey.fingerprint
   .pull-right
     %span.key-created-at
       created #{time_ago_with_tooltip(key.created_at)}

changelogs/unreleased/36829-add-ability-to-verify-gpg-subkeys.yml

+---
+title: Add support for GPG subkeys in signature verification
+merge_request: 14517
+author:
+type: added

db/migrate/20170927161718_create_gpg_key_subkeys.rb

+class CreateGpgKeySubkeys < ActiveRecord::Migration
+  DOWNTIME = false
+
+  def up
+    create_table :gpg_key_subkeys do |t|
+      t.references :gpg_key, null: false, index: true, foreign_key: { on_delete: :cascade }
+
+      t.binary :keyid
+      t.binary :fingerprint
+
+      t.index :keyid, unique: true, length: Gitlab::Database.mysql? ? 20 : nil
+      t.index :fingerprint, unique: true, length: Gitlab::Database.mysql? ? 20 : nil
+    end
+
+    add_reference :gpg_signatures, :gpg_key_subkey, index: true, foreign_key: { on_delete: :nullify }
+  end
+
+  def down
+    remove_reference(:gpg_signatures, :gpg_key_subkey, index: true, foreign_key: true)
+
+    drop_table :gpg_key_subkeys
+  end
+end

db/post_migrate/20171005130944_schedule_create_gpg_key_subkeys_from_gpg_keys.rb

+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+
+class ScheduleCreateGpgKeySubkeysFromGpgKeys < ActiveRecord::Migration
+  disable_ddl_transaction!
+
+  DOWNTIME = false
+  MIGRATION = 'CreateGpgKeySubkeysFromGpgKeys'
+
+  class GpgKey < ActiveRecord::Base
+    self.table_name = 'gpg_keys'
+
+    include EachBatch
+  end
+
+  def up
+    GpgKey.select(:id).each_batch do |gpg_keys|
+      jobs = gpg_keys.pluck(:id).map do |id|
+        [MIGRATION, [id]]
+      end
+
+      BackgroundMigrationWorker.perform_bulk(jobs)
+    end
+  end
+
+  def down
+  end
+end

db/schema.rb

@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20171004121444) do
+ActiveRecord::Schema.define(version: 20171005130944) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
@@ -580,6 +580,16 @@ ActiveRecord::Schema.define(version: 20171004121444) do
 
   add_index "forked_project_links", ["forked_to_project_id"], name: "index_forked_project_links_on_forked_to_project_id", unique: true, using: :btree
 
+  create_table "gpg_key_subkeys", force: :cascade do |t|
+    t.integer "gpg_key_id", null: false
+    t.binary "keyid"
+    t.binary "fingerprint"
+  end
+
+  add_index "gpg_key_subkeys", ["fingerprint"], name: "index_gpg_key_subkeys_on_fingerprint", unique: true, using: :btree
+  add_index "gpg_key_subkeys", ["gpg_key_id"], name: "index_gpg_key_subkeys_on_gpg_key_id", using: :btree
+  add_index "gpg_key_subkeys", ["keyid"], name: "index_gpg_key_subkeys_on_keyid", unique: true, using: :btree
+
   create_table "gpg_keys", force: :cascade do |t|
     t.datetime_with_timezone "created_at", null: false
     t.datetime_with_timezone "updated_at", null: false
@@ -603,11 +613,13 @@ ActiveRecord::Schema.define(version: 20171004121444) do
     t.text "gpg_key_user_name"
     t.text "gpg_key_user_email"
     t.integer "verification_status", limit: 2, default: 0, null: false
+    t.integer "gpg_key_subkey_id"
   end
 
   add_index "gpg_signatures", ["commit_sha"], name: "index_gpg_signatures_on_commit_sha", unique: true, using: :btree
   add_index "gpg_signatures", ["gpg_key_id"], name: "index_gpg_signatures_on_gpg_key_id", using: :btree
   add_index "gpg_signatures", ["gpg_key_primary_keyid"], name: "index_gpg_signatures_on_gpg_key_primary_keyid", using: :btree
+  add_index "gpg_signatures", ["gpg_key_subkey_id"], name: "index_gpg_signatures_on_gpg_key_subkey_id", using: :btree
   add_index "gpg_signatures", ["project_id"], name: "index_gpg_signatures_on_project_id", using: :btree
 
   create_table "identities", force: :cascade do |t|
@@ -1727,7 +1739,9 @@ ActiveRecord::Schema.define(version: 20171004121444) do
   add_foreign_key "events", "projects", on_delete: :cascade
   add_foreign_key "events", "users", column: "author_id", name: "fk_edfd187b6f", on_delete: :cascade
   add_foreign_key "forked_project_links", "projects", column: "forked_to_project_id", name: "fk_434510edb0", on_delete: :cascade
+  add_foreign_key "gpg_key_subkeys", "gpg_keys", on_delete: :cascade
   add_foreign_key "gpg_keys", "users", on_delete: :cascade
+  add_foreign_key "gpg_signatures", "gpg_key_subkeys", on_delete: :nullify
   add_foreign_key "gpg_signatures", "gpg_keys", on_delete: :nullify
   add_foreign_key "gpg_signatures", "projects", on_delete: :cascade
   add_foreign_key "issue_assignees", "issues", name: "fk_b7d881734a", on_delete: :cascade

lib/gitlab/background_migration/create_gpg_key_subkeys_from_gpg_keys.rb

+class Gitlab::BackgroundMigration::CreateGpgKeySubkeysFromGpgKeys
+  class GpgKey < ActiveRecord::Base
+    self.table_name = 'gpg_keys'
+
+    include EachBatch
+    include ShaAttribute
+
+    sha_attribute :primary_keyid
+    sha_attribute :fingerprint
+
+    has_many :subkeys, class_name: 'GpgKeySubkey'
+  end
+
+  class GpgKeySubkey < ActiveRecord::Base
+    self.table_name = 'gpg_key_subkeys'
+
+    include ShaAttribute
+
+    sha_attribute :keyid
+    sha_attribute :fingerprint
+  end
+
+  def perform(gpg_key_id)
+    gpg_key = GpgKey.find_by(id: gpg_key_id)
+
+    return if gpg_key.nil?
+    return if gpg_key.subkeys.any?
+
+    create_subkeys(gpg_key)
+    update_signatures(gpg_key)
+  end
+
+  private
+
+  def create_subkeys(gpg_key)
+    gpg_subkeys = Gitlab::Gpg.subkeys_from_key(gpg_key.key)
+
+    gpg_subkeys[gpg_key.primary_keyid.upcase]&.each do |subkey_data|
+      gpg_key.subkeys.build(keyid: subkey_data[:keyid], fingerprint: subkey_data[:fingerprint])
+    end
+
+    # Improve latency by doing all INSERTs in a single call
+    GpgKey.transaction do
+      gpg_key.save!
+    end
+  end
+
+  def update_signatures(gpg_key)
+    return unless gpg_key.subkeys.exists?
+
+    InvalidGpgSignatureUpdateWorker.perform_async(gpg_key.id)
+  end
+end

lib/gitlab/gpg.rb

@@ -34,6 +34,21 @@ module Gitlab
       end
     end
 
+    def subkeys_from_key(key)
+      using_tmp_keychain do
+        fingerprints = CurrentKeyChain.fingerprints_from_key(key)
+        raw_keys     = GPGME::Key.find(:public, fingerprints)
+
+        raw_keys.each_with_object({}) do |raw_key, grouped_subkeys|
+          primary_subkey_id = raw_key.primary_subkey.keyid
+
+          grouped_subkeys[primary_subkey_id] = raw_key.subkeys[1..-1].map do |s|
+            { keyid: s.keyid, fingerprint: s.fingerprint }
+          end
+        end
+      end
+    end
+
     def user_infos_from_key(key)
       using_tmp_keychain do
         fingerprints = CurrentKeyChain.fingerprints_from_key(key)

lib/gitlab/gpg/commit.rb

@@ -43,7 +43,9 @@ module Gitlab
           # key belonging to the keyid.
           # This way we can add the key to the temporary keychain and extract
           # the proper signature.
-          gpg_key = GpgKey.find_by(primary_keyid: verified_signature.fingerprint)
+          # NOTE: the invoked method is #fingerprint but it's only returning
+          # 16 characters (the format used by keyid) instead of 40.
+          gpg_key = find_gpg_key(verified_signature.fingerprint)
 
           if gpg_key
             Gitlab::Gpg::CurrentKeyChain.add(gpg_key.key)
@@ -74,7 +76,7 @@ module Gitlab
           commit_sha: @commit.sha,
           project: @commit.project,
           gpg_key: gpg_key,
-          gpg_key_primary_keyid: gpg_key&.primary_keyid || verified_signature.fingerprint,
+          gpg_key_primary_keyid: gpg_key&.keyid || verified_signature.fingerprint,
           gpg_key_user_name: user_infos[:name],
           gpg_key_user_email: user_infos[:email],
           verification_status: verification_status
@@ -98,6 +100,10 @@ module Gitlab
       def user_infos(gpg_key)
         gpg_key&.verified_user_infos&.first || gpg_key&.user_infos&.first || {}
       end
+
+      def find_gpg_key(keyid)
+        GpgKey.find_by(primary_keyid: keyid) || GpgKeySubkey.find_by(keyid: keyid)
+      end
     end
   end
 end

lib/gitlab/gpg/invalid_gpg_signature_updater.rb

@@ -9,7 +9,7 @@ module Gitlab
         GpgSignature
           .select(:id, :commit_sha, :project_id)
           .where('gpg_key_id IS NULL OR verification_status <> ?', GpgSignature.verification_statuses[:verified])
-          .where(gpg_key_primary_keyid: @gpg_key.primary_keyid)
+          .where(gpg_key_primary_keyid: @gpg_key.keyids)
           .find_each { |sig| sig.gpg_commit.update_signature!(sig) }
       end
     end

spec/factories/gpg_key_subkeys.rb

+require_relative '../support/gpg_helpers'
+
+FactoryGirl.define do
+  factory :gpg_key_subkey do
+    gpg_key
+
+    sequence(:keyid) { |n| "keyid-#{n}" }
+    sequence(:fingerprint) { |n| "fingerprint-#{n}" }
+  end
+end

spec/factories/gpg_keys.rb

@@ -4,5 +4,9 @@ FactoryGirl.define do
   factory :gpg_key do
     key GpgHelpers::User1.public_key
     user
+
+    factory :gpg_key_with_subkeys do
+      key GpgHelpers::User1.public_key_with_extra_signing_key
+    end
   end
 end

spec/factories/gpg_signature.rb

@@ -5,7 +5,7 @@ FactoryGirl.define do
     commit_sha { Digest::SHA1.hexdigest(SecureRandom.hex) }
     project
     gpg_key
-    gpg_key_primary_keyid { gpg_key.primary_keyid }
+    gpg_key_primary_keyid { gpg_key.keyid }
     verification_status :verified
   end
 end

spec/features/profiles/gpg_keys_spec.rb

@@ -20,6 +20,18 @@ feature 'Profile > GPG Keys' do
       expect(page).to have_content('bette.cartwright@example.net Unverified')
       expect(page).to have_content(GpgHelpers::User2.fingerprint)
     end
+
+    scenario 'with multiple subkeys' do
+      fill_in('Key', with: GpgHelpers::User3.public_key)
+      click_button('Add key')
+
+      expect(page).to have_content('john.doe@example.com Unverified')
+      expect(page).to have_content(GpgHelpers::User3.fingerprint)
+
+      GpgHelpers::User3.subkey_fingerprints.each do |fingerprint|
+        expect(page).to have_content(fingerprint)
+      end
+    end
   end
 
   scenario 'User sees their key' do

spec/lib/gitlab/background_migration/create_gpg_key_subkeys_from_gpg_keys_spec.rb

+require 'spec_helper'
+
+describe Gitlab::BackgroundMigration::CreateGpgKeySubkeysFromGpgKeys, :migration, schema: 20171005130944 do
+  context 'when GpgKey exists' do
+    let!(:gpg_key) { create(:gpg_key, key: GpgHelpers::User3.public_key) }
+
+    before do
+      GpgKeySubkey.destroy_all
+    end
+
+    it 'generate the subkeys' do
+      expect do
+        described_class.new.perform(gpg_key.id)
+      end.to change { gpg_key.subkeys.count }.from(0).to(2)
+    end
+
+    it 'schedules the signature update worker' do
+      expect(InvalidGpgSignatureUpdateWorker).to receive(:perform_async).with(gpg_key.id)
+
+      described_class.new.perform(gpg_key.id)
+    end
+  end
+
+  context 'when GpgKey does not exist' do
+    it 'does not do anything' do
+      expect(Gitlab::Gpg).not_to receive(:subkeys_from_key)
+      expect(InvalidGpgSignatureUpdateWorker).not_to receive(:perform_async)
+
+      described_class.new.perform(123)
+    end
+  end
+end

spec/lib/gitlab/gpg/commit_spec.rb

@@ -63,6 +63,45 @@ describe Gitlab::Gpg::Commit do
           it_behaves_like 'returns the cached signature on second call'
         end
 
+        context 'commit signed with a subkey' do
+          let!(:commit) { create :commit, project: project, sha: commit_sha, committer_email: GpgHelpers::User3.emails.first }
+
+          let!(:user) { create(:user, email: GpgHelpers::User3.emails.first) }
+
+          let!(:gpg_key) do
+            create :gpg_key, key: GpgHelpers::User3.public_key, user: user
+          end
+
+          let(:gpg_key_subkey) do
+            gpg_key.subkeys.find_by(fingerprint: '0522DD29B98F167CD8421752E38FFCAF75ABD92A')
+          end
+
+          before do
+            allow(Rugged::Commit).to receive(:extract_signature)
+            .with(Rugged::Repository, commit_sha)
+            .and_return(
+              [
+                GpgHelpers::User3.signed_commit_signature,
+                GpgHelpers::User3.signed_commit_base_data
+              ]
+            )
+          end
+
+          it 'returns a valid signature' do
+            expect(described_class.new(commit).signature).to have_attributes(
+              commit_sha: commit_sha,
+              project: project,
+              gpg_key: gpg_key_subkey,
+              gpg_key_primary_keyid: gpg_key_subkey.keyid,
+              gpg_key_user_name: GpgHelpers::User3.names.first,
+              gpg_key_user_email: GpgHelpers::User3.emails.first,
+              verification_status: 'verified'
+            )
+          end
+
+          it_behaves_like 'returns the cached signature on second call'
+        end
+
         context 'user email does not match the committer email, but is the same user' do
           let!(:commit) { create :commit, project: project, sha: commit_sha, committer_email: GpgHelpers::User2.emails.first }
 

spec/lib/gitlab/gpg/invalid_gpg_signature_updater_spec.rb

@@ -2,17 +2,16 @@ require 'rails_helper'
 
 RSpec.describe Gitlab::Gpg::InvalidGpgSignatureUpdater do
   describe '#run' do
+    let(:signature)       { [GpgHelpers::User1.signed_commit_signature, GpgHelpers::User1.signed_commit_base_data] }
+    let(:committer_email) { GpgHelpers::User1.emails.first }
     let!(:commit_sha)     { '0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33' }
     let!(:project)        { create :project, :repository, path: 'sample-project' }
     let!(:raw_commit) do
       raw_commit = double(
         :raw_commit,
-        signature: [
-          GpgHelpers::User1.signed_commit_signature,
-          GpgHelpers::User1.signed_commit_base_data
-        ],
+        signature: signature,
         sha: commit_sha,
-        committer_email: GpgHelpers::User1.emails.first
+        committer_email: committer_email
       )
 
       allow(raw_commit).to receive :save!
@@ -29,12 +28,7 @@ RSpec.describe Gitlab::Gpg::InvalidGpgSignatureUpdater do
 
       allow(Rugged::Commit).to receive(:extract_signature)
         .with(Rugged::Repository, commit_sha)
-        .and_return(
-          [
-            GpgHelpers::User1.signed_commit_signature,
-            GpgHelpers::User1.signed_commit_base_data
-          ]
-        )
+        .and_return(signature)
     end
 
     context 'gpg signature did have an associated gpg key which was removed later' do
@@ -183,5 +177,34 @@ RSpec.describe Gitlab::Gpg::InvalidGpgSignatureUpdater do
         )
       end
     end
+
+    context 'gpg signature did not have an associated gpg subkey' do
+      let(:signature)       { [GpgHelpers::User3.signed_commit_signature, GpgHelpers::User3.signed_commit_base_data] }
+      let(:committer_email) { GpgHelpers::User3.emails.first }
+      let!(:user)           { create :user, email: GpgHelpers::User3.emails.first }
+
+      let!(:invalid_gpg_signature) do
+        create :gpg_signature,
+          project: project,
+          commit_sha: commit_sha,
+          gpg_key: nil,
+          gpg_key_primary_keyid: GpgHelpers::User3.subkey_fingerprints.last[24..-1],
+          verification_status: 'unknown_key'
+      end
+
+      it 'updates the signature to being valid when the missing gpg key is added' do
+        # InvalidGpgSignatureUpdater is called by the after_create hook
+        gpg_key = create(:gpg_key, key: GpgHelpers::User3.public_key, user: user)
+        subkey = gpg_key.subkeys.last
+
+        expect(invalid_gpg_signature.reload).to have_attributes(
+          project: project,
+          commit_sha: commit_sha,
+          gpg_key_subkey_id: subkey.id,
+          gpg_key_primary_keyid: subkey.keyid,
+          verification_status: 'verified'
+        )
+      end
+    end
   end
 end

spec/lib/gitlab/gpg_spec.rb

@@ -28,6 +28,23 @@ describe Gitlab::Gpg do
     end
   end
 
+  describe '.subkeys_from_key' do
+    it 'returns the subkeys by primary key' do
+      all_subkeys = described_class.subkeys_from_key(GpgHelpers::User1.public_key)
+      subkeys = all_subkeys[GpgHelpers::User1.primary_keyid]
+
+      expect(subkeys).to be_present
+      expect(subkeys.first[:keyid]).to be_present
+      expect(subkeys.first[:fingerprint]).to be_present
+    end
+
+    it 'returns an empty array when there are not subkeys' do
+      all_subkeys = described_class.subkeys_from_key(GpgHelpers::User4.public_key)
+
+      expect(all_subkeys[GpgHelpers::User4.primary_keyid]).to be_empty
+    end
+  end
+
   describe '.user_infos_from_key' do
     it 'returns the names and emails' do
       user_infos = described_class.user_infos_from_key(GpgHelpers::User1.public_key)

spec/migrations/schedule_create_gpg_key_subkeys_from_gpg_keys_spec.rb

+require 'spec_helper'
+require Rails.root.join('db', 'post_migrate', '20171005130944_schedule_create_gpg_key_subkeys_from_gpg_keys')
+
+describe ScheduleCreateGpgKeySubkeysFromGpgKeys, :migration, :sidekiq do
+  matcher :be_scheduled_migration do |*expected|
+    match do |migration|
+      BackgroundMigrationWorker.jobs.any? do |job|
+        job['args'] == [migration, expected]
+      end
+    end
+
+    failure_message do |migration|
+      "Migration `#{migration}` with args `#{expected.inspect}` not scheduled!"
+    end
+  end
+
+  before do
+    create(:gpg_key, id: 1, key: GpgHelpers::User1.public_key)
+    create(:gpg_key, id: 2, key: GpgHelpers::User3.public_key)
+    # Delete all subkeys so they can be recreated
+    GpgKeySubkey.destroy_all
+  end
+
+  it 'correctly schedules background migrations' do
+    Sidekiq::Testing.fake! do
+      migrate!
+
+      expect(described_class::MIGRATION).to be_scheduled_migration(1)
+      expect(described_class::MIGRATION).to be_scheduled_migration(2)
+      expect(BackgroundMigrationWorker.jobs.size).to eq(2)
+    end
+  end
+
+  it 'schedules background migrations' do
+    Sidekiq::Testing.inline! do
+      expect(GpgKeySubkey.count).to eq(0)
+
+      migrate!
+
+      expect(GpgKeySubkey.count).to eq(3)
+    end
+  end
+end

spec/models/gpg_key_spec.rb

@@ -3,6 +3,7 @@ require 'rails_helper'
 describe GpgKey do
   describe "associations" do
     it { is_expected.to belong_to(:user) }
+    it { is_expected.to have_many(:subkeys) }
   end
 
   describe "validation" do
@@ -38,6 +39,14 @@ describe GpgKey do
         expect(gpg_key.primary_keyid).to eq GpgHelpers::User1.primary_keyid
       end
     end
+
+    describe 'generate_subkeys' do
+      it 'extracts the subkeys from the gpg key' do
+        gpg_key = create(:gpg_key, key: GpgHelpers::User1.public_key_with_extra_signing_key)
+
+        expect(gpg_key.subkeys.count).to eq(2)
+      end
+    end
   end
 
   describe '#key=' do
@@ -182,5 +191,29 @@ describe GpgKey do
 
       expect(unrelated_gpg_key.destroyed?).to be false
     end
+
+    it 'deletes all the associated subkeys' do
+      gpg_key = create :gpg_key, key: GpgHelpers::User3.public_key
+
+      expect(gpg_key.subkeys).to be_present
+
+      gpg_key.revoke
+
+      expect(gpg_key.subkeys(true)).to be_blank
+    end
+
+    it 'invalidates all signatures associated to the subkeys' do
+      gpg_key = create :gpg_key, key: GpgHelpers::User3.public_key
+      gpg_key_subkey = gpg_key.subkeys.last
+      gpg_signature = create :gpg_signature, verification_status: :verified, gpg_key: gpg_key_subkey
+
+      gpg_key.revoke
+
+      expect(gpg_signature.reload).to have_attributes(
+        verification_status: 'unknown_key',
+        gpg_key: nil,
+        gpg_key_subkey: nil
+      )
+    end
   end
 end

spec/models/gpg_key_subkey_spec.rb

+require 'rails_helper'
+
+describe GpgKeySubkey do
+  subject { build(:gpg_key_subkey) }
+
+  describe 'associations' do
+    it { is_expected.to belong_to(:gpg_key) }
+  end
+
+  describe 'validations' do
+    it { is_expected.to validate_presence_of(:gpg_key_id) }
+    it { is_expected.to validate_presence_of(:fingerprint) }
+    it { is_expected.to validate_presence_of(:keyid) }
+  end
+end

spec/models/gpg_signature_spec.rb

 require 'rails_helper'
 
 RSpec.describe GpgSignature do
+  let(:gpg_key) { create(:gpg_key) }
+  let(:gpg_key_subkey) { create(:gpg_key_subkey) }
+
   describe 'associations' do
     it { is_expected.to belong_to(:project) }
     it { is_expected.to belong_to(:gpg_key) }
+    it { is_expected.to belong_to(:gpg_key_subkey) }
   end
 
   describe 'validation' do
@@ -25,4 +29,26 @@ RSpec.describe GpgSignature do
       gpg_signature.commit
     end
   end
+
+  describe '#gpg_key=' do
+    it 'supports the assignment of a GpgKey' do
+      gpg_signature = create(:gpg_signature, gpg_key: gpg_key)
+
+      expect(gpg_signature.gpg_key).to be_an_instance_of(GpgKey)
+    end
+
+    it 'supports the assignment of a GpgKeySubkey' do
+      gpg_signature = create(:gpg_signature, gpg_key: gpg_key_subkey)
+
+      expect(gpg_signature.gpg_key).to be_an_instance_of(GpgKeySubkey)
+    end
+
+    it 'clears gpg_key and gpg_key_subkey_id when passing nil' do
+      gpg_signature = create(:gpg_signature, gpg_key: gpg_key_subkey)
+      gpg_signature.update_attribute(:gpg_key, nil)
+
+      expect(gpg_signature.gpg_key_id).to be_nil
+      expect(gpg_signature.gpg_key_subkey_id).to be_nil
+    end
+  end
 end

spec/services/gpg_keys/create_service_spec.rb

@@ -18,4 +18,14 @@ describe GpgKeys::CreateService do
   it 'creates a gpg key' do
     expect { subject.execute }.to change { user.gpg_keys.where(params).count }.by(1)
   end
+
+  context 'when the public key contains subkeys' do
+    let(:params) { attributes_for(:gpg_key_with_subkeys) }
+
+    it 'generates the gpg subkeys' do
+      gpg_key = subject.execute
+
+      expect(gpg_key.subkeys.count).to eq(2)
+    end
+  end
 end