verify gpg commit using tmp keyring and db query

2f956fae · Alexis Reigel · 3c42d730 · 2f956fae · 2f956fae · 2f956fae
Commit 2f956fae authored Jun 13, 2017 by Alexis Reigel
4 changed files
--- a/app/models/commit.rb
+++ b/app/models/commit.rb
@@ -240,7 +240,22 @@ class Commit
    @signature = nil

    signature, signed_text = @raw.signature(project.repository)
-    if signature && signed_text
+
+    return unless signature && signed_text
+
+    Gitlab::Gpg.using_tmp_keychain do
+      # first we need to get the keyid from the signature...
+      GPGME::Crypto.new.verify(signature, signed_text: signed_text) do |verified_signature|
+        @signature = verified_signature
+      end
+
+      # ... then we query the gpg key belonging to the keyid.
+      gpg_key = GpgKey.find_by(primary_keyid: @signature.fingerprint)
+
+      return @signature unless gpg_key
+
+      Gitlab::Gpg::CurrentKeyChain.add(gpg_key.key)
+
      GPGME::Crypto.new.verify(signature, signed_text: signed_text) do |verified_signature|
        @signature = verified_signature
      end

--- a/lib/gitlab/gpg.rb
+++ b/lib/gitlab/gpg.rb
@@ -2,6 +2,14 @@ module Gitlab
  module Gpg
    extend self

+    module CurrentKeyChain
+      extend self
+
+      def add(key)
+        GPGME::Key.import(key)
+      end
+    end
+
    def fingerprints_from_key(key)
      using_tmp_keychain do
        import = GPGME::Key.import(key)

--- a/spec/lib/gitlab/gpg_spec.rb
+++ b/spec/lib/gitlab/gpg_spec.rb
@@ -43,3 +43,20 @@ describe Gitlab::Gpg do
    end
  end
 end
+
+describe Gitlab::Gpg::CurrentKeyChain, :gpg do
+  describe '.add', :gpg do
+    it 'stores the key in the keychain' do
+      expect(GPGME::Key.find(:public, GpgHelpers::User1.fingerprint)).to eq []
+
+      described_class.add(GpgHelpers::User1.public_key)
+
+      keys = GPGME::Key.find(:public, GpgHelpers::User1.fingerprint)
+      expect(keys.count).to eq 1
+      expect(keys.first).to have_attributes(
+        email: GpgHelpers::User1.emails.first,
+        fingerprint: GpgHelpers::User1.fingerprint
+      )
+    end
+  end
+end
--- a/spec/models/commit_spec.rb
+++ b/spec/models/commit_spec.rb
@@ -422,7 +422,7 @@ eos

    context 'signed commit', :gpg do
      it 'returns a valid signature if the public key is known' do
-        GPGME::Key.import(GpgHelpers::User1.public_key)
+        create :gpg_key, key: GpgHelpers::User1.public_key

        raw_commit = double(:raw_commit, signature: [
          GpgHelpers::User1.signed_commit_signature,
@@ -438,7 +438,7 @@ eos
        expect(commit.signature.valid?).to be_truthy
      end

-      it 'returns an invalid signature if the public commit is unknown', :gpg do
+      it 'returns an invalid signature if the public key is unknown', :gpg do
        raw_commit = double(:raw_commit, signature: [
          GpgHelpers::User1.signed_commit_signature,
          GpgHelpers::User1.signed_commit_base_data