
Please support upper case mail addresses for X.509 git commit signing

Summary

I signed a commit with smimesign (https://github.com/github/smimesign) successfully. Smimesign shows a good signature locally.

smimesign: Signature made using certificate ID 0x8d2555...
smimesign: Good signature from "CN=<John Doe>,O=<My Company>,L=<redacted>,C=DE,1.2.840.113549.1.9.1=#0c1f416e64726561732e46656c6465724064657574736368656261686e2e636f6d"
Author: John Doe <john.doe@mycompany.com>
Date:   Thu Sep 22 13:24:29 2022 +0200
    Test

My certificate is issued for "John Doe" with the mail address "John.Doe@mycompany.com" in upper case. GitLab shows an "Unverified" label with the message: This commit was signed with an unverified signature.

I assume this is because my verified mail address is always in lower case. Even if I try to add one in upper case, it is converted to lower case.

Steps to reproduce

What is the current bug behavior?

Commits get the "unverified" badge.

What is the expected correct behavior?

Commits should get the "verified" badge.

Relevant logs and/or screenshots

Output of checks

Results of GitLab environment info

GitLab Community Edition 15.3.3 (on premise)


Possible fixes

The verified email addresses check should perform a case-insensitive comparison, see:

https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/x509/signature.rb#L40

        if user.verified_emails.include?(@email) && certificate_email == @email
          :verified
        else
          :unverified
        end
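To illustrate the proposed fix, here is an added example (not GitLab's code) that places the current case-sensitive check next to a case-insensitive variant. The module name, method names and the sample addresses are constructed for the illustration; the input values mirror the situation described in the issue (a lower-case verified address, an upper-case certificate address).

```ruby
# Added example, not part of GitLab. Computes the X.509 verification
# status two ways so the effect of the case-insensitive comparison is visible.
module X509EmailCheck
  module_function

  # Normalize an address for comparison. GitLab stores verified addresses in
  # lower case, so lowering the whole address (local part included) matches
  # what the user actually verified; the comparison set never grows.
  def normalize(email)
    email.to_s.strip.downcase
  end

  # Current behaviour (as quoted in the issue): exact string comparison.
  def status_case_sensitive(verified_emails, certificate_email, commit_email)
    if verified_emails.include?(commit_email) && certificate_email == commit_email
      :verified
    else
      :unverified
    end
  end

  # Proposed behaviour: normalize every address before comparing. Both the
  # "is the commit address verified" check and the "does the certificate
  # address match the commit address" check need the same treatment.
  def status_case_insensitive(verified_emails, certificate_email, commit_email)
    commit   = normalize(commit_email)
    verified = verified_emails.map { |e| normalize(e) }
    if verified.include?(commit) && normalize(certificate_email) == commit
      :verified
    else
      :unverified
    end
  end
end

# Constructed sample input mirroring the report: the user verified the
# lower-case address, the certificate carries it in mixed case.
VERIFIED   = ["john.doe@mycompany.com"].freeze
CERT_EMAIL = "John.Doe@mycompany.com"
COMMIT_EMAIL = "john.doe@mycompany.com"

if __FILE__ == $PROGRAM_NAME
  puts "case-sensitive:   #{X509EmailCheck.status_case_sensitive(VERIFIED, CERT_EMAIL, COMMIT_EMAIL)}"
  puts "case-insensitive: #{X509EmailCheck.status_case_insensitive(VERIFIED, CERT_EMAIL, COMMIT_EMAIL)}"
end
```

Only the address comparison becomes case-insensitive; an address the user never verified, or a certificate whose address differs from the commit author address, is still reported as unverified, so the change does not widen what counts as a verified signature.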
Edited by Andreas