Add latest changes from gitlab-org/gitlab@16-2-stable-eev16.2.0-rc42

author: GitLab Bot <gitlab-bot@gitlab.com> 2023-07-19 17:16:28 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2023-07-19 17:16:28 +0300
commit: e4384360a16dd9a19d4d2d25d0ef1f2b862ed2a6 (patch)
tree: 2fcdfa7dcdb9db8f5208b2562f4b4e803d671243 /lib/gitlab/ssh
parent: ffda4e7bcac36987f936b4ba515995a6698698f0 (diff)
2 files changed, 13 insertions, 2 deletions
diff --git a/lib/gitlab/ssh/commit.rb b/lib/gitlab/ssh/commit.rb
index d9ac8c1b881..7d7cc529b1a 100644
--- a/lib/gitlab/ssh/commit.rb
+++ b/lib/gitlab/ssh/commit.rb
@@ -10,7 +10,7 @@ module Gitlab
       end
 
       def attributes
-        signature = ::Gitlab::Ssh::Signature.new(signature_text, signed_text, @commit.committer_email)
+        signature = ::Gitlab::Ssh::Signature.new(signature_text, signed_text, signer, @commit.committer_email)
 
         {
           commit_sha: @commit.sha,
diff --git a/lib/gitlab/ssh/signature.rb b/lib/gitlab/ssh/signature.rb
index 763d89116f1..6b0cab75557 100644
--- a/lib/gitlab/ssh/signature.rb
+++ b/lib/gitlab/ssh/signature.rb
@@ -11,15 +11,17 @@ module Gitlab
 
       GIT_NAMESPACE = 'git'
 
-      def initialize(signature_text, signed_text, committer_email)
+      def initialize(signature_text, signed_text, signer, committer_email)
         @signature_text = signature_text
         @signed_text = signed_text
+        @signer = signer
         @committer_email = committer_email
       end
 
       def verification_status
         strong_memoize(:verification_status) do
           next :unverified unless all_attributes_present?
+          next :verified_system if verified_by_gitlab?
           next :unverified unless valid_signature_blob?
           next :unknown_key unless signed_by_key
           next :other_user unless committer
@@ -81,6 +83,15 @@ module Gitlab
           nil
         end
       end
+
+      # If a commit is signed by Gitaly, the Gitaly returns `SIGNER_SYSTEM` as a signer
+      # In order to calculate it, the signature is Verified using the Gitaly's public key:
+      # https://gitlab.com/gitlab-org/gitaly/-/blob/v16.2.0-rc2/internal/gitaly/service/commit/commit_signatures.go#L63
+      #
+      # It is safe to skip verification step if the commit has been signed by Gitaly
+      def verified_by_gitlab?
+        @signer == :SIGNER_SYSTEM
+      end
     end
   end
 end
author	GitLab Bot <gitlab-bot@gitlab.com>	2023-07-19 17:16:28 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2023-07-19 17:16:28 +0300
commit	e4384360a16dd9a19d4d2d25d0ef1f2b862ed2a6 (patch)
tree	2fcdfa7dcdb9db8f5208b2562f4b4e803d671243 /lib/gitlab/ssh
parent	ffda4e7bcac36987f936b4ba515995a6698698f0 (diff)