BigW Consortium Gitlab

Skip to content

G
gitlab-ce
Commit c6371ae9 by Lin Jen-Shin
Options

Merge remote-tracking branch 'upstream/master' into 36807-gc-unwanted-refs-after-import

* upstream/master: Don't use public_send in destroy_conditionally! helper Fix MySQL failure for emoji autocomplete max-width for lazy-loaded images (this was removed in the original MR through merge resolution most probably) Replace 'project/user_lookup.feature' spinach test with an rspec analog Move GPG signed commits docs to new location
parents c5553ce7 f7c8434c
Showing with 310 additions and 319 deletions
app/assets/stylesheets/framework/typography.scss
......@@ -25,6 +25,7 @@
min-width: inherit;
min-height: inherit;
background-color: inherit;
max-width: 100%;
}
p a:not(.no-attachment-icon) img {
......
app/controllers/autocomplete_controller.rb
......@@ -55,7 +55,7 @@ class AutocompleteController < ApplicationController
.limit(AWARD_EMOJI_MAX)
.where(user: current_user)
.group(:name)
.order(count: :desc, name: :asc)
.order('count_all DESC, name ASC')
.count
# Transform from hash to array to guarantee json order
......
app/views/profiles/gpg_keys/index.html.haml
......@@ -12,7 +12,7 @@
Add a GPG key
%p.profile-settings-content
Before you can add a GPG key you need to
= link_to 'generate it.', help_page_path('user/project/gpg_signed_commits/index.md')
= link_to 'generate it.', help_page_path('user/project/repository/gpg_signed_commits/index.md')
= render 'form'
%hr
%h5
......
app/views/projects/commit/_signature_badge.html.haml
......@@ -12,7 +12,7 @@
%span.monospace= signature.gpg_key_primary_keyid
= link_to('Learn more about signing commits', help_page_path('user/project/gpg_signed_commits/index.md'), class: 'gpg-popover-help-link')
= link_to('Learn more about signing commits', help_page_path('user/project/repository/gpg_signed_commits/index.md'), class: 'gpg-popover-help-link')
%button{ class: css_classes, data: { toggle: 'popover', html: 'true', placement: 'auto top', title: title, content: content } }
= label
changelogs/unreleased/replace_spinach_user_lookup-feature.yml 0 → 100644
---
title: Replace 'project/user_lookup.feature' spinach test with an rspec analog
merge_request: 13863
author: Vitaliy @blackst0ne Klachkov
type: other
doc/README.md
......@@ -77,6 +77,8 @@ Manage your [repositories](user/project/repository/index.md) from the UI (user i
- [Create a branch](user/project/repository/web_editor.md#create-a-new-branch)
- [Protected branches](user/project/protected_branches.md#protected-branches)
- [Delete merged branches](user/project/repository/branches/index.md#delete-merged-branches)
- Commits
- [Signing commits](user/project/repository/gpg_signed_commits/index.md): use GPG to sign your commits.
### Issues and Merge Requests (MRs)
......@@ -98,7 +100,6 @@ Manage your [repositories](user/project/repository/index.md) from the UI (user i
- [Git](topics/git/index.md): Getting started with Git, branching strategies, Git LFS, advanced use.
- [Git cheatsheet](https://gitlab.com/gitlab-com/marketing/raw/master/design/print/git-cheatsheet/print-pdf/git-cheatsheet.pdf): Download a PDF describing the most used Git operations.
- [GitLab Flow](workflow/gitlab_flow.md): explore the best of Git with the GitLab Flow strategy.
- [Signing commits](user/project/gpg_signed_commits/index.md): use GPG to sign your commits.
### Migrate and import your projects from other platforms
......
doc/user/project/gpg_signed_commits/index.md
# Signing commits with GPG
> [Introduced][ce-9546] in GitLab 9.5.
GitLab can show whether a commit is verified or not when signed with a GPG key.
All you need to do is upload the public GPG key in your profile settings.
GPG verified tags are not supported yet.
## Getting started with GPG
Here are a few guides to get you started with GPG:
- [Git Tools - Signing Your Work](https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work)
- [Managing OpenPGP Keys](https://riseup.net/en/security/message-security/openpgp/gpg-keys)
- [OpenPGP Best Practices](https://riseup.net/en/security/message-security/openpgp/best-practices)
- [Creating a new GPG key with subkeys](https://www.void.gr/kargig/blog/2013/12/02/creating-a-new-gpg-key-with-subkeys/) (advanced)
## How GitLab handles GPG
GitLab uses its own keyring to verify the GPG signature. It does not access any
public key server.
In order to have a commit verified on GitLab the corresponding public key needs
to be uploaded to GitLab. For a signature to be verified two prerequisites need
to be met:
1. The public key needs to be added your GitLab account
1. One of the emails in the GPG key matches your **primary** email
## Generating a GPG key
If you don't already have a GPG key, the following steps will help you get
started:
1. [Install GPG](https://www.gnupg.org/download/index.html) for your operating system
1. Generate the private/public key pair with the following command:
```sh
gpg --full-gen-key
```
This will spawn a series of questions.
1. The first question is which algorithm can be used. Select the kind you want
or press <kbd>Enter</kbd> to choose the default (RSA and RSA):
```
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
```
1. The next question is key length. We recommend to choose the highest value
which is `4096`:
```
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
```
1. Next, you need to specify the validity period of your key. This is something
subjective, and you can use the default value which is to never expire:
```
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
```
1. Confirm that the answers you gave were correct by typing `y`:
```
Is this correct? (y/N) y
```
1. Enter you real name, the email address to be associated with this key (should
match the primary email address you use in GitLab) and an optional comment
(press <kbd>Enter</kbd> to skip):
```
GnuPG needs to construct a user ID to identify your key.
Real name: Mr. Robot
Email address: mr@robot.sh
Comment:
You selected this USER-ID:
"Mr. Robot <mr@robot.sh>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
```
1. Pick a strong password when asked and type it twice to confirm.
1. Use the following command to list the private GPG key you just created:
```
gpg --list-secret-keys mr@robot.sh
```
Replace `mr@robot.sh` with the email address you entered above.
1. Copy the GPG key ID that starts with `sec`. In the following example, that's
`0x30F2B65B9246B6CA`:
```
sec rsa4096/0x30F2B65B9246B6CA 2017-08-18 [SC]
D5E4F29F3275DC0CDA8FFC8730F2B65B9246B6CA
uid [ultimate] Mr. Robot <mr@robot.sh>
ssb rsa4096/0xB7ABC0813E4028C0 2017-08-18 [E]
```
1. Export the public key of that ID (replace your key ID from the previous step):
```
gpg --armor --export 0x30F2B65B9246B6CA
```
1. Finally, copy the public key and [add it in your profile settings](#adding-a-gpg-key-to-your-account)
## Adding a GPG key to your account
>**Note:**
Once you add a key, you cannot edit it, only remove it. In case the paste
didn't work, you'll have to remove the offending key and re-add it.
You can add a GPG key in your profile's settings:
1. On the upper right corner, click on your avatar and go to your **Settings**.
![Settings dropdown](../../profile/img/profile_settings_dropdown.png)
1. Navigate to the **GPG keys** tab and paste your _public_ key in the 'Key'
box.
![Paste GPG public key](img/profile_settings_gpg_keys_paste_pub.png)
1. Finally, click on **Add key** to add it to GitLab. You will be able to see
its fingerprint, the corresponding email address and creation date.
![GPG key single page](img/profile_settings_gpg_keys_single_key.png)
## Associating your GPG key with Git
After you have [created your GPG key](#generating-a-gpg-key) and [added it to
your account](#adding-a-gpg-key-to-your-account), it's time to tell Git which
key to use.
1. Use the following command to list the private GPG key you just created:
```
gpg --list-secret-keys mr@robot.sh
```
Replace `mr@robot.sh` with the email address you entered above.
1. Copy the GPG key ID that starts with `sec`. In the following example, that's
`0x30F2B65B9246B6CA`:
```
sec rsa4096/0x30F2B65B9246B6CA 2017-08-18 [SC]
D5E4F29F3275DC0CDA8FFC8730F2B65B9246B6CA
uid [ultimate] Mr. Robot <mr@robot.sh>
ssb rsa4096/0xB7ABC0813E4028C0 2017-08-18 [E]
```
1. Tell Git to use that key to sign the commits:
```
git config --global user.signingkey 0x30F2B65B9246B6CA
```
Replace `0x30F2B65B9246B6CA` with your GPG key ID.
## Signing commits
After you have [created your GPG key](#generating-a-gpg-key) and [added it to
your account](#adding-a-gpg-key-to-your-account), you can start signing your
commits:
1. Commit like you used to, the only difference is the addition of the `-S` flag:
```
git commit -S -m "My commit msg"
```
1. Enter the passphrase of your GPG key when asked.
1. Push to GitLab and check that your commits [are verified](#verifying-commits).
If you don't want to type the `-S` flag every time you commit, you can tell Git
to sign your commits automatically:
```
git config --global commit.gpgsign true
```
## Verifying commits
1. Within a project or [merge request](../merge_requests/index.md), navigate to
the **Commits** tab. Signed commits will show a badge containing either
"Verified" or "Unverified", depending on the verification status of the GPG
signature.
![Signed and unsigned commits](img/project_signed_and_unsigned_commits.png)
1. By clicking on the GPG badge, details of the signature are displayed.
![Signed commit with verified signature](img/project_signed_commit_verified_signature.png)
![Signed commit with verified signature](img/project_signed_commit_unverified_signature.png)
## Revoking a GPG key
Revoking a key **unverifies** already signed commits. Commits that were
verified by using this key will change to an unverified state. Future commits
will also stay unverified once you revoke this key. This action should be used
in case your key has been compromised.
To revoke a GPG key:
1. On the upper right corner, click on your avatar and go to your **Settings**.
1. Navigate to the **GPG keys** tab.
1. Click on **Revoke** besides the GPG key you want to delete.
## Removing a GPG key
Removing a key **does not unverify** already signed commits. Commits that were
verified by using this key will stay verified. Only unpushed commits will stay
unverified once you remove this key. To unverify already signed commits, you need
to [revoke the associated GPG key](#revoking-a-gpg-key) from your account.
To remove a GPG key from your account:
1. On the upper right corner, click on your avatar and go to your **Settings**.
1. Navigate to the **GPG keys** tab.
1. Click on the trash icon besides the GPG key you want to delete.
[ce-9546]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/9546
This document was moved to [another location](../repository/gpg_signed_commits/index.md).
doc/user/project/repository/gpg_signed_commits/index.md 0 → 100644
# Signing commits with GPG
> [Introduced][ce-9546] in GitLab 9.5.
GitLab can show whether a commit is verified or not when signed with a GPG key.
All you need to do is upload the public GPG key in your profile settings.
GPG verified tags are not supported yet.
## Getting started with GPG
Here are a few guides to get you started with GPG:
- [Git Tools - Signing Your Work](https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work)
- [Managing OpenPGP Keys](https://riseup.net/en/security/message-security/openpgp/gpg-keys)
- [OpenPGP Best Practices](https://riseup.net/en/security/message-security/openpgp/best-practices)
- [Creating a new GPG key with subkeys](https://www.void.gr/kargig/blog/2013/12/02/creating-a-new-gpg-key-with-subkeys/) (advanced)
## How GitLab handles GPG
GitLab uses its own keyring to verify the GPG signature. It does not access any
public key server.
In order to have a commit verified on GitLab the corresponding public key needs
to be uploaded to GitLab. For a signature to be verified two prerequisites need
to be met:
1. The public key needs to be added your GitLab account
1. One of the emails in the GPG key matches your **primary** email
## Generating a GPG key
If you don't already have a GPG key, the following steps will help you get
started:
1. [Install GPG](https://www.gnupg.org/download/index.html) for your operating system
1. Generate the private/public key pair with the following command:
```sh
gpg --full-gen-key
```
This will spawn a series of questions.
1. The first question is which algorithm can be used. Select the kind you want
or press <kbd>Enter</kbd> to choose the default (RSA and RSA):
```
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
```
1. The next question is key length. We recommend to choose the highest value
which is `4096`:
```
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
```
1. Next, you need to specify the validity period of your key. This is something
subjective, and you can use the default value which is to never expire:
```
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
```
1. Confirm that the answers you gave were correct by typing `y`:
```
Is this correct? (y/N) y
```
1. Enter you real name, the email address to be associated with this key (should
match the primary email address you use in GitLab) and an optional comment
(press <kbd>Enter</kbd> to skip):
```
GnuPG needs to construct a user ID to identify your key.
Real name: Mr. Robot
Email address: mr@robot.sh
Comment:
You selected this USER-ID:
"Mr. Robot <mr@robot.sh>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
```
1. Pick a strong password when asked and type it twice to confirm.
1. Use the following command to list the private GPG key you just created:
```
gpg --list-secret-keys mr@robot.sh
```
Replace `mr@robot.sh` with the email address you entered above.
1. Copy the GPG key ID that starts with `sec`. In the following example, that's
`0x30F2B65B9246B6CA`:
```
sec rsa4096/0x30F2B65B9246B6CA 2017-08-18 [SC]
D5E4F29F3275DC0CDA8FFC8730F2B65B9246B6CA
uid [ultimate] Mr. Robot <mr@robot.sh>
ssb rsa4096/0xB7ABC0813E4028C0 2017-08-18 [E]
```
1. Export the public key of that ID (replace your key ID from the previous step):
```
gpg --armor --export 0x30F2B65B9246B6CA
```
1. Finally, copy the public key and [add it in your profile settings](#adding-a-gpg-key-to-your-account)
## Adding a GPG key to your account
>**Note:**
Once you add a key, you cannot edit it, only remove it. In case the paste
didn't work, you'll have to remove the offending key and re-add it.
You can add a GPG key in your profile's settings:
1. On the upper right corner, click on your avatar and go to your **Settings**.
![Settings dropdown](../../../profile/img/profile_settings_dropdown.png)
1. Navigate to the **GPG keys** tab and paste your _public_ key in the 'Key'
box.
![Paste GPG public key](img/profile_settings_gpg_keys_paste_pub.png)
1. Finally, click on **Add key** to add it to GitLab. You will be able to see
its fingerprint, the corresponding email address and creation date.
![GPG key single page](img/profile_settings_gpg_keys_single_key.png)
## Associating your GPG key with Git
After you have [created your GPG key](#generating-a-gpg-key) and [added it to
your account](#adding-a-gpg-key-to-your-account), it's time to tell Git which
key to use.
1. Use the following command to list the private GPG key you just created:
```
gpg --list-secret-keys mr@robot.sh
```
Replace `mr@robot.sh` with the email address you entered above.
1. Copy the GPG key ID that starts with `sec`. In the following example, that's
`0x30F2B65B9246B6CA`:
```
sec rsa4096/0x30F2B65B9246B6CA 2017-08-18 [SC]
D5E4F29F3275DC0CDA8FFC8730F2B65B9246B6CA
uid [ultimate] Mr. Robot <mr@robot.sh>
ssb rsa4096/0xB7ABC0813E4028C0 2017-08-18 [E]
```
1. Tell Git to use that key to sign the commits:
```
git config --global user.signingkey 0x30F2B65B9246B6CA
```
Replace `0x30F2B65B9246B6CA` with your GPG key ID.
## Signing commits
After you have [created your GPG key](#generating-a-gpg-key) and [added it to
your account](#adding-a-gpg-key-to-your-account), you can start signing your
commits:
1. Commit like you used to, the only difference is the addition of the `-S` flag:
```
git commit -S -m "My commit msg"
```
1. Enter the passphrase of your GPG key when asked.
1. Push to GitLab and check that your commits [are verified](#verifying-commits).
If you don't want to type the `-S` flag every time you commit, you can tell Git
to sign your commits automatically:
```
git config --global commit.gpgsign true
```
## Verifying commits
1. Within a project or [merge request](../../merge_requests/index.md), navigate to
the **Commits** tab. Signed commits will show a badge containing either
"Verified" or "Unverified", depending on the verification status of the GPG
signature.
![Signed and unsigned commits](img/project_signed_and_unsigned_commits.png)
1. By clicking on the GPG badge, details of the signature are displayed.
![Signed commit with verified signature](img/project_signed_commit_verified_signature.png)
![Signed commit with verified signature](img/project_signed_commit_unverified_signature.png)
## Revoking a GPG key
Revoking a key **unverifies** already signed commits. Commits that were
verified by using this key will change to an unverified state. Future commits
will also stay unverified once you revoke this key. This action should be used
in case your key has been compromised.
To revoke a GPG key:
1. On the upper right corner, click on your avatar and go to your **Settings**.
1. Navigate to the **GPG keys** tab.
1. Click on **Revoke** besides the GPG key you want to delete.
## Removing a GPG key
Removing a key **does not unverify** already signed commits. Commits that were
verified by using this key will stay verified. Only unpushed commits will stay
unverified once you remove this key. To unverify already signed commits, you need
to [revoke the associated GPG key](#revoking-a-gpg-key) from your account.
To remove a GPG key from your account:
1. On the upper right corner, click on your avatar and go to your **Settings**.
1. Navigate to the **GPG keys** tab.
1. Click on the trash icon besides the GPG key you want to delete.
[ce-9546]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/9546
doc/user/project/repository/index.md
......@@ -22,7 +22,7 @@ you to [connect with GitLab via SSH](../../../ssh/README.md).
## Files
## Create and edit files
### Create and edit files
Host your codebase in GitLab repositories by pushing your files to GitLab.
You can either use the user interface (UI), or connect your local computer
......@@ -111,6 +111,8 @@ right from the UI.
- **Revert a commit:**
Easily [revert a commit](../merge_requests/revert_changes.md#reverting-a-commit)
from the UI to a selected branch.
- **Sign a commit:**
Use GPG to [sign your commits](gpg_signed_commits/index.md).
## Repository size
......
features/project/commits/user_lookup.feature deleted 100644 → 0
@project_commits
Feature: Project Commits User Lookup
Background:
Given I sign in as a user
And I own a project
And I visit my project's commits page
Scenario: I browse commit from list
Given I have user with primary email
When I click on commit link
Then I see author based on primary email
Scenario: I browse another commit from list
Given I have user with secondary email
When I click on another commit link
Then I see author based on secondary email
features/steps/project/commits/user_lookup.rb deleted 100644 → 0
class Spinach::Features::ProjectCommitsUserLookup < Spinach::FeatureSteps
include SharedAuthentication
include SharedProject
include SharedPaths
step 'I click on commit link' do
visit project_commit_path(@project, sample_commit.id)
end
step 'I click on another commit link' do
visit project_commit_path(@project, sample_commit.parent_id)
end
step 'I have user with primary email' do
user_primary
end
step 'I have user with secondary email' do
user_secondary
end
step 'I see author based on primary email' do
check_author_link(sample_commit.author_email, user_primary)
end
step 'I see author based on secondary email' do
check_author_link(sample_commit.author_email, user_secondary)
end
def check_author_link(email, user)
author_link = find('.commit-author-link')
expect(author_link['href']).to eq user_path(user)
expect(author_link['title']).to eq email
expect(find('.commit-author-name').text).to eq user.name
end
def user_primary
@user_primary ||= create(:user, email: 'dmitriy.zaporozhets@gmail.com')
end
def user_secondary
@user_secondary ||= begin
user = create(:user, email: 'dzaporozhets@example.com')
create(:email, { user: user, email: 'dmitriy.zaporozhets@gmail.com' })
user
end
end
end
lib/api/branches.rb
......@@ -130,7 +130,7 @@ module API
commit = user_project.repository.commit(branch.dereferenced_target)
destroy_conditionally!(commit, last_update_field: :authored_date) do
destroy_conditionally!(commit, last_updated: commit.authored_date) do
result = DeleteBranchService.new(user_project, current_user)
.execute(params[:branch])
......
lib/api/helpers.rb
......@@ -19,8 +19,10 @@ module API
end
end
def destroy_conditionally!(resource, last_update_field: :updated_at)
check_unmodified_since!(resource.public_send(last_update_field))
def destroy_conditionally!(resource, last_updated: nil)
last_updated ||= resource.updated_at
check_unmodified_since!(last_updated)
status 204
if block_given?
......
lib/api/tags.rb
......@@ -70,7 +70,7 @@ module API
commit = user_project.repository.commit(tag.dereferenced_target)
destroy_conditionally!(commit, last_update_field: :authored_date) do
destroy_conditionally!(commit, last_updated: commit.authored_date) do
result = ::Tags::DestroyService.new(user_project, current_user)
.execute(params[:tag_name])
......
spec/features/projects/commits/user_browses_commits_spec.rb 0 → 100644
require 'spec_helper'
describe 'User broweses commits' do
let(:user) { create(:user) }
let(:project) { create(:project, :repository, namespace: user.namespace) }
before do
project.add_master(user)
sign_in(user)
end
context 'primary email' do
it 'finds a commit by a primary email' do
user = create(:user, email: 'dmitriy.zaporozhets@gmail.com')
visit(project_commit_path(project, RepoHelpers.sample_commit.id))
check_author_link(RepoHelpers.sample_commit.author_email, user)
end
end
context 'secondary email' do
it 'finds a commit by a secondary email' do
user =
create(:user) do |user|
create(:email, { user: user, email: 'dmitriy.zaporozhets@gmail.com' })
end
visit(project_commit_path(project, RepoHelpers.sample_commit.parent_id))
check_author_link(RepoHelpers.sample_commit.author_email, user)
end
end
end
private
def check_author_link(email, author)
author_link = find('.commit-author-link')
expect(author_link['href']).to eq(user_path(author))
expect(author_link['title']).to eq(email)
expect(find('.commit-author-name').text).to eq(author.name)
end
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment