
SSH commit signatures from -sk keys with no-touch-required option are marked 'Unverified'


Summary

GitLab shows commits signed with an -sk SSH key with the no-touch-required option as unverified, which doesn't match Git's behaviour.

Steps to reproduce

  1. Create an appropriate key: ssh-keygen -t ecdsa-sk -O no-touch-required -f keys/ecdsa-sk
  2. Add the key to your GitLab user profile with 'Signing' as its usage type
  3. Create a repo and create a signed test commit: git -c gpg.format=ssh -c user.signingkey=keys/ecdsa-sk commit -S --allow-empty -m "test"
  4. Push to GitLab and observe that the commit is labeled as unverified
  5. Follow the verify-commits-locally docs to confirm that Git instead shows the signatures as Good (verified).

Example Project

GitLab - link:


Git output - link:

 commit 9397ac081490f4fd20e63cdf766a1d863b05dddc
+Good "git" signature for dexter.c.dopping@gmail.com with ED25519-SK key SHA256:ZIT379QiWAJlivANmj4w5qDB90yLGADfsu7d/9X58Kc
 Author: Dexter Castor Döpping <dexter.c.dopping@gmail.com>
 Date:   Wed May 21 20:25:57 2025 +0200
     ed25519-sk-with-touch
 commit 0b5d45d24c0ebec46bed5674fd4d29db7febaf93
+Good "git" signature for dexter.c.dopping@gmail.com with ECDSA-SK key SHA256:7RTOo03F3mf0ZlF1bWCHyCD2bDfTN4UzxpMqqQpqnRI
 Author: Dexter Castor Döpping <dexter.c.dopping@gmail.com>
 Date:   Wed May 21 20:25:54 2025 +0200
     ecdsa-sk-with-touch
 commit ebfe5208a73bdb7ade0e8c252f38eb3b06e81a84
 Author: Dexter Castor Döpping <dexter.c.dopping@gmail.com>
 Date:   Wed May 21 17:22:59 2025 +0200
     Add verify signature CI job
 commit 70a6544f200d908f5e643982a3656907e8c0c1c8
+Good "git" signature for dexter.c.dopping@gmail.com with ED25519-SK key SHA256:ho8vNtcOcp1TP46yETaUqRIzUKK8WMzqHHWrNRJuXfo
 Author: Dexter Castor Döpping <dexter.c.dopping@gmail.com>
 Date:   Wed May 21 17:18:54 2025 +0200
     ed25519-sk
 commit 735d7c7e1ab8cd408ea344a5a7d632c3e1297dd3
+Good "git" signature for dexter.c.dopping@gmail.com with ECDSA-SK key SHA256:5gGXZyV5oZpFnpB8cV+Bgnut7U2FJR9uRkjSeR+M2vs
 Author: Dexter Castor Döpping <dexter.c.dopping@gmail.com>
 Date:   Wed May 21 17:18:36 2025 +0200
     ecdsa-sk

What is the current bug behavior?

Signatures from -sk keys with the -O no-touch-required option are shown as 'Unverified' in GitLab.

What is the expected correct behavior?

Since Git says that the signatures are valid, I think GitLab should display these as 'Verified'.

Possible fixes

I believe this stems from defaults inside the ssh_data package:

GitLab could pass arguments to the verify function to allow signatures from keys that have the no-touch-required option set, but this can only be done for -sk keys.

https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ssh/signature.rb?ref_type=947c12ea10171f95bb82835e4d4b0dc284545e81#L78
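Added example, not code from the issue, from GitLab, or from the ssh_data gem: a small Python decoder for the SSHSIG format that pulls out the FIDO flags byte an -sk authenticator appends to every signature (framing per OpenSSH's PROTOCOL.sshsig and PROTOCOL.u2f). Bit 0x01 is the user-presence (touch) bit; a verifier that requires touch by default, as the reporter describes for ssh_data, is deciding on that bit, and step 5 of the reproduction only passes when the verifier is told to accept signatures without it. The code reports the bit and performs no cryptographic verification. The sample blobs are constructed with dummy key and signature bytes and will not verify; `extract_gpgsig` reads the armored signature from `git cat-file commit <sha>` output so the parser can also be pointed at a real commit.

```python
"""Decode an OpenSSH SSHSIG blob and report the FIDO user-presence (touch) flag.

Added example, not GitLab's or ssh_data's code. Sample blobs are constructed
with dummy key/signature bytes and do not verify cryptographically."""
import base64
import struct

SSHSIG_MAGIC = b"SSHSIG"
SK_KEY_TYPES = {"sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}
SK_FLAG_USER_PRESENCE = 0x01      # FIDO "UP": the authenticator was touched
SK_FLAG_USER_VERIFICATION = 0x04  # FIDO "UV": PIN or biometric was checked


def _read_string(buf, off):
    """Read one SSH 'string' (uint32 big-endian length, then bytes)."""
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    return buf[off:off + length], off + length


def _pack_string(data):
    return struct.pack(">I", len(data)) + data


def extract_gpgsig(commit_text):
    """Pull the armored signature out of `git cat-file commit <sha>` output:
    the 'gpgsig ' header plus its space-indented continuation lines."""
    lines = commit_text.splitlines()
    out = []
    for i, line in enumerate(lines):
        if line.startswith("gpgsig "):
            out.append(line[len("gpgsig "):])
            for cont in lines[i + 1:]:
                if not cont.startswith(" "):
                    break
                out.append(cont[1:])
            break
    return "\n".join(out)


def unarmor(text):
    """Drop the -----BEGIN/END SSH SIGNATURE----- lines and base64-decode."""
    stripped = (line.strip() for line in text.splitlines())
    return base64.b64decode("".join(l for l in stripped if not l.startswith("-----")))


def parse_sshsig(blob):
    """Return key type, namespace and, for -sk keys, the flags/counter the
    authenticator attached to the signature. No cryptographic check is done."""
    if blob[:6] != SSHSIG_MAGIC:
        raise ValueError("not an SSHSIG blob")
    (version,) = struct.unpack(">I", blob[6:10])
    if version != 1:
        raise ValueError(f"unsupported SSHSIG version {version}")
    off = 10
    pubkey, off = _read_string(blob, off)
    namespace, off = _read_string(blob, off)
    _reserved, off = _read_string(blob, off)
    hash_alg, off = _read_string(blob, off)
    sig, _ = _read_string(blob, off)

    key_type = _read_string(pubkey, 0)[0].decode()
    info = {"key_type": key_type, "namespace": namespace.decode(),
            "hash": hash_alg.decode(), "sk": key_type in SK_KEY_TYPES,
            "user_presence": None, "user_verification": None, "counter": None}
    if info["sk"]:
        # sk-* signature layout: string algo, string inner_sig, byte flags, uint32 counter
        _algo, soff = _read_string(sig, 0)
        _inner, soff = _read_string(sig, soff)
        flags = sig[soff]
        (counter,) = struct.unpack(">I", sig[soff + 1:soff + 5])
        info.update(user_presence=bool(flags & SK_FLAG_USER_PRESENCE),
                    user_verification=bool(flags & SK_FLAG_USER_VERIFICATION),
                    counter=counter)
    return info


def build_sample_sshsig(key_type, flags, counter=7):
    """CONSTRUCTED test vector: correct SSHSIG framing around dummy bytes."""
    if key_type == "sk-ssh-ed25519@openssh.com":
        pubkey = _pack_string(key_type.encode()) + _pack_string(b"\x11" * 32) + _pack_string(b"ssh:")
        inner = b"\x22" * 64
    elif key_type == "sk-ecdsa-sha2-nistp256@openssh.com":
        pubkey = (_pack_string(key_type.encode()) + _pack_string(b"nistp256")
                  + _pack_string(b"\x04" + b"\x33" * 64) + _pack_string(b"ssh:"))
        inner = _pack_string(b"\x00" + b"\x44" * 32) + _pack_string(b"\x00" + b"\x55" * 32)  # mpint r, s
    else:
        raise ValueError("sample builder only covers -sk key types")
    sig = _pack_string(key_type.encode()) + _pack_string(inner) + bytes([flags]) + struct.pack(">I", counter)
    blob = (SSHSIG_MAGIC + struct.pack(">I", 1) + _pack_string(pubkey) + _pack_string(b"git")
            + _pack_string(b"") + _pack_string(b"sha512") + _pack_string(sig))
    b64 = base64.b64encode(blob).decode()
    return ("-----BEGIN SSH SIGNATURE-----\n"
            + "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
            + "\n-----END SSH SIGNATURE-----\n")


if __name__ == "__main__":
    for flags in (0x00, 0x01):
        info = parse_sshsig(unarmor(build_sample_sshsig("sk-ecdsa-sha2-nistp256@openssh.com", flags)))
        print(f"flags=0x{flags:02x} key={info['key_type']} touched={info['user_presence']}")
```

To inspect a real commit, pipe `git cat-file commit HEAD` into `extract_gpgsig`, then `unarmor` and `parse_sshsig`; a signature made with a no-touch-required key will show `user_presence` False while the signature itself still verifies, which is the distinction this issue is about.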

Edited by 🤖 GitLab Bot 🤖