From a212391f0fc5e2d021ade4c0219c079e0832e18e Mon Sep 17 00:00:00 2001
From: Tim Bishop <tim@bishnet.net>
Date: Tue, 19 Sep 2017 18:57:01 +0100
Subject: [PATCH] Make GPG validation case insensitive.

In line with other changes in GitLab, make email address validation
properly case insensitive. The email address in the commit may be in
any case, so it needs downcasing to match the address stored in GitLab
for the user. Without this change the comparison fails and commits are
not marked as verified.

See #37009.
---
 app/models/gpg_key.rb                              | 2 +-
 changelogs/unreleased/fix-gpg-case-insensitive.yml | 5 +++++
 spec/models/gpg_key_spec.rb                        | 8 ++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/unreleased/fix-gpg-case-insensitive.yml

diff --git a/app/models/gpg_key.rb b/app/models/gpg_key.rb
index 44deae4234b..54bd5b68777 100644
--- a/app/models/gpg_key.rb
+++ b/app/models/gpg_key.rb
@@ -73,7 +73,7 @@ class GpgKey < ActiveRecord::Base
   end
 
   def verified_and_belongs_to_email?(email)
-    emails_with_verified_status.fetch(email, false)
+    emails_with_verified_status.fetch(email.downcase, false)
   end
 
   def update_invalid_gpg_signatures
diff --git a/changelogs/unreleased/fix-gpg-case-insensitive.yml b/changelogs/unreleased/fix-gpg-case-insensitive.yml
new file mode 100644
index 00000000000..744ec00a4a8
--- /dev/null
+++ b/changelogs/unreleased/fix-gpg-case-insensitive.yml
@@ -0,0 +1,5 @@
+---
+title: Compare email addresses case insensitively when verifying GPG signatures
+merge_request: 14376
+author: Tim Bishop
+type: fixed
diff --git a/spec/models/gpg_key_spec.rb b/spec/models/gpg_key_spec.rb
index fadc8bfeb61..4a4d079b721 100644
--- a/spec/models/gpg_key_spec.rb
+++ b/spec/models/gpg_key_spec.rb
@@ -138,6 +138,14 @@ describe GpgKey do
       expect(gpg_key.verified?).to be_truthy
       expect(gpg_key.verified_and_belongs_to_email?('bette.cartwright@example.com')).to be_truthy
     end
+
+    it 'returns true if one of the email addresses in the key belongs to the user and case-insensitively matches the provided email' do
+      user = create :user, email: 'bette.cartwright@example.com'
+      gpg_key = create :gpg_key, key: GpgHelpers::User2.public_key, user: user
+
+      expect(gpg_key.verified?).to be_truthy
+      expect(gpg_key.verified_and_belongs_to_email?('Bette.Cartwright@example.com')).to be_truthy
+    end
   end
 
   describe '#revoke' do