On Thu, Aug 09, 2018 at 11:40:27AM -0700, Junio C Hamano wrote:
> -- >8 --
> Subject: [PATCH] gpg-interface: propagate exit status from gpg back to the callers
> 
> When gpg-interface API unified support for signature verification
> codepaths for signed tags and signed commits in mid 2015 at around
> v2.6.0-rc0~114, we accidentally loosened the GPG signature
> verification.
> 
> Before that change, signed commits were verified by looking for
> "G"ood signature from GPG, while ignoring the exit status of "gpg
> --verify" process, while signed tags were verified by simply passing
> the exit status of "gpg --verify" through.  The unified code we
> currently have ignores the exit status of "gpg --verify" and returns
> successful verification when the signature matches an unexpired key
> regardless of the trust placed on the key (i.e. in addition to "G"ood
> ones, we accept "U"ntrusted ones).
> 
> Make these commands signal failure with their exit status when
> underlying "gpg --verify" (or the custom command specified by
> "gpg.program" configuration variable) does so.  This essentially
> changes their behaviour in a backward incompatible way to reject
> signatures that have been made with untrusted keys even if they
> correctly verify, as that is how "gpg --verify" behaves.
> 
> Note that the code still overrides a zero exit status obtained from
> "gpg" (or gpg.program) if the output does not say the signature is
> good or computes correctly but made with untrusted keys, to catch
> a poorly written wrapper around "gpg" the user may give us.
> 
> We could exclude "U"ntrusted support from this fallback code, but
> that would be making two backward incompatible changes in a single
> commit, so let's avoid that for now.  A follow-up change could do so
> if desired.

This looks great to me.  Thanks.
-- 
brian m. carlson: Houston, Texas, US
OpenPGP: https://keybase.io/bk2204