From: "Ævar Arnfjörð Bjarmason" <avarab@gmail.com>
To: Fabian Stelzer <fs@gigacodes.de>
Cc: Fabian Stelzer via GitGitGadget <gitgitgadget@gmail.com>,
git@vger.kernel.org, Han-Wen Nienhuys <hanwen@google.com>,
"brian m. carlson" <sandals@crustytoothpaste.net>,
"Randall S. Becker" <rsbecker@nexbridge.com>,
Bagas Sanjaya <bagasdotme@gmail.com>,
Hans Jerry Illikainen <hji@dyntopia.com>,
Felipe Contreras <felipe.contreras@gmail.com>,
Eric Sunshine <sunshine@sunshineco.com>,
Gwyneth Morgan <gwymor@tilde.club>,
Jonathan Tan <jonathantanmy@google.com>,
Josh Steadmon <steadmon@google.com>
Subject: Re: t7510-signed-commit.sh hangs on old gpg, regression in 1bfb57f642d (was: [PATCH v8 9/9] ssh signing: test that gpg fails for unknown keys)
Date: Sun, 26 Dec 2021 23:53:47 +0100 [thread overview]
Message-ID: <211227.86h7avezrv.gmgdl@evledraar.gmail.com> (raw)
In-Reply-To: <20211222101326.fwl3wphr3ev6c7wt@fs>
On Wed, Dec 22 2021, Fabian Stelzer wrote:
> On 22.12.2021 04:18, Ævar Arnfjörð Bjarmason wrote:
>>
>>On Fri, Sep 10 2021, Fabian Stelzer via GitGitGadget wrote:
>>
>>> From: Fabian Stelzer <fs@gigacodes.de>
>>>
>>> Test that verify-commit/tag will fail when a gpg key is completely
>>> unknown. To do this we have to generate a key, use it for a signature
>>> and delete it from our keyring aferwards completely.
>>>
>>> Signed-off-by: Fabian Stelzer <fs@gigacodes.de>
>>> +
>>> + cat >keydetails <<-\EOF &&
>>> + Key-Type: RSA
>>> + Key-Length: 2048
>>> + Subkey-Type: RSA
>>> + Subkey-Length: 2048
>>> + Name-Real: Unknown User
>>> + Name-Email: unknown@git.com
>>> + Expire-Date: 0
>>> + %no-ask-passphrase
>>> + %no-protection
>>> + EOF
>>> + gpg --batch --gen-key keydetails &&
>>>
>>The t7510-signed-commit.sh script hangs on startup with this change, and
>>with -vx we show:
>>
>> [...]
>> ++ git tag twelfth-signed-alt 17f06d503ee50df92746c17f6cced6feb5940cf5
>> ++ cat
>> ++ gpg --batch --gen-key keydetails
>> gpg: skipping control `%no-protection' ()
>>
>>This is on a CentOS 7.9 box on the GCC Farm:
>>
>> [avar@gcc135 t]$ uname -a ; gpg --version
>> Linux gcc135.osuosl.org 4.18.0-80.7.2.el7.ppc64le #1 SMP Thu Sep 12 15:45:05 UTC 2019 ppc64le ppc64le ppc64le GNU/Linux
>> gpg (GnuPG) 2.0.22
>> libgcrypt 1.5.3
>> Copyright (C) 2013 Free Software Foundation, Inc.
>> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>> This is free software: you are free to change and redistribute it.
>> There is NO WARRANTY, to the extent permitted by law.
>>
>> Home: ~/.gnupg
>> Supported algorithms:
>> Pubkey: RSA, ?, ?, ELG, DSA
>> Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
>> CAMELLIA128, CAMELLIA192, CAMELLIA256
>> Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
>> Compression: Uncompressed, ZIP, ZLIB, BZIP2
>
> Hm. I have an identical centos 7.9 installation (same
> versions/features) and the key is generated without issues. Does the
> VM maybe have not enough entropy for generating a gpg key?
> Otherwise we could of course pre-generate the key and commit it. I'm
> usually not a fan of this since over time it can become unclear how it
> was generated or if the committed version still matches what would be
> generated today.
> But of course I don't want to slow down CI with rsa key generation stuff :/
> If missing entropy is the problem, then maybe CI could benefit from
> something like haveged in general (other tests might want more entropy
> too).
Late reply. It's not a VM, but yes. I've confirmed that it's due to
/dev/random hanging.
I don't understand why we need to generate a key at all.
It looks like your 1bfb57f642d (ssh signing: test that gpg fails for
unknown keys, 2021-09-10) is just trying to test the case where we sign
with a key, and then don't have that key anymore.
The below POC patch seems to work just as well, and will succeed with:
./t7510-signed-commit.sh --run=1,3
Of course a lot of other tests now fail, because they relied on the
discord@example.net key.
But that seems easily solved by just moving this test to its own file,
or deleting/re-importing the key for just that test or whatever. If we
truly need yet another key why are we making it on the fly instead of
adding it to t/lib-gpg/keyring.gpg like the others?
diff --git a/t/t7510-signed-commit.sh b/t/t7510-signed-commit.sh
index 9882b69ae29..eec2a045cbc 100755
--- a/t/t7510-signed-commit.sh
+++ b/t/t7510-signed-commit.sh
@@ -73,23 +73,11 @@ test_expect_success GPG 'create signed commits' '
test_line_count = 1 oid &&
git tag twelfth-signed-alt $(cat oid) &&
- cat >keydetails <<-\EOF &&
- Key-Type: RSA
- Key-Length: 2048
- Subkey-Type: RSA
- Subkey-Length: 2048
- Name-Real: Unknown User
- Name-Email: unknown@git.com
- Expire-Date: 0
- %no-ask-passphrase
- %no-protection
- EOF
- gpg --batch --gen-key keydetails &&
- echo 13 >file && git commit -a -S"unknown@git.com" -m thirteenth &&
+ echo 13 >file && git commit -a -S"discord@example.net" -m thirteenth &&
git tag thirteenth-signed &&
- DELETE_FINGERPRINT=$(gpg -K --with-colons --fingerprint --batch unknown@git.com | grep "^fpr" | head -n 1 | awk -F ":" "{print \$10;}") &&
+ DELETE_FINGERPRINT=$(gpg -K --with-colons --fingerprint --batch discord@example.net | grep "^fpr" | head -n 1 | awk -F ":" "{print \$10;}") &&
gpg --batch --yes --delete-secret-keys $DELETE_FINGERPRINT &&
- gpg --batch --yes --delete-keys unknown@git.com
+ gpg --batch --yes --delete-keys discord@example.net
'
test_expect_success GPG 'verify and show signatures' '
next prev parent reply other threads:[~2021-12-26 23:02 UTC|newest]
Thread overview: 153+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-06 8:19 [PATCH] Add commit & tag signing/verification via SSH keys using ssh-keygen Fabian Stelzer via GitGitGadget
2021-07-06 10:07 ` Han-Wen Nienhuys
2021-07-06 11:23 ` Fabian Stelzer
2021-07-06 14:44 ` brian m. carlson
2021-07-06 15:33 ` Fabian Stelzer
2021-07-06 15:04 ` Junio C Hamano
2021-07-06 15:45 ` Fabian Stelzer
2021-07-06 17:55 ` Junio C Hamano
2021-07-06 19:39 ` Randall S. Becker
2021-07-07 6:26 ` Bagas Sanjaya
2021-07-07 8:48 ` Fabian Stelzer
2021-07-12 12:19 ` [PATCH v2] Add commit, tag & push " Fabian Stelzer via GitGitGadget
2021-07-12 16:55 ` Ævar Arnfjörð Bjarmason
2021-07-12 20:35 ` Fabian Stelzer
2021-07-12 21:16 ` Felipe Contreras
2021-07-14 12:10 ` [PATCH v3 0/9] RFC: Add commit & tag " Fabian Stelzer via GitGitGadget
2021-07-14 12:10 ` [PATCH v3 1/9] Add commit, tag & push signing via SSH keys Fabian Stelzer via GitGitGadget
2021-07-14 18:19 ` Junio C Hamano
2021-07-14 23:57 ` Eric Sunshine
2021-07-15 8:20 ` Fabian Stelzer
2021-07-14 12:10 ` [PATCH v3 2/9] ssh signing: add documentation Fabian Stelzer via GitGitGadget
2021-07-14 20:07 ` Junio C Hamano
2021-07-15 8:48 ` Fabian Stelzer
2021-07-15 10:43 ` Bagas Sanjaya
2021-07-15 16:29 ` Junio C Hamano
2021-07-14 12:10 ` [PATCH v3 3/9] ssh signing: retrieve a default key from ssh-agent Fabian Stelzer via GitGitGadget
2021-07-14 20:20 ` Junio C Hamano
2021-07-15 7:49 ` Han-Wen Nienhuys
2021-07-15 8:06 ` Fabian Stelzer
2021-07-15 8:13 ` Fabian Stelzer
2021-07-14 12:10 ` [PATCH v3 4/9] ssh signing: sign using either gpg or ssh keys Fabian Stelzer via GitGitGadget
2021-07-14 20:32 ` Junio C Hamano
2021-07-15 8:28 ` Fabian Stelzer
2021-07-14 12:10 ` [PATCH v3 5/9] ssh signing: provide a textual representation of the signing key Fabian Stelzer via GitGitGadget
2021-07-14 12:10 ` [PATCH v3 6/9] ssh signing: parse ssh-keygen output and verify signatures Fabian Stelzer via GitGitGadget
2021-07-16 0:07 ` Gwyneth Morgan
2021-07-16 7:00 ` Fabian Stelzer
2021-07-14 12:10 ` [PATCH v3 7/9] ssh signing: add test prereqs Fabian Stelzer via GitGitGadget
2021-07-14 12:10 ` [PATCH v3 8/9] ssh signing: duplicate t7510 tests for commits Fabian Stelzer via GitGitGadget
2021-07-14 12:10 ` [PATCH v3 9/9] ssh signing: add more tests for logs, tags & push certs Fabian Stelzer via GitGitGadget
2021-07-19 13:33 ` [PATCH v4 0/9] ssh signing: Add commit & tag signing/verification via SSH keys using ssh-keygen Fabian Stelzer via GitGitGadget
2021-07-19 13:33 ` [PATCH v4 1/9] ssh signing: preliminary refactoring and clean-up Fabian Stelzer via GitGitGadget
2021-07-19 23:07 ` Junio C Hamano
2021-07-19 13:33 ` [PATCH v4 2/9] ssh signing: add ssh signature format and signing using ssh keys Fabian Stelzer via GitGitGadget
2021-07-19 23:53 ` Junio C Hamano
2021-07-20 12:26 ` Fabian Stelzer
2021-07-19 13:33 ` [PATCH v4 3/9] ssh signing: retrieve a default key from ssh-agent Fabian Stelzer via GitGitGadget
2021-07-19 13:33 ` [PATCH v4 4/9] ssh signing: provide a textual representation of the signing key Fabian Stelzer via GitGitGadget
2021-07-19 13:33 ` [PATCH v4 5/9] ssh signing: parse ssh-keygen output and verify signatures Fabian Stelzer via GitGitGadget
2021-07-19 13:33 ` [PATCH v4 6/9] ssh signing: add test prereqs Fabian Stelzer via GitGitGadget
2021-07-19 13:33 ` [PATCH v4 7/9] ssh signing: duplicate t7510 tests for commits Fabian Stelzer via GitGitGadget
2021-07-19 13:33 ` [PATCH v4 8/9] ssh signing: add more tests for logs, tags & push certs Fabian Stelzer via GitGitGadget
2021-07-19 13:33 ` [PATCH v4 9/9] ssh signing: add documentation Fabian Stelzer via GitGitGadget
2021-07-20 0:38 ` [PATCH v4 0/9] ssh signing: Add commit & tag signing/verification via SSH keys using ssh-keygen Junio C Hamano
2021-07-27 13:15 ` [PATCH v5 " Fabian Stelzer via GitGitGadget
2021-07-27 13:15 ` [PATCH v5 1/9] ssh signing: preliminary refactoring and clean-up Fabian Stelzer via GitGitGadget
2021-07-27 13:15 ` [PATCH v5 2/9] ssh signing: add ssh signature format and signing using ssh keys Fabian Stelzer via GitGitGadget
2021-07-27 13:15 ` [PATCH v5 3/9] ssh signing: retrieve a default key from ssh-agent Fabian Stelzer via GitGitGadget
2021-07-27 13:15 ` [PATCH v5 4/9] ssh signing: provide a textual representation of the signing key Fabian Stelzer via GitGitGadget
2021-07-27 13:15 ` [PATCH v5 5/9] ssh signing: parse ssh-keygen output and verify signatures Fabian Stelzer via GitGitGadget
2021-07-27 13:15 ` [PATCH v5 6/9] ssh signing: add test prereqs Fabian Stelzer via GitGitGadget
2021-07-27 13:15 ` [PATCH v5 7/9] ssh signing: duplicate t7510 tests for commits Fabian Stelzer via GitGitGadget
2021-07-27 13:15 ` [PATCH v5 8/9] ssh signing: add more tests for logs, tags & push certs Fabian Stelzer via GitGitGadget
2021-07-27 13:15 ` [PATCH v5 9/9] ssh signing: add documentation Fabian Stelzer via GitGitGadget
2021-07-28 19:36 ` [PATCH v6 0/9] ssh signing: Add commit & tag signing/verification via SSH keys using ssh-keygen Fabian Stelzer via GitGitGadget
2021-07-28 19:36 ` [PATCH v6 1/9] ssh signing: preliminary refactoring and clean-up Fabian Stelzer via GitGitGadget
2021-07-28 22:32 ` Jonathan Tan
2021-07-29 0:58 ` Junio C Hamano
2021-07-29 7:44 ` Fabian Stelzer
2021-07-29 8:43 ` Fabian Stelzer
2021-07-28 19:36 ` [PATCH v6 2/9] ssh signing: add ssh signature format and signing using ssh keys Fabian Stelzer via GitGitGadget
2021-07-28 22:45 ` Jonathan Tan
2021-07-29 1:01 ` Junio C Hamano
2021-07-29 11:01 ` Fabian Stelzer
2021-07-29 19:09 ` Josh Steadmon
2021-07-29 21:25 ` Fabian Stelzer
2021-07-28 19:36 ` [PATCH v6 3/9] ssh signing: retrieve a default key from ssh-agent Fabian Stelzer via GitGitGadget
2021-07-28 21:29 ` Junio C Hamano
2021-07-28 22:48 ` Jonathan Tan
2021-07-29 8:59 ` Fabian Stelzer
2021-07-29 19:09 ` Josh Steadmon
2021-07-29 19:56 ` Junio C Hamano
2021-07-29 21:21 ` Fabian Stelzer
2021-07-28 19:36 ` [PATCH v6 4/9] ssh signing: provide a textual representation of the signing key Fabian Stelzer via GitGitGadget
2021-07-28 21:34 ` Junio C Hamano
2021-07-29 8:21 ` Fabian Stelzer
2021-07-28 19:36 ` [PATCH v6 5/9] ssh signing: parse ssh-keygen output and verify signatures Fabian Stelzer via GitGitGadget
2021-07-28 21:55 ` Junio C Hamano
2021-07-29 9:12 ` Fabian Stelzer
2021-07-29 20:43 ` Junio C Hamano
2021-07-28 23:04 ` Jonathan Tan
2021-07-29 9:48 ` Fabian Stelzer
2021-07-29 13:52 ` Fabian Stelzer
2021-08-03 7:43 ` Fabian Stelzer
2021-08-03 9:33 ` Fabian Stelzer
2021-07-29 20:46 ` Junio C Hamano
2021-07-29 21:01 ` Randall S. Becker
2021-07-29 21:12 ` Fabian Stelzer
2021-07-29 21:25 ` Randall S. Becker
2021-07-29 21:28 ` Fabian Stelzer
2021-07-29 22:28 ` Randall S. Becker
2021-07-30 8:17 ` Fabian Stelzer
2021-07-30 14:26 ` Randall S. Becker
2021-07-30 14:32 ` Fabian Stelzer
2021-07-30 15:05 ` Randall S. Becker
2021-07-28 19:36 ` [PATCH v6 6/9] ssh signing: add test prereqs Fabian Stelzer via GitGitGadget
2021-07-29 19:09 ` Josh Steadmon
2021-07-29 19:57 ` Junio C Hamano
2021-07-30 7:32 ` Fabian Stelzer
2021-07-28 19:36 ` [PATCH v6 7/9] ssh signing: duplicate t7510 tests for commits Fabian Stelzer via GitGitGadget
2021-07-28 19:36 ` [PATCH v6 8/9] ssh signing: add more tests for logs, tags & push certs Fabian Stelzer via GitGitGadget
2021-07-28 19:36 ` [PATCH v6 9/9] ssh signing: add documentation Fabian Stelzer via GitGitGadget
2021-07-29 8:19 ` [PATCH v6 0/9] ssh signing: Add commit & tag signing/verification via SSH keys using ssh-keygen Bagas Sanjaya
2021-07-29 11:03 ` Fabian Stelzer
2021-08-03 13:45 ` [PATCH v7 " Fabian Stelzer via GitGitGadget
2021-08-03 13:45 ` [PATCH v7 1/9] ssh signing: preliminary refactoring and clean-up Fabian Stelzer via GitGitGadget
2021-08-03 13:45 ` [PATCH v7 2/9] ssh signing: add test prereqs Fabian Stelzer via GitGitGadget
2021-08-03 13:45 ` [PATCH v7 3/9] ssh signing: add ssh key format and signing code Fabian Stelzer via GitGitGadget
2021-08-03 13:45 ` [PATCH v7 4/9] ssh signing: retrieve a default key from ssh-agent Fabian Stelzer via GitGitGadget
2021-08-03 13:45 ` [PATCH v7 5/9] ssh signing: provide a textual signing_key_id Fabian Stelzer via GitGitGadget
2021-08-03 13:45 ` [PATCH v7 6/9] ssh signing: verify signatures using ssh-keygen Fabian Stelzer via GitGitGadget
2021-08-03 23:47 ` Junio C Hamano
2021-08-04 9:01 ` Fabian Stelzer
2021-08-04 17:32 ` Junio C Hamano
2021-08-03 13:45 ` [PATCH v7 7/9] ssh signing: duplicate t7510 tests for commits Fabian Stelzer via GitGitGadget
2021-08-03 13:45 ` [PATCH v7 8/9] ssh signing: tests for logs, tags & push certs Fabian Stelzer via GitGitGadget
2021-08-03 13:45 ` [PATCH v7 9/9] ssh signing: test that gpg fails for unkown keys Fabian Stelzer via GitGitGadget
2021-08-29 22:15 ` [PATCH v7 0/9] ssh signing: Add commit & tag signing/verification via SSH keys using ssh-keygen Junio C Hamano
2021-08-29 23:56 ` Gwyneth Morgan
2021-08-30 10:35 ` Fabian Stelzer
2021-09-07 17:35 ` Junio C Hamano
2021-09-10 8:03 ` Fabian Stelzer
2021-09-10 18:44 ` Junio C Hamano
2021-09-10 19:49 ` Fabian Stelzer
2021-09-10 20:20 ` Carlo Arenas
2021-09-10 20:07 ` [PATCH v8 " Fabian Stelzer via GitGitGadget
2021-09-10 20:07 ` [PATCH v8 1/9] ssh signing: preliminary refactoring and clean-up Fabian Stelzer via GitGitGadget
2021-09-10 20:07 ` [PATCH v8 2/9] ssh signing: add test prereqs Fabian Stelzer via GitGitGadget
2021-09-10 20:07 ` [PATCH v8 3/9] ssh signing: add ssh key format and signing code Fabian Stelzer via GitGitGadget
2021-09-10 20:07 ` [PATCH v8 4/9] ssh signing: retrieve a default key from ssh-agent Fabian Stelzer via GitGitGadget
2021-09-10 20:07 ` [PATCH v8 5/9] ssh signing: provide a textual signing_key_id Fabian Stelzer via GitGitGadget
2021-09-10 20:07 ` [PATCH v8 6/9] ssh signing: verify signatures using ssh-keygen Fabian Stelzer via GitGitGadget
2021-09-10 20:07 ` [PATCH v8 7/9] ssh signing: duplicate t7510 tests for commits Fabian Stelzer via GitGitGadget
2021-09-10 20:07 ` [PATCH v8 8/9] ssh signing: tests for logs, tags & push certs Fabian Stelzer via GitGitGadget
2021-09-10 20:07 ` [PATCH v8 9/9] ssh signing: test that gpg fails for unknown keys Fabian Stelzer via GitGitGadget
2021-12-22 3:18 ` t7510-signed-commit.sh hangs on old gpg, regression in 1bfb57f642d (was: [PATCH v8 9/9] ssh signing: test that gpg fails for unknown keys) Ævar Arnfjörð Bjarmason
2021-12-22 10:13 ` Fabian Stelzer
2021-12-22 15:58 ` brian m. carlson
2021-12-26 22:53 ` Ævar Arnfjörð Bjarmason [this message]
2021-12-30 11:10 ` Fabian Stelzer
2021-09-10 20:23 ` [PATCH v8 0/9] ssh signing: Add commit & tag signing/verification via SSH keys using ssh-keygen Junio C Hamano
2021-09-10 20:48 ` Fabian Stelzer
2021-09-10 21:01 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=211227.86h7avezrv.gmgdl@evledraar.gmail.com \
--to=avarab@gmail.com \
--cc=bagasdotme@gmail.com \
--cc=felipe.contreras@gmail.com \
--cc=fs@gigacodes.de \
--cc=git@vger.kernel.org \
--cc=gitgitgadget@gmail.com \
--cc=gwymor@tilde.club \
--cc=hanwen@google.com \
--cc=hji@dyntopia.com \
--cc=jonathantanmy@google.com \
--cc=rsbecker@nexbridge.com \
--cc=sandals@crustytoothpaste.net \
--cc=steadmon@google.com \
--cc=sunshine@sunshineco.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).