Reject multiple PGP signatures for commits
What does this MR do and why?
Contributes to #25616
Problem
It is possible to attach multiple PGP signatures to a commit, but git does not support that (see: https://github.com/git/git/commit/da6cf1b3360eefdce3dbde7632eca57177327f37).
Solution
Reject multiple PGP signatures for commits (even if they are all valid) to match the behavior of git verify-commit.
Show a pop-up message describing why the commit is marked as unverified.
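As an added illustration (not code from this MR or from GitLab), the check below reads a raw git commit object and classifies a commit carrying more than one gpgsig header as multiple_signatures, independent of whether each block would verify. The commit header and signature armor are constructed placeholders.

```ruby
# Count signature headers in a raw git commit object.
# In the header section a signature is a "gpgsig" (or "gpgsig-sha256")
# field whose ASCII-armored body continues on lines that start with a
# single space. The header section ends at the first empty line; the
# commit message follows and is never inspected.
def count_gpgsig_headers(raw_commit)
  count = 0
  raw_commit.each_line do |line|
    line = line.chomp
    break if line.empty?                       # end of the header section
    next if line.start_with?(' ')              # continuation of a header
    count += 1 if line.start_with?('gpgsig ', 'gpgsig-sha256 ')
  end
  count
end

# Hypothetical status mapping in the spirit of the MR: several signature
# blocks are rejected outright, so only a single block is handed on to GPG.
def signature_status(raw_commit)
  case count_gpgsig_headers(raw_commit)
  when 0 then :unsigned
  when 1 then :single_signature   # real verification of the block goes here
  else        :multiple_signatures
  end
end

# Constructed sample commits; the tree hash and armor are placeholders.
HEADER = "tree 0000000000000000000000000000000000000000\n" \
         "author A U Thor <author@example.com> 1700000000 +0000\n" \
         "committer A U Thor <author@example.com> 1700000000 +0000\n"
SIG_BLOCK = "gpgsig -----BEGIN PGP SIGNATURE-----\n" \
            " \n" \
            " iQEzBAABCAAd...placeholder...\n" \
            " =abcd\n" \
            " -----END PGP SIGNATURE-----\n"
MESSAGE = "\nAdd feature\n"

UNSIGNED      = HEADER + MESSAGE
SINGLE_SIGNED = HEADER + SIG_BLOCK + MESSAGE
DOUBLE_SIGNED = HEADER + SIG_BLOCK + SIG_BLOCK + MESSAGE

if __FILE__ == $PROGRAM_NAME
  [UNSIGNED, SINGLE_SIGNED, DOUBLE_SIGNED].each do |commit|
    puts signature_status(commit)
  end
end
```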
Screenshots or screen recordings
How to set up and validate locally
First of all, you need to enable the multiple_gpg_signatures feature flag (for example from a Rails console):
Feature.enable(:multiple_gpg_signatures)
I followed this guide to set up the case: https://mgorny.pl/articles/attack-on-git-signature-verification.html (section "Detailed outline of the test case"). My results are described here
Another (easier) option is to update the verification status of an existing signature from a Rails console:
# mark the most recent signature as if its commit carried multiple signatures
signature = GpgSignature.last
signature.update(verification_status: "multiple_signatures")
# generate a link to the commit page
commit_sha = signature.commit_sha
project_path = signature.project.full_path
puts "http://localhost:3000/#{project_path}/-/commit/#{commit_sha}"
Then open the link in your browser and click the "Unverified" button next to the commit.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.