tags: Always enable fix for verification of long tag messages

In contrast to signatures for commits, the signature of a tag is directly attached to the tag message. So to get the tag signature, GitLab loads the tag mesasge from Gitaly and extracts the signature from it. However, if the tag message exceeds a certain length, Gitaly will truncate it and thus keep us from verifying the signature. This was fixed via a new `GetTagSignatures()` RPC in Gitaly, whose use is currently guarded by the `:get_tag_signatures` feature flag. This new implementation was rolled out to production on September 7th without any observed issues and can thus be considered stable. Remove the feature flag to always use the fix. Changelog: fixed

tags: Always enable fix for verification of long tag messages
In contrast to signatures for commits, the signature of a tag is directly attached to the tag message. So to get the tag signature, GitLab loads the tag mesasge from Gitaly and extracts the signature from it. However, if the tag message exceeds a certain length, Gitaly will truncate it and thus keep us from verifying the signature. This was fixed via a new `GetTagSignatures()` RPC in Gitaly, whose use is currently guarded by the `:get_tag_signatures` feature flag. This new implementation was rolled out to production on September 7th without any observed issues and can thus be considered stable. Remove the feature flag to always use the fix. Changelog: fixed
cc955642 · Patrick Steinhardt · 243177f3 · 243177f3 · cc955642 · cc955642
Commit cc955642 authored Sep 10, 2021 by Patrick Steinhardt
4 changed files
--- a/config/feature_flags/development/get_tag_signatures.yml
+++ b/config/feature_flags/development/get_tag_signatures.yml
---
-name: get_tag_signatures
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/67000
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/337842
-milestone: '14.2'
-type: development
-group: group::gitaly
-default_enabled: false
--- a/lib/gitlab/signed_tag.rb
+++ b/lib/gitlab/signed_tag.rb
@@ -7,12 +7,7 @@ module Gitlab
    def initialize(repository, tag)
      @repository = repository
      @tag = tag
+      @signature_data = Gitlab::Git::Tag.extract_signature_lazily(repository, tag.id) if repository
-      if Feature.enabled?(:get_tag_signatures)
-        @signature_data = Gitlab::Git::Tag.extract_signature_lazily(repository, tag.id) if repository
-      else
-        @signature_data = [signature_text_of_message.b, signed_text_of_message.b]
-      end
    end
    def signature
@@ -26,22 +21,5 @@ module Gitlab
    def signed_text
      @signature_data&.fetch(1)
    end
-    private
-    def signature_text_of_message
-      @tag.message.slice(@tag.message.index("-----BEGIN SIGNED MESSAGE-----")..-1)
-    rescue StandardError
-      nil
-    end
-    def signed_text_of_message
-      %{object #{@tag.target_commit.id}
-type commit
-tag #{@tag.name}
-tagger #{@tag.tagger.name} <#{@tag.tagger.email}> #{@tag.tagger.date.seconds} #{@tag.tagger.timezone}
-#{@tag.message.gsub(/-----BEGIN SIGNED MESSAGE-----(.*)-----END SIGNED MESSAGE-----/m, "")}}
-    end
  end
 end
--- a/spec/lib/gitlab/git/tag_spec.rb
+++ b/spec/lib/gitlab/git/tag_spec.rb
@@ -38,7 +38,7 @@ RSpec.describe Gitlab::Git::Tag, :seed_helper do
      it { expect(tag.tagger.timezone).to eq("+0200") }
    end
-    shared_examples 'signed tag' do
+    describe 'signed tag' do
      let(:project) { create(:project, :repository) }
      let(:tag) { project.repository.find_tag('v1.1.1') }
@@ -54,18 +54,6 @@ RSpec.describe Gitlab::Git::Tag, :seed_helper do
      it { expect(tag.tagger.timezone).to eq("+0100") }
    end
-    context 'with :get_tag_signatures enabled' do
-      it_behaves_like 'signed tag'
-    end
-    context 'with :get_tag_signatures disabled' do
-      before do
-        stub_feature_flags(get_tag_signatures: false)
-      end
-      it_behaves_like 'signed tag'
-    end
    it { expect(repository.tags.size).to eq(SeedRepo::Repo::TAGS.size) }
  end

--- a/spec/lib/gitlab/x509/tag_spec.rb
+++ b/spec/lib/gitlab/x509/tag_spec.rb
@@ -8,7 +8,7 @@ RSpec.describe Gitlab::X509::Tag do
    let(:repository) { Gitlab::Git::Repository.new('default', TEST_REPO_PATH, '', 'group/project') }
    let(:project) { create(:project, :repository) }
-    shared_examples 'signed tag' do
+    describe 'signed tag' do
      let(:tag) { project.repository.find_tag('v1.1.1') }
      let(:certificate_attributes) do
        {
@@ -33,24 +33,10 @@ RSpec.describe Gitlab::X509::Tag do
      it { expect(signature.x509_certificate.x509_issuer).to have_attributes(issuer_attributes) }
    end
-    shared_examples 'unsigned tag' do
+    describe 'unsigned tag' do
      let(:tag) { project.repository.find_tag('v1.0.0') }
      it { expect(signature).to be_nil }
    end
-    context 'with :get_tag_signatures enabled' do
-      it_behaves_like 'signed tag'
-      it_behaves_like 'unsigned tag'
-    end
-    context 'with :get_tag_signatures disabled' do
-      before do
-        stub_feature_flags(get_tag_signatures: false)
-      end
-      it_behaves_like 'signed tag'
-      it_behaves_like 'unsigned tag'
-    end
  end
 end