Limitations of x509 signing

96a0498b · Ben Prescott @bprescott_↙ ☺ · Amy Qualls · ae3ce141 · 96a0498b
Commit 96a0498b authored Aug 17, 2021 by Ben Prescott @bprescott_↙ ☺ Committed by Amy Qualls Aug 17, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 0 deletions

doc/user/project/repository/x509_signed_commits/index.md doc/user/project/repository/x509_signed_commits/index.md +16 -0

No files found.
--- a/doc/user/project/repository/x509_signed_commits/index.md
+++ b/doc/user/project/repository/x509_signed_commits/index.md
@@ -7,6 +7,8 @@ type: concepts, howto
 # Signing commits and tags with X.509 **(FREE)**
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/17773) in GitLab 12.8.
 [X.509](https://en.wikipedia.org/wiki/X.509) is a standard format for public key
 certificates issued by a public or private Public Key Infrastructure (PKI).
 Personal X.509 certificates are used for authentication or signing purposes
@@ -37,6 +39,20 @@ Self signed certificates without `authorityKeyIdentifier`,
 recommend using certificates from a PKI that are in line with
 [RFC 5280](https://tools.ietf.org/html/rfc5280).
+## Limitations
+- If you have more than one email in the Subject Alternative Name list in
+  your signing certificate,
+  [only the first one is used to verify commits](https://gitlab.com/gitlab-org/gitlab/-/issues/336677).
+- The `X509v3 Subject Key Identifier` (SKI) in the issuer certificate and the
+  signing certificate
+  [must be 40 characters long](https://gitlab.com/gitlab-org/gitlab/-/issues/332503).
+  If your SKI is shorter, commits will not show as verified in GitLab, and
+  short subject key identifiers may also
+  [cause errors when accessing the project](https://gitlab.com/gitlab-org/gitlab/-/issues/332464),
+  such as 'An error occurred while loading commit signatures' and
+  `HTTP 422 Unprocessable Entity` errors.
 ## Obtaining an X.509 key pair
 If your organization has Public Key Infrastructure (PKI), that PKI provides