Skip to content

Reject multiple PGP signatures for commits

Vasilii Iakliushin requested to merge 25616_reject_multiple_signatures into master

What does this MR do and why?

Contributes to #25616

Problem

It is possible to attach multiple PGP signatures to the commit. But git does not support that (see: https://github.com/git/git/commit/da6cf1b3360eefdce3dbde7632eca57177327f37).

Solution

Reject multiple PGP signatures for commits (even if they are valid ones) to match git verify-commit behavior.

Show a pop-up message to describe why we mark the commit as unverified.

Screenshots or screen recordings

Screenshot_2021-11-09_at_16.29.49

How to set up and validate locally

First of all, you need to enable FF multiple_gpg_signatures

Feature.enable(:multiple_gpg_signatures)

I followed this guide to setup the case: https://mgorny.pl/articles/attack-on-git-signature-verification.html (section "Detailed outline of the test case"). My results described here

Another option (easier) is to update status of the existing signature

signature = GpgSignature.last

signature.update(verification_status: "multiple_signatures")

# generate a link to the commit page
commit_sha = signature.commit_sha
project_path = signature.project.full_path

puts "http://localhost:3000/#{project_path}/-/commit/#{commit_sha}"

Then open the link in your browser and click on "Unverified" button next to commit.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Vasilii Iakliushin

Merge request reports

Loading