blob 848a8233025c8192a0ad9726519742aee4603f42 7663 bytes (raw)
name: t/t7510-signed-commit.sh # note: path name is non-authoritative(*)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
| | #!/bin/sh
test_description='signed commit tests'
. ./test-lib.sh
GNUPGHOME_NOT_USED=$GNUPGHOME
. "$TEST_DIRECTORY/lib-gpg.sh"
test_expect_success 'create fake signing program' '
create_fake_signer
'
test_expect_success GPG 'create signed commits' '
test_when_finished "test_unconfig commit.gpgsign" &&
echo 1 >file && git add file &&
test_tick && git commit -S -m initial &&
git tag initial &&
git branch side &&
echo 2 >file && test_tick && git commit -a -S -m second &&
git tag second &&
git checkout side &&
echo 3 >elif && git add elif &&
test_tick && git commit -m "third on side" &&
git checkout master &&
test_tick && git merge -S side &&
git tag merge &&
echo 4 >file && test_tick && git commit -a -m "fourth unsigned" &&
git tag fourth-unsigned &&
test_tick && git commit --amend -S -m "fourth signed" &&
git tag fourth-signed &&
git config commit.gpgsign true &&
echo 5 >file && test_tick && git commit -a -m "fifth signed" &&
git tag fifth-signed &&
git config commit.gpgsign false &&
echo 6 >file && test_tick && git commit -a -m "sixth" &&
git tag sixth-unsigned &&
git config commit.gpgsign true &&
echo 7 >file && test_tick && git commit -a -m "seventh" --no-gpg-sign &&
git tag seventh-unsigned &&
test_tick && git rebase -f HEAD^^ && git tag sixth-signed HEAD^ &&
git tag seventh-signed &&
echo 8 >file && test_tick && git commit -a -m eighth -SB7227189 &&
git tag eighth-signed-alt &&
# commit.gpgsign is still on but this must not be signed
git tag ninth-unsigned $(echo 9 | git commit-tree HEAD^{tree}) &&
# explicit -S of course must sign.
git tag tenth-signed $(echo 9 | git commit-tree -S HEAD^{tree}) &&
git config signingtool.fake.program "$TRASH_DIRECTORY/fake-signer" &&
git config signingtool.fake.pemtype "FAKE SIGNER SIGNATURE" &&
echo 11 >file && test_tick && git commit -a -m eleventh &&
git tag eleventh-pgp-signed &&
git cat-file -p eleventh-pgp-signed >actual &&
grep "PGP SIGNATURE" actual &&
git config gpg.program "$TRASH_DIRECTORY/fake-signer" &&
echo 12 >file && test_tick && git commit -a -m twelfth && test_unconfig gpg.program &&
git tag twelfth-fake-signed &&
git cat-file -p twelfth-fake-signed >actual &&
grep "FAKE SIGNER SIGNATURE" actual &&
git config signingtool.default fake &&
echo 13 >file && test_tick && git commit -a -m thirteenth && test_unconfig signingtool.default &&
git tag thirteenth-fake-signed &&
git cat-file -p thirteenth-fake-signed >actual &&
grep "FAKE SIGNER SIGNATURE" actual
'
test_expect_success GPG 'verify and show signatures' '
(
for commit in initial second merge fourth-signed \
fifth-signed sixth-signed seventh-signed tenth-signed \
eleventh-pgp-signed twelfth-fake-signed thirteenth-fake-signed
do
git verify-commit $commit &&
git show --pretty=short --show-signature $commit >actual &&
grep "Good signature from" actual &&
! grep "BAD signature from" actual &&
echo $commit OK || exit 1
done
) &&
(
for commit in merge^2 fourth-unsigned sixth-unsigned \
seventh-unsigned ninth-unsigned
do
test_must_fail git verify-commit $commit &&
git show --pretty=short --show-signature $commit >actual &&
! grep "Good signature from" actual &&
! grep "BAD signature from" actual &&
echo $commit OK || exit 1
done
) &&
(
for commit in eighth-signed-alt
do
git show --pretty=short --show-signature $commit >actual &&
grep "Good signature from" actual &&
! grep "BAD signature from" actual &&
grep "not certified" actual &&
echo $commit OK || exit 1
done
)
'
test_expect_success GPG 'verify-commit exits success on untrusted signature' '
git verify-commit eighth-signed-alt 2>actual &&
grep "Good signature from" actual &&
! grep "BAD signature from" actual &&
grep "not certified" actual
'
test_expect_success GPG 'verify signatures with --raw' '
(
for commit in initial second merge fourth-signed fifth-signed sixth-signed \
seventh-signed eleventh-pgp-signed twelfth-fake-signed \
thirteenth-fake-signed
do
git verify-commit --raw $commit 2>actual &&
grep "GOODSIG" actual &&
! grep "BADSIG" actual &&
echo $commit OK || exit 1
done
) &&
(
for commit in merge^2 fourth-unsigned sixth-unsigned seventh-unsigned
do
test_must_fail git verify-commit --raw $commit 2>actual &&
! grep "GOODSIG" actual &&
! grep "BADSIG" actual &&
echo $commit OK || exit 1
done
) &&
(
for commit in eighth-signed-alt
do
git verify-commit --raw $commit 2>actual &&
grep "GOODSIG" actual &&
! grep "BADSIG" actual &&
grep "TRUST_UNDEFINED" actual &&
echo $commit OK || exit 1
done
)
'
test_expect_success GPG 'show signed commit with signature' '
git show -s initial >commit &&
git show -s --show-signature initial >show &&
git verify-commit -v initial >verify.1 2>verify.2 &&
git cat-file commit initial >cat &&
grep -v -e "gpg: " -e "Warning: " show >show.commit &&
grep -e "gpg: " -e "Warning: " show >show.gpg &&
grep -v "^ " cat | grep -v "^gpgsig " >cat.commit &&
test_cmp show.commit commit &&
test_cmp show.gpg verify.2 &&
test_cmp cat.commit verify.1
'
test_expect_success GPG 'detect fudged signature' '
git cat-file commit seventh-signed >raw &&
sed -e "s/seventh/7th forged/" raw >forged1 &&
git hash-object -w -t commit forged1 >forged1.commit &&
! git verify-commit $(cat forged1.commit) &&
git show --pretty=short --show-signature $(cat forged1.commit) >actual1 &&
grep "BAD signature from" actual1 &&
! grep "Good signature from" actual1
'
test_expect_success GPG 'detect fudged signature with NUL' '
git cat-file commit seventh-signed >raw &&
cat raw >forged2 &&
echo Qwik | tr "Q" "\000" >>forged2 &&
git hash-object -w -t commit forged2 >forged2.commit &&
! git verify-commit $(cat forged2.commit) &&
git show --pretty=short --show-signature $(cat forged2.commit) >actual2 &&
grep "BAD signature from" actual2 &&
! grep "Good signature from" actual2
'
test_expect_success GPG 'amending already signed commit' '
git checkout fourth-signed^0 &&
git commit --amend -S --no-edit &&
git verify-commit HEAD &&
git show -s --show-signature HEAD >actual &&
grep "Good signature from" actual &&
! grep "BAD signature from" actual
'
test_expect_success GPG 'show good signature with custom format' '
cat >expect <<-\EOF &&
G
13B6F51ECDDE430D
C O Mitter <committer@example.com>
EOF
git log -1 --format="%G?%n%GK%n%GS" sixth-signed >actual &&
test_cmp expect actual
'
test_expect_success GPG 'show bad signature with custom format' '
cat >expect <<-\EOF &&
B
13B6F51ECDDE430D
C O Mitter <committer@example.com>
EOF
git log -1 --format="%G?%n%GK%n%GS" $(cat forged1.commit) >actual &&
test_cmp expect actual
'
test_expect_success GPG 'show untrusted signature with custom format' '
cat >expect <<-\EOF &&
U
61092E85B7227189
Eris Discordia <discord@example.net>
EOF
git log -1 --format="%G?%n%GK%n%GS" eighth-signed-alt >actual &&
test_cmp expect actual
'
test_expect_success GPG 'show unknown signature with custom format' '
cat >expect <<-\EOF &&
E
61092E85B7227189
EOF
GNUPGHOME="$GNUPGHOME_NOT_USED" git log -1 --format="%G?%n%GK%n%GS" eighth-signed-alt >actual &&
test_cmp expect actual
'
test_expect_success GPG 'show lack of signature with custom format' '
cat >expect <<-\EOF &&
N
EOF
git log -1 --format="%G?%n%GK%n%GS" seventh-unsigned >actual &&
test_cmp expect actual
'
test_expect_success GPG 'log.showsignature behaves like --show-signature' '
test_config log.showsignature true &&
git show initial >actual &&
grep "gpg: Signature made" actual &&
grep "gpg: Good signature" actual
'
test_done
|
debug log:
solving 848a823302 ...
found 848a823302 in https://public-inbox.org/git/20180409204129.43537-9-mastahyeti@gmail.com/
found 762135adea in https://80x24.org/mirrors/git.git
preparing index
index prepared:
100755 762135adea6d4e8594a077f1b52dcb50d49adc4e t/t7510-signed-commit.sh
applying [1/1] https://public-inbox.org/git/20180409204129.43537-9-mastahyeti@gmail.com/
diff --git a/t/t7510-signed-commit.sh b/t/t7510-signed-commit.sh
index 762135adea..848a823302 100755
Checking patch t/t7510-signed-commit.sh...
Applied patch t/t7510-signed-commit.sh cleanly.
index at:
100755 848a8233025c8192a0ad9726519742aee4603f42 t/t7510-signed-commit.sh
(*) Git path names are given by the tree(s) the blob belongs to.
Blobs themselves have no identifier aside from the hash of its contents.^
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).