From: Fabian Stelzer <fs@gigacodes.de>
To: git@vger.kernel.org
Cc: "Ævar Arnfjörð Bjarmason" <avarab@gmail.com>,
"Junio C Hamano" <gitster@pobox.com>,
"SZEDER Gábor" <szeder.dev@gmail.com>,
"Fabian Stelzer" <fs@gigacodes.de>
Subject: [PATCH v5 4/8] ssh signing: make git log verify key lifetime
Date: Wed, 8 Dec 2021 17:33:31 +0100 [thread overview]
Message-ID: <20211208163335.1231795-5-fs@gigacodes.de> (raw)
In-Reply-To: <20211208163335.1231795-1-fs@gigacodes.de>
Set the payload_type for check_signature() when calling git log.
Implements the same tests as for verify-commit.
Signed-off-by: Fabian Stelzer <fs@gigacodes.de>
---
log-tree.c | 2 ++
t/t4202-log.sh | 43 +++++++++++++++++++++++++++++++++++++++++++
2 files changed, 45 insertions(+)
diff --git a/log-tree.c b/log-tree.c
index a46cf60e1e..d3e7a40b64 100644
--- a/log-tree.c
+++ b/log-tree.c
@@ -513,6 +513,7 @@ static void show_signature(struct rev_info *opt, struct commit *commit)
if (parse_signed_commit(commit, &payload, &signature, the_hash_algo) <= 0)
goto out;
+ sigc.payload_type = SIGNATURE_PAYLOAD_COMMIT;
sigc.payload = strbuf_detach(&payload, &sigc.payload_len);
status = check_signature(&sigc, signature.buf, signature.len);
if (status && !sigc.output)
@@ -583,6 +584,7 @@ static int show_one_mergetag(struct commit *commit,
status = -1;
if (parse_signature(extra->value, extra->len, &payload, &signature)) {
/* could have a good signature */
+ sigc.payload_type = SIGNATURE_PAYLOAD_TAG;
sigc.payload = strbuf_detach(&payload, &sigc.payload_len);
status = check_signature(&sigc, signature.buf, signature.len);
if (sigc.output)
diff --git a/t/t4202-log.sh b/t/t4202-log.sh
index 7884e3d46b..ba855ec893 100755
--- a/t/t4202-log.sh
+++ b/t/t4202-log.sh
@@ -1677,6 +1677,24 @@ test_expect_success GPGSSH 'setup sshkey signed branch' '
git commit -S -m signed_commit
'
+test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'create signed commits with keys having defined lifetimes' '
+ test_config gpg.format ssh &&
+ touch file &&
+ git add file &&
+
+ echo expired >file && test_tick && git commit -a -m expired -S"${GPGSSH_KEY_EXPIRED}" &&
+ git tag expired-signed &&
+
+ echo notyetvalid >file && test_tick && git commit -a -m notyetvalid -S"${GPGSSH_KEY_NOTYETVALID}" &&
+ git tag notyetvalid-signed &&
+
+ echo timeboxedvalid >file && test_tick && git commit -a -m timeboxedvalid -S"${GPGSSH_KEY_TIMEBOXEDVALID}" &&
+ git tag timeboxedvalid-signed &&
+
+ echo timeboxedinvalid >file && test_tick && git commit -a -m timeboxedinvalid -S"${GPGSSH_KEY_TIMEBOXEDINVALID}" &&
+ git tag timeboxedinvalid-signed
+'
+
test_expect_success GPGSM 'log x509 fingerprint' '
echo "F8BF62E0693D0694816377099909C779FA23FD65 | " >expect &&
git log -n1 --format="%GF | %GP" signed-x509 >actual &&
@@ -1714,6 +1732,31 @@ test_expect_success GPGSSH 'log --graph --show-signature ssh' '
grep "${GOOD_SIGNATURE_TRUSTED}" actual
'
+test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'log shows failure on expired signature key' '
+ test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" &&
+ git log --graph --show-signature -n1 expired-signed >actual &&
+ ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual
+'
+
+test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'log shows failure on not yet valid signature key' '
+ test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" &&
+ git log --graph --show-signature -n1 notyetvalid-signed >actual &&
+ ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual
+'
+
+test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'log show success with commit date and key validity matching' '
+ test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" &&
+ git log --graph --show-signature -n1 timeboxedvalid-signed >actual &&
+ grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual &&
+ ! grep "${GPGSSH_BAD_SIGNATURE}" actual
+'
+
+test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'log shows failure with commit date outside of key validity' '
+ test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" &&
+ git log --graph --show-signature -n1 timeboxedinvalid-signed >actual &&
+ ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual
+'
+
test_expect_success GPG 'log --graph --show-signature for merged tag' '
test_when_finished "git reset --hard && git checkout main" &&
git checkout -b plain main &&
--
2.31.1
next prev parent reply other threads:[~2021-12-08 16:34 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-27 8:06 [PATCH v2 0/6] ssh signing: verify key lifetime Fabian Stelzer
2021-10-27 8:06 ` [PATCH v2 1/6] ssh signing: use sigc struct to pass payload Fabian Stelzer
2021-10-27 8:06 ` [PATCH v2 2/6] ssh signing: add key lifetime test prereqs Fabian Stelzer
2021-10-27 8:06 ` [PATCH v2 3/6] ssh signing: make verify-commit consider key lifetime Fabian Stelzer
2021-10-27 20:30 ` Junio C Hamano
2021-10-28 8:01 ` Fabian Stelzer
2021-11-17 9:35 ` [PATCH v3 0/7] ssh signing: verify " Fabian Stelzer
2021-11-17 9:35 ` [PATCH v3 1/7] ssh signing: use sigc struct to pass payload Fabian Stelzer
2021-11-17 9:35 ` [PATCH v3 2/7] ssh signing: add key lifetime test prereqs Fabian Stelzer
2021-11-17 9:35 ` [PATCH v3 3/7] ssh signing: make verify-commit consider key lifetime Fabian Stelzer
2021-11-17 9:35 ` [PATCH v3 4/7] ssh signing: make git log verify " Fabian Stelzer
2021-11-17 9:35 ` [PATCH v3 5/7] ssh signing: make verify-tag consider " Fabian Stelzer
2021-11-17 9:35 ` [PATCH v3 6/7] ssh signing: make fmt-merge-msg " Fabian Stelzer
2021-11-17 9:35 ` [PATCH v3 7/7] ssh signing: verify ssh-keygen in test prereq Fabian Stelzer
2021-11-19 6:15 ` Junio C Hamano
2021-11-30 14:11 ` [PATCH v4 0/7] ssh signing: verify key lifetime Fabian Stelzer
2021-11-30 14:11 ` [PATCH v4 1/7] ssh signing: use sigc struct to pass payload Fabian Stelzer
2021-11-30 14:11 ` [PATCH v4 2/7] ssh signing: add key lifetime test prereqs Fabian Stelzer
2021-11-30 14:11 ` [PATCH v4 3/7] ssh signing: make verify-commit consider key lifetime Fabian Stelzer
2021-11-30 14:11 ` [PATCH v4 4/7] ssh signing: make git log verify " Fabian Stelzer
2021-11-30 14:11 ` [PATCH v4 5/7] ssh signing: make verify-tag consider " Fabian Stelzer
2021-11-30 14:11 ` [PATCH v4 6/7] ssh signing: make fmt-merge-msg " Fabian Stelzer
2021-12-05 19:23 ` SZEDER Gábor
2021-12-08 15:59 ` Fabian Stelzer
2021-11-30 14:11 ` [PATCH v4 7/7] ssh signing: verify ssh-keygen in test prereq Fabian Stelzer
2021-12-02 0:18 ` Junio C Hamano
2021-12-02 9:31 ` Fabian Stelzer
2021-12-02 17:10 ` Junio C Hamano
2021-12-03 11:07 ` Ævar Arnfjörð Bjarmason
2021-12-03 12:20 ` Fabian Stelzer
2021-12-03 18:46 ` Junio C Hamano
2021-12-08 16:33 ` [PATCH v5 0/8] ssh signing: verify key lifetime Fabian Stelzer
2021-12-08 16:33 ` [PATCH v5 1/8] ssh signing: use sigc struct to pass payload Fabian Stelzer
2021-12-08 16:33 ` [PATCH v5 2/8] ssh signing: add key lifetime test prereqs Fabian Stelzer
2021-12-08 16:33 ` [PATCH v5 3/8] ssh signing: make verify-commit consider key lifetime Fabian Stelzer
2021-12-08 16:33 ` Fabian Stelzer [this message]
2021-12-08 16:33 ` [PATCH v5 5/8] ssh signing: make verify-tag " Fabian Stelzer
2021-12-08 16:33 ` [PATCH v5 6/8] ssh signing: make fmt-merge-msg " Fabian Stelzer
2021-12-08 16:33 ` [PATCH v5 7/8] ssh signing: verify ssh-keygen in test prereq Fabian Stelzer
2021-12-08 16:33 ` [PATCH v5 8/8] t/fmt-merge-msg: make gpg/ssh tests more specific Fabian Stelzer
2021-12-08 23:20 ` Junio C Hamano
2021-12-09 8:36 ` Fabian Stelzer
2021-12-09 8:52 ` [PATCH v6 0/9] ssh signing: verify key lifetime Fabian Stelzer
2021-12-09 8:52 ` [PATCH v6 1/9] t/fmt-merge-msg: do not redirect stderr Fabian Stelzer
2021-12-09 8:52 ` [PATCH v6 2/9] t/fmt-merge-msg: make gpgssh tests more specific Fabian Stelzer
2021-12-09 8:52 ` [PATCH v6 3/9] ssh signing: use sigc struct to pass payload Fabian Stelzer
2021-12-09 8:52 ` [PATCH v6 4/9] ssh signing: add key lifetime test prereqs Fabian Stelzer
2021-12-09 8:52 ` [PATCH v6 5/9] ssh signing: make verify-commit consider key lifetime Fabian Stelzer
2021-12-09 8:52 ` [PATCH v6 6/9] ssh signing: make git log verify " Fabian Stelzer
2021-12-09 8:52 ` [PATCH v6 7/9] ssh signing: make verify-tag consider " Fabian Stelzer
2021-12-09 8:52 ` [PATCH v6 8/9] ssh signing: make fmt-merge-msg " Fabian Stelzer
2021-12-09 8:52 ` [PATCH v6 9/9] ssh signing: verify ssh-keygen in test prereq Fabian Stelzer
2021-10-27 8:06 ` [PATCH v2 4/6] ssh signing: make git log verify key lifetime Fabian Stelzer
2021-10-27 8:06 ` [PATCH v2 5/6] ssh signing: make verify-tag consider " Fabian Stelzer
2021-10-27 8:06 ` [PATCH v2 6/6] ssh signing: make fmt-merge-msg " Fabian Stelzer
2021-11-03 19:27 ` [PATCH v2 0/6] ssh signing: verify " Adam Dinwoodie
2021-11-03 19:45 ` Fabian Stelzer
2021-11-04 16:31 ` Adam Dinwoodie
2021-11-04 16:54 ` Fabian Stelzer
2021-11-04 17:22 ` Adam Dinwoodie
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211208163335.1231795-5-fs@gigacodes.de \
--to=fs@gigacodes.de \
--cc=avarab@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=szeder.dev@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).