From 582c8c83f95eace90b17c8b1ec6ee3199bcaa8f4 Mon Sep 17 00:00:00 2001
From: Hendrik Meyer
Date: Wed, 8 Jul 2020 13:59:59 +0200
Subject: [PATCH] ignore revoked or invalid GPG uids on key import

This MR updates Gitlab::Gpg::user_infos_from_key to ignore uids, that have been revoked. This is desired, because otherwise it leaves stale email addresses up for validation in the GPG Key settings within GitLab. Existing keys are not touched. To remove stale emails/uids a user needs to delete the key from GitLab, and reimport.
---
 lib/gitlab/gpg.rb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/gitlab/gpg.rb b/lib/gitlab/gpg.rb
index 8166bef4510f48..be0bd277a2c9f1 100644
--- a/lib/gitlab/gpg.rb
+++ b/lib/gitlab/gpg.rb
@@ -61,6 +61,9 @@ def user_infos_from_key(key)
 
 GPGME::Key.find(:public, fingerprints).flat_map do |raw_key|
 raw_key.uids.each_with_object([]) do |uid, arr|
+ # Skip revoked or invalid uids. This prevents those from being matched against validated email addresses.
+ next if uid.revoked? || uid.invalid?
+
 name = uid.name.force_encoding('UTF-8')
 email = uid.email.force_encoding('UTF-8')
 arr << { name: name, email: email.downcase } if name.valid_encoding? && email.valid_encoding?
-- 
GitLab
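Review bot: The new guard `next if uid.revoked? || uid.invalid?` inside the `each_with_object` block ships without a spec; the diffstat shows only lib/gitlab/gpg.rb changing. This filter decides which email addresses a key can be verified against, so a later refactor that drops it would silently re-admit revoked identities. A spec for `user_infos_from_key` with a fixture key carrying one revoked and one valid uid, asserting that only the valid uid's name and email come back, would pin the behaviour. The added comment could also record that the check applies at import only, e.g. `# Evaluated at import time only; a uid revoked later stays stored until the key is re-imported.` The body of `user_infos_from_key` starts and ends outside this hunk, so whether the key itself is checked for revocation elsewhere cannot be confirmed from here.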