[PATCH v3 0/7] X509 (gpgsm) commit signing support

[PATCH v3 0/7] X509 (gpgsm) commit signing support

[Henning Schild]

Changes in v3:
 - drop patches 1 and 2 known from < v3, see pu hs/push-cert-check-cleanup
 - dropped some testcases from p6, added two t7004 bad key/sig
 - ship a binary x509 certificate for tests, no generation anymore
 - silence gpgsm in tests
 - switch all tests to use test_config instead of "git config"
 - p4 deal with invalid input
 - p3 several refactorings, see "PATCH v2 5/9" discussion

Changes in v2:
 - removed trailing commas in array initializers and add leading space
 - replaced assert(0) with BUG in p5
 - consolidated 2 format lookups reusing get_format_data p5
 - changed from format "PGP" to "openpgp", later X509 to "x509"
 - use strcasecmp instead of strcmp for format matching
 - introduce gpg.<format>.program in p8, no gpg.programX509 anymore
 - moved t/7510 patch inbetween the two patches changing validation code
 - changed t/7510 patch to use test_config and test_must_fail

This series adds support for signing commits with gpgsm.

The first 5 patches prepare for the introduction of the actual feature in
patch 6.
Finally patch 7 extends the testsuite to cover the new feature.

This series can be seen as a follow up of a series that appeared under
the name "gpg-interface: Multiple signing tools" in april 2018 [1]. After
that series was not merged i decided to get my patches ready. The
original series aimed at being generic for any sort of signing tool, while
this series just introduced the X509 variant of gpg. (gpgsm)
I collected authors and reviewers of that first series and already put them
on cc.

[1] https://public-inbox.org/git/20180409204129.43537-1-mastahyeti@gmail.com/

Henning Schild (7):
  gpg-interface: add new config to select how to sign a commit
  t/t7510: check the validation of the new config gpg.format
  gpg-interface: introduce an abstraction for multiple gpg formats
  gpg-interface: do not hardcode the key string len anymore
  gpg-interface: introduce new config to select per gpg format program
  gpg-interface: introduce new signature format "x509" using gpgsm
  gpg-interface t: extend the existing GPG tests with GPGSM

 Documentation/config.txt   |  10 +++++
 gpg-interface.c            |  95 ++++++++++++++++++++++++++++++++++++---------
 t/lib-gpg.sh               |  28 ++++++++++++-
 t/lib-gpg/gpgsm-gen-key.in |   8 ++++
 t/lib-gpg/gpgsm_cert.p12   | Bin 0 -> 2652 bytes
 t/t4202-log.sh             |  39 +++++++++++++++++++
 t/t5534-push-signed.sh     |  52 +++++++++++++++++++++++++
 t/t7004-tag.sh             |  13 +++++++
 t/t7030-verify-tag.sh      |  33 ++++++++++++++++
 t/t7510-signed-commit.sh   |   9 +++++
 10 files changed, 268 insertions(+), 19 deletions(-)
 create mode 100644 t/lib-gpg/gpgsm-gen-key.in
 create mode 100644 t/lib-gpg/gpgsm_cert.p12

-- 
2.16.4

[PATCH v3 1/7] gpg-interface: add new config to select how to sign a commit

[Henning Schild]

Add "gpg.format" where the user can specify which type of signature to
use for commits. At the moment only "openpgp" is supported and the value is
not even used. This commit prepares for a new types of signatures.

Signed-off-by: Henning Schild <henning.schild@siemens.com>
---
 Documentation/config.txt | 4 ++++
 gpg-interface.c          | 7 +++++++
 2 files changed, 11 insertions(+)

diff --git a/Documentation/config.txt b/Documentation/config.txt
index 1cc18a828..ac373e3f4 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1828,6 +1828,10 @@ gpg.program::
 	signed, and the program is expected to send the result to its
 	standard output.
 
+gpg.format::
+	Specifies which key format to use when signing with `--gpg-sign`.
+	Default is "openpgp", that is also the only supported value.
+
 gui.commitMsgWidth::
 	Defines how wide the commit message window is in the
 	linkgit:git-gui[1]. "75" is the default.
diff --git a/gpg-interface.c b/gpg-interface.c
index 09ddfbc26..960c40086 100644
--- a/gpg-interface.c
+++ b/gpg-interface.c
@@ -7,6 +7,7 @@
 #include "tempfile.h"
 
 static char *configured_signing_key;
+static const char *gpg_format = "openpgp";
 static const char *gpg_program = "gpg";
 
 #define PGP_SIGNATURE "-----BEGIN PGP SIGNATURE-----"
@@ -138,6 +139,12 @@ int git_gpg_config(const char *var, const char *value, void *cb)
 		return 0;
 	}
 
+	if (!strcmp(var, "gpg.format")) {
+		if (value && strcasecmp(value, "openpgp"))
+			return error("malformed value for %s: %s", var, value);
+		return git_config_string(&gpg_format, var, value);
+	}
+
 	if (!strcmp(var, "gpg.program")) {
 		if (!value)
 			return config_error_nonbool(var);
-- 
2.16.4

[PATCH v3 2/7] t/t7510: check the validation of the new config gpg.format

[Henning Schild]

Test setting gpg.format to both invalid and valid values.

Signed-off-by: Henning Schild <henning.schild@siemens.com>
---
 t/t7510-signed-commit.sh | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/t/t7510-signed-commit.sh b/t/t7510-signed-commit.sh
index 6e2015ed9..1b6a1dd90 100755
--- a/t/t7510-signed-commit.sh
+++ b/t/t7510-signed-commit.sh
@@ -227,4 +227,13 @@ test_expect_success GPG 'log.showsignature behaves like --show-signature' '
 	grep "gpg: Good signature" actual
 '
 
+test_expect_success GPG 'check config gpg.format values' '
+	test_config gpg.format openpgp &&
+	git commit -S --amend -m "success" &&
+	test_config gpg.format OpEnPgP &&
+	git commit -S --amend -m "success" &&
+	test_config gpg.format malformed &&
+	test_must_fail git commit -S --amend -m "fail"
+'
+
 test_done
-- 
2.16.4

[PATCH v3 3/7] gpg-interface: introduce an abstraction for multiple gpg formats

[Henning Schild]

Create a struct that holds the format details for the supported formats.
At the moment that is still just "openpgp". This commit prepares for the
introduction of more formats, that might use other programs and match
other signatures.

Signed-off-by: Henning Schild <henning.schild@siemens.com>
---
 gpg-interface.c | 84 ++++++++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 63 insertions(+), 21 deletions(-)

diff --git a/gpg-interface.c b/gpg-interface.c
index 960c40086..699651fd9 100644
--- a/gpg-interface.c
+++ b/gpg-interface.c
@@ -7,11 +7,46 @@
 #include "tempfile.h"
 
 static char *configured_signing_key;
-static const char *gpg_format = "openpgp";
-static const char *gpg_program = "gpg";
+struct gpg_format {
+	const char *name;
+	const char *program;
+	const char **extra_args_verify;
+	const char **sigs;
+};
+
+static const char *openpgp_verify_args[] = { "--keyid-format=long", NULL };
+static const char *openpgp_sigs[] = {
+	"-----BEGIN PGP SIGNATURE-----",
+	"-----BEGIN PGP MESSAGE-----", NULL };
+
+static struct gpg_format gpg_formats[] = {
+	{ .name = "openpgp", .program = "gpg",
+	  .extra_args_verify = openpgp_verify_args,
+	  .sigs = openpgp_sigs
+	},
+};
+static struct gpg_format *current_format = &gpg_formats[0];
+
+static struct gpg_format *get_format_by_name(const char *str)
+{
+	int i;
+
+	for (i = 0; i < ARRAY_SIZE(gpg_formats); i++)
+		if (!strcasecmp(gpg_formats[i].name, str))
+			return gpg_formats + i;
+	return NULL;
+}
 
-#define PGP_SIGNATURE "-----BEGIN PGP SIGNATURE-----"
-#define PGP_MESSAGE "-----BEGIN PGP MESSAGE-----"
+static struct gpg_format *get_format_by_sig(const char *sig)
+{
+	int i, j;
+
+	for (i = 0; i < ARRAY_SIZE(gpg_formats); i++)
+		for (j = 0; gpg_formats[i].sigs[j]; j++)
+			if (starts_with(sig, gpg_formats[i].sigs[j]))
+				return gpg_formats + i;
+	return NULL;
+}
 
 void signature_check_clear(struct signature_check *sigc)
 {
@@ -102,12 +137,6 @@ void print_signature_buffer(const struct signature_check *sigc, unsigned flags)
 		fputs(output, stderr);
 }
 
-static int is_gpg_start(const char *line)
-{
-	return starts_with(line, PGP_SIGNATURE) ||
-		starts_with(line, PGP_MESSAGE);
-}
-
 size_t parse_signature(const char *buf, size_t size)
 {
 	size_t len = 0;
@@ -115,7 +144,7 @@ size_t parse_signature(const char *buf, size_t size)
 	while (len < size) {
 		const char *eol;
 
-		if (is_gpg_start(buf + len))
+		if (get_format_by_sig(buf + len))
 			match = len;
 
 		eol = memchr(buf + len, '\n', size - len);
@@ -132,6 +161,9 @@ void set_signing_key(const char *key)
 
 int git_gpg_config(const char *var, const char *value, void *cb)
 {
+	struct gpg_format *fmt = NULL;
+	char *fmtname = NULL;
+
 	if (!strcmp(var, "user.signingkey")) {
 		if (!value)
 			return config_error_nonbool(var);
@@ -140,18 +172,23 @@ int git_gpg_config(const char *var, const char *value, void *cb)
 	}
 
 	if (!strcmp(var, "gpg.format")) {
-		if (value && strcasecmp(value, "openpgp"))
-			return error("malformed value for %s: %s", var, value);
-		return git_config_string(&gpg_format, var, value);
-	}
-
-	if (!strcmp(var, "gpg.program")) {
 		if (!value)
 			return config_error_nonbool(var);
-		gpg_program = xstrdup(value);
+		fmt = get_format_by_name(value);
+		if (!fmt)
+			return error("malformed value for %s: %s", var, value);
+		current_format = fmt;
 		return 0;
 	}
 
+	if (!strcmp(var, "gpg.program"))
+		fmtname = "openpgp";
+
+	if (fmtname) {
+		fmt = get_format_by_name(fmtname);
+		return git_config_string(&fmt->program, var, value);
+	}
+
 	return 0;
 }
 
@@ -170,7 +207,7 @@ int sign_buffer(struct strbuf *buffer, struct strbuf *signature, const char *sig
 	struct strbuf gpg_status = STRBUF_INIT;
 
 	argv_array_pushl(&gpg.args,
-			 gpg_program,
+			 current_format->program,
 			 "--status-fd=2",
 			 "-bsau", signing_key,
 			 NULL);
@@ -208,6 +245,7 @@ int verify_signed_buffer(const char *payload, size_t payload_size,
 			 struct strbuf *gpg_output, struct strbuf *gpg_status)
 {
 	struct child_process gpg = CHILD_PROCESS_INIT;
+	struct gpg_format *fmt;
 	struct tempfile *temp;
 	int ret;
 	struct strbuf buf = STRBUF_INIT;
@@ -223,10 +261,14 @@ int verify_signed_buffer(const char *payload, size_t payload_size,
 		return -1;
 	}
 
+	fmt = get_format_by_sig(signature);
+	if (!fmt)
+		BUG("bad signature '%s'", signature);
+
+	argv_array_push(&gpg.args, fmt->program);
+	argv_array_pushv(&gpg.args, fmt->extra_args_verify);
 	argv_array_pushl(&gpg.args,
-			 gpg_program,
 			 "--status-fd=1",
-			 "--keyid-format=long",
 			 "--verify", temp->filename.buf, "-",
 			 NULL);
 
-- 
2.16.4

[PATCH v3 4/7] gpg-interface: do not hardcode the key string len anymore

[Henning Schild]

gnupg does print the keyid followed by a space and the signer comes
next. The same pattern is also used in gpgsm, but there the key length
would be 40 instead of 16. Instead of hardcoding the expected length,
find the first space and calculate it.
Input that does not match the expected format will be ignored now,
before we jumped to found+17 which might have been behind the end of an
unexpected string.

Signed-off-by: Henning Schild <henning.schild@siemens.com>
---
 gpg-interface.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/gpg-interface.c b/gpg-interface.c
index 699651fd9..93bd0fb32 100644
--- a/gpg-interface.c
+++ b/gpg-interface.c
@@ -89,10 +89,11 @@ static void parse_gpg_output(struct signature_check *sigc)
 		sigc->result = sigcheck_gpg_status[i].result;
 		/* The trust messages are not followed by key/signer information */
 		if (sigc->result != 'U') {
-			sigc->key = xmemdupz(found, 16);
+			next = strchrnul(found, ' ');
+			sigc->key = xmemdupz(found, next - found);
 			/* The ERRSIG message is not followed by signer information */
-			if (sigc-> result != 'E') {
-				found += 17;
+			if (*next && sigc-> result != 'E') {
+				found = next + 1;
 				next = strchrnul(found, '\n');
 				sigc->signer = xmemdupz(found, next - found);
 			}
-- 
2.16.4

[PATCH v3 5/7] gpg-interface: introduce new config to select per gpg format program

[Henning Schild]

Supporting multiple signing formats we will have the need to configure a
custom program each. Add a new config value to cater for that.

Signed-off-by: Henning Schild <henning.schild@siemens.com>
---
 Documentation/config.txt | 5 +++++
 gpg-interface.c          | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/Documentation/config.txt b/Documentation/config.txt
index ac373e3f4..c0bd80954 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1832,6 +1832,11 @@ gpg.format::
 	Specifies which key format to use when signing with `--gpg-sign`.
 	Default is "openpgp", that is also the only supported value.
 
+gpg.<format>.program::
+	Use this to customize the program used for the signing format you
+	chose. (see gpg.program) gpg.openpgp.program is a synonym for the
+	legacy gpg.program.
+
 gui.commitMsgWidth::
 	Defines how wide the commit message window is in the
 	linkgit:git-gui[1]. "75" is the default.
diff --git a/gpg-interface.c b/gpg-interface.c
index 93bd0fb32..f3c22b551 100644
--- a/gpg-interface.c
+++ b/gpg-interface.c
@@ -182,7 +182,7 @@ int git_gpg_config(const char *var, const char *value, void *cb)
 		return 0;
 	}
 
-	if (!strcmp(var, "gpg.program"))
+	if (!strcmp(var, "gpg.program") || !strcmp(var, "gpg.openpgp.program"))
 		fmtname = "openpgp";
 
 	if (fmtname) {
-- 
2.16.4

[PATCH v3 6/7] gpg-interface: introduce new signature format "x509" using gpgsm

[Henning Schild]

This commit allows git to create and check x509 type signatures using
gpgsm.

Signed-off-by: Henning Schild <henning.schild@siemens.com>
---
 Documentation/config.txt | 5 +++--
 gpg-interface.c          | 9 +++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/Documentation/config.txt b/Documentation/config.txt
index c0bd80954..7cfce4dc8 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1830,12 +1830,13 @@ gpg.program::
 
 gpg.format::
 	Specifies which key format to use when signing with `--gpg-sign`.
-	Default is "openpgp", that is also the only supported value.
+	Default is "openpgp" and another possible value is "x509".
 
 gpg.<format>.program::
 	Use this to customize the program used for the signing format you
 	chose. (see gpg.program) gpg.openpgp.program is a synonym for the
-	legacy gpg.program.
+	legacy gpg.program, while the default gpg.x509.program is "gpgsm".
+
 
 gui.commitMsgWidth::
 	Defines how wide the commit message window is in the
diff --git a/gpg-interface.c b/gpg-interface.c
index f3c22b551..62a9acf68 100644
--- a/gpg-interface.c
+++ b/gpg-interface.c
@@ -18,12 +18,18 @@ static const char *openpgp_verify_args[] = { "--keyid-format=long", NULL };
 static const char *openpgp_sigs[] = {
 	"-----BEGIN PGP SIGNATURE-----",
 	"-----BEGIN PGP MESSAGE-----", NULL };
+static const char *x509_verify_args[] = { NULL };
+static const char *x509_sigs[] = { "-----BEGIN SIGNED MESSAGE-----", NULL };
 
 static struct gpg_format gpg_formats[] = {
 	{ .name = "openpgp", .program = "gpg",
 	  .extra_args_verify = openpgp_verify_args,
 	  .sigs = openpgp_sigs
 	},
+	{ .name = "x509", .program = "gpgsm",
+	  .extra_args_verify = x509_verify_args,
+	  .sigs = x509_sigs
+	},
 };
 static struct gpg_format *current_format = &gpg_formats[0];
 
@@ -185,6 +191,9 @@ int git_gpg_config(const char *var, const char *value, void *cb)
 	if (!strcmp(var, "gpg.program") || !strcmp(var, "gpg.openpgp.program"))
 		fmtname = "openpgp";
 
+	if (!strcmp(var, "gpg.x509.program"))
+		fmtname = "x509";
+
 	if (fmtname) {
 		fmt = get_format_by_name(fmtname);
 		return git_config_string(&fmt->program, var, value);
-- 
2.16.4

[PATCH v3 7/7] gpg-interface t: extend the existing GPG tests with GPGSM

[Henning Schild]

Add test cases to cover the new X509/gpgsm support. Most of them
resemble existing ones. They just switch the format to x509 and set the
signingkey when creating signatures. Validation of signatures does not
need any configuration of git, it does need gpgsm to be configured to
trust the key(-chain).
Several of the testcases build on top of existing gpg testcases.
The commit ships a self-signed key for committer@example.com and
configures gpgsm to trust it.

Signed-off-by: Henning Schild <henning.schild@siemens.com>
---
 t/lib-gpg.sh               |  28 +++++++++++++++++++++++-
 t/lib-gpg/gpgsm-gen-key.in |   8 +++++++
 t/lib-gpg/gpgsm_cert.p12   | Bin 0 -> 2652 bytes
 t/t4202-log.sh             |  39 ++++++++++++++++++++++++++++++++++
 t/t5534-push-signed.sh     |  52 +++++++++++++++++++++++++++++++++++++++++++++
 t/t7004-tag.sh             |  13 ++++++++++++
 t/t7030-verify-tag.sh      |  33 ++++++++++++++++++++++++++++
 7 files changed, 172 insertions(+), 1 deletion(-)
 create mode 100644 t/lib-gpg/gpgsm-gen-key.in
 create mode 100644 t/lib-gpg/gpgsm_cert.p12

diff --git a/t/lib-gpg.sh b/t/lib-gpg.sh
index a5d3b2cba..3fe02876c 100755
--- a/t/lib-gpg.sh
+++ b/t/lib-gpg.sh
@@ -38,7 +38,33 @@ then
 			"$TEST_DIRECTORY"/lib-gpg/ownertrust &&
 		gpg --homedir "${GNUPGHOME}" </dev/null >/dev/null 2>&1 \
 			--sign -u committer@example.com &&
-		test_set_prereq GPG
+		test_set_prereq GPG &&
+		# Available key info:
+		# * see t/lib-gpg/gpgsm-gen-key.in
+		# To generate new certificate:
+		#  * no passphrase
+		#	gpgsm --homedir /tmp/gpghome/ \
+		#		-o /tmp/gpgsm.crt.user \
+		#		--generate-key \
+		#		--batch t/lib-gpg/gpgsm-gen-key.in
+		# To import certificate:
+		#	gpgsm --homedir /tmp/gpghome/ \
+		#		--import /tmp/gpgsm.crt.user
+		# To export into a .p12 we can later import:
+		#	gpgsm --homedir /tmp/gpghome/ \
+		#		-o t/lib-gpg/gpgsm_cert.p12 \
+		#		--export-secret-key-p12 "committer@example.com"
+		echo | gpgsm --homedir "${GNUPGHOME}" 2>/dev/null \
+			--passphrase-fd 0 --pinentry-mode loopback \
+			--import "$TEST_DIRECTORY"/lib-gpg/gpgsm_cert.p12 &&
+		gpgsm --homedir "${GNUPGHOME}" 2>/dev/null -K \
+			| grep fingerprint: | cut -d" " -f4 | tr -d '\n' > \
+			${GNUPGHOME}/trustlist.txt &&
+		echo " S relax" >> ${GNUPGHOME}/trustlist.txt &&
+		(gpgconf --kill gpg-agent >/dev/null 2>&1 || : ) &&
+		echo hello | gpgsm --homedir "${GNUPGHOME}" >/dev/null \
+			-u committer@example.com -o /dev/null --sign - 2>&1 &&
+		test_set_prereq GPGSM
 		;;
 	esac
 fi
diff --git a/t/lib-gpg/gpgsm-gen-key.in b/t/lib-gpg/gpgsm-gen-key.in
new file mode 100644
index 000000000..a7fd87c06
--- /dev/null
+++ b/t/lib-gpg/gpgsm-gen-key.in
@@ -0,0 +1,8 @@
+Key-Type: RSA
+Key-Length: 2048
+Key-Usage: sign
+Serial: random
+Name-DN: CN=C O Mitter, O=Example, SN=C O, GN=Mitter
+Name-Email: committer@example.com
+Not-Before: 1970-01-01 00:00:00
+Not-After: 3000-01-01 00:00:00
diff --git a/t/lib-gpg/gpgsm_cert.p12 b/t/lib-gpg/gpgsm_cert.p12
new file mode 100644
index 0000000000000000000000000000000000000000..94ffad0d31a3b6c4e849b29d960762e485ba7ea8
GIT binary patch
literal 2652
zcmY+Ec{mh|8pQ{*m?2^;S+ivrVaAfiQnHSnA|b+zofwQYAI3haA=!75ZX!!|$-Y*$
zWS5XVvW}3h?sM<`?)~F^&U?;zp7ZAqMS|U-rJ+NSVEkYxG8!9AJx2qf$s@s-fg~8i
zSqwpufKGo`;5-uW&RJwiO9MC)gTEUZ6fYR|?*&F0Fp3FCzs?3aZK`58prxe;gpq&(
zm?nam#=;<-Y>ihd?+EMByF}ef4%bKLwbO{e4U=0LG4jP<8x$`N#5#&@0as@!cSSK>
zh}oaTUi^XPMV(3;kKAjFB5Yq)zn_vnExr>`s&?M}i{A>>$j-{u*Jo)riK{fW!LXet
z)hkG3xgvIpDClY8=o4q?_bD%htwXG!_=;NxVjU=3#{TU0Q@=Z<lvT*(k5Ms*ff#-&
z2TqRbeV}33XyuPwvZ-I?sZHaFvamGBC4C2!1f881gBH^>Mc%6wes*Uy&CAPf=JB(a
zb<9VW4e)@R+qGEgfnewABCPf}mtJOYxL>*jtu9yKk?Fu3UWr~zJ#<*I<w-ZK|I*LI
zZ;8rw5`)@*7P)PnF1bA8hxp<r)dua;u5}jN6VsL8hh!>(Ey>fhA6~_gUvg(8n<*TM
zdXo$0jMn2G$GcM484J8MUx*x=@XWq^uvCnI1jp>#Y_2Y<+T_*yX!uTA$vm7Ugs56O
z@!~>Y?E@FA@{5@ZDHD`TkEeHQ{M2n_Slp%By{89uVia3%>w?IZdvBBX$K*3UzCM7`
zxGZ-dbh^KlF#?RZaS4_^R|%@F5xX0j)vdE&#M1Ch^W+WzQjVH^m|vu9jE@aRtlbcP
z^N<e=%>xHpt!%n59KJ!@-IHzjWw9l;)N}J^LLwLT#Xz!Tq4vWkHTO5#j_1_nvA>#u
zBX5jy&r_5h7PKFH26B<j-};r)Q!~uebz+5*c1Mg6QJ(F}k;)Pa%tHDpyB+C=<T0f@
zfwFZ6@ul;*T2N!H{aNTXl07=zM1?d4W1Mdoev(Ci*EFxl3Kn9{2}%Z4G?!nQiB0g~
zK!#@?oC9CCQGKFoVAa_6+`A{@B5hpW5W9}S5wbSPpAH!LbwNDTkuW=uJj2PG5rxVP
zOCm<+$);+++TyYtcm)5^Bh?n-7yi!ZN#Cz1QN$-pc#5NOa7XPAMXEeas&`7eOn?i*
z`I~LT4t9a!(9AVh`MH;Y67Sxsw6oB&EpdFg^!Wggy4jDhAn44Q^XU0%RWlJGQ^(`*
zNds|sQ@XQ+C*v4Z0aEU6d{m?%#@>8-1BMryQYu8HiW#k_Nq!qB4-5#YH|RDUL_&Ug
z+Y4DwCgmPTpSqu5lU#dxgcf>N8-aXsM}TDNd_~tW$92abZG)0q=Xzr)t;M39D`u~9
zdbi)dKxTXdE3OHN@sCmOGfdNEKC*BgS&ku$LNb1M>x6#MZ_37F<5gz)d_&6)%S0zP
z5_lFp_A5n(wMlQ+_2n%!z1tomK+~=DQ9MC|QDxZ1?2?A{(Dqi(*TE;q4g+&HH;vvX
zI%M?`5*^D+i5eC~tth)c%;)Q^n`$=Nt8=_jLdLg)*d^-BKJ2siLCaLDMJwSxfF|uO
zc}bc4oW*xw>!m!o6BG%Q_CG+$BZ1<8Bv8~@9Da5oV21zT1x7=A#-YtK0ImHWb?E+3
z$NK7MLMBq{?jPy^Nx&Yxu7#tyt@t3@=F07Bf;BHh5A|9FYRL9bIo$1a44s9^Wk41>
zq-0_p!?=F1wYc$wC8sgycQ~IHO0x4@BODYL?(uFu5qaXSm+YP$_!_RrSrzJ#*f(fy
zF)|i|!Ac}}R(rT~U3@SDll^wcX#c1XS5VcvP3@>e?Qfbr5MU*ox<E&+__5!tZR3)5
zgK#+MtH30K<aigPK3I)-o1VspNklu-;b#OuvTW7P`E0*iRGje(=vIgGIK+a12|DRj
zfC{mBlKTVfl0mvi2CwE6^<p}QRoY2?Gq0v*@Ew|@PzC!4y26O^I^!1>y@`fDnT0wr
zw!P*fjd#ErDfYvcz210jWuOc?HIcQE!NG<w`@a6Z=I{{~h6%^La$;>$>ZY5Qu3~pF
z|FQ2yc>7;Y5xC)^=~dQ}KtYR4*&rVa1DmU#%D2UhSl&nsVlEYKn?mrFq8i;s)M4>G
z4;6*=?}rOkcdcDRaf<>E0U#CGt3E0T>H?%&l4K?}KWWdEY9T@1e#=y%n#{&;nJFED
zBsOEs9+}{*EbQQ(!m^<q3U{D4tRpf$#VcmEKg;z4Ra)@4jna!9H%oKlO|x#sXvzQe
z*vV|Gg1MBxCfjLJP*p(~7HWGeV{EUa6&oNlsGd_pNi^M~sGf_a{Ur6qxWq!OXCcF>
z+dYSTfqtiD?X&)@FqTX~m6?3L?tY*9;5BW226VPX+9op7qeeHfpjs}=?&h@GRCCd@
z&h^*W0M;K21!e@=8*%ZH?2o$A`Zq+PIfeOX!~-sSbVb~2g#60Z>?)Oyn5oPKq`BHq
z`~$#(bI&)uDgU7H&mS6iGL956F*bgsukzPoWrMXT(`r7P+s2ko%&VRpliG!Jo{7?}
z!tynAjw*)`T!(JD2<#co`t}vIgGVQH>jj+<lN#PsBUY1^*HL&GBQ3DX@W&J$mbD&8
zO2<?O%%qCYJpAGs0qBqM%x_hXt>^5%f|VBU(NJc0ZC5!CG-MLweP2q)96vc#dbiR3
zF+XSQ1x@jSwy&aL9(N0O{DYng^x^cb=~p@DYoE?yxUBp-THVPLpA(9Ra0&9ym-^L%
zhCQR`rL^4;vnbkrFspSSO?-`-WPju-6x)QWQ|(#C=P{1o;;duD7@nlHC_ut{hb2sg
zv+qeIg!>GP2aP1wtrcgD{Cs2XPc&xTbQHet!LYBJBSWLzl`>2e5_uKD7X~n0Y`-xM
zDeIHEns4J&=JW#V%Q(+^Lyo^~CaXzLIAja$+W19T?_SGvr$XHY>PJhcKWD(yYhr2f
zuKfh_v-BO^a)hB5BVL(UVQkSh-I~z$?rUqy-Vu@G>NMGN?h_Mb>|uGv_u>*ARI%-?
zoOK~Ngifc+#%cv9>CKeu+e3ne_$`6)B5+|`&uK6m!!n<`r0%jOZZ<aI-RsYh=!?eW
zHPO<?)H9C@$qo_6fimc<BgQ9QETCl(5>w%`()rP>%$po??KNxfLz&E$-4+w7_Nx&2
z`AkPchqf!cr7A&%vX6pmCm^C^gK^CXkFgwWIN`hbhu<a@kKJITk{QB~MV4=u@0EMz
zcHzUc+t<F?$;hsB|HdC^l+}Na4$?KQ*iQLy9`^vFv}^q^DP=d?h#CC=W%ge>LfOz*
zel37D;68u|Fg{ZOfCC@^;05pmcmsUTe*9U2JJUbT1>ksgIDp;18i6xs2ao~Co+%!1
z1t5<S{(F`k%>iUPd}lxBq5^&zj`N46L%Rcygnv1p&?rF^6bzDJqNC*o0f21jBIX5I
g0antNnlKhoxNVUlcvb_D9`D2<lq)wC^9R2F1d`soXaE2J

literal 0
HcmV?d00001

diff --git a/t/t4202-log.sh b/t/t4202-log.sh
index 25b1f8cc7..f57781e39 100755
--- a/t/t4202-log.sh
+++ b/t/t4202-log.sh
@@ -1556,12 +1556,28 @@ test_expect_success GPG 'setup signed branch' '
 	git commit -S -m signed_commit
 '
 
+test_expect_success GPGSM 'setup signed branch x509' '
+	test_when_finished "git reset --hard && git checkout master" &&
+	git checkout -b signed-x509 master &&
+	echo foo >foo &&
+	git add foo &&
+	test_config gpg.format x509 &&
+	test_config user.signingkey $GIT_COMMITTER_EMAIL &&
+	git commit -S -m signed_commit
+'
+
 test_expect_success GPG 'log --graph --show-signature' '
 	git log --graph --show-signature -n1 signed >actual &&
 	grep "^| gpg: Signature made" actual &&
 	grep "^| gpg: Good signature" actual
 '
 
+test_expect_success GPGSM 'log --graph --show-signature x509' '
+	git log --graph --show-signature -n1 signed-x509 >actual &&
+	grep "^| gpgsm: Signature made" actual &&
+	grep "^| gpgsm: Good signature" actual
+'
+
 test_expect_success GPG 'log --graph --show-signature for merged tag' '
 	test_when_finished "git reset --hard && git checkout master" &&
 	git checkout -b plain master &&
@@ -1581,6 +1597,29 @@ test_expect_success GPG 'log --graph --show-signature for merged tag' '
 	grep "^| | gpg: Good signature" actual
 '
 
+test_expect_success GPGSM 'log --graph --show-signature for merged tag x509' '
+	test_when_finished "git reset --hard && git checkout master" &&
+	test_config gpg.format x509 &&
+	test_config user.signingkey $GIT_COMMITTER_EMAIL &&
+	git checkout -b plain-x509 master &&
+	echo aaa >bar &&
+	git add bar &&
+	git commit -m bar_commit &&
+	git checkout -b tagged-x509 master &&
+	echo bbb >baz &&
+	git add baz &&
+	git commit -m baz_commit &&
+	git tag -s -m signed_tag_msg signed_tag_x509 &&
+	git checkout plain-x509 &&
+	git merge --no-ff -m msg signed_tag_x509 &&
+	git log --graph --show-signature -n1 plain-x509 >actual &&
+	grep "^|\\\  merged tag" actual &&
+	grep "^| | gpgsm: Signature made" actual &&
+	grep "^| | gpgsm: Good signature" actual &&
+	git config --unset gpg.format &&
+	git config --unset user.signingkey
+'
+
 test_expect_success GPG '--no-show-signature overrides --show-signature' '
 	git log -1 --show-signature --no-show-signature signed >actual &&
 	! grep "^gpg:" actual
diff --git a/t/t5534-push-signed.sh b/t/t5534-push-signed.sh
index 1cea758f7..a3a12bd05 100755
--- a/t/t5534-push-signed.sh
+++ b/t/t5534-push-signed.sh
@@ -218,4 +218,56 @@ test_expect_success GPG 'fail without key and heed user.signingkey' '
 	test_cmp expect dst/push-cert-status
 '
 
+test_expect_success GPGSM 'fail without key and heed user.signingkey x509' '
+	test_config gpg.format x509 &&
+	env | grep GIT > envfile &&
+	prepare_dst &&
+	mkdir -p dst/.git/hooks &&
+	git -C dst config receive.certnonceseed sekrit &&
+	write_script dst/.git/hooks/post-receive <<-\EOF &&
+	# discard the update list
+	cat >/dev/null
+	# record the push certificate
+	if test -n "${GIT_PUSH_CERT-}"
+	then
+		git cat-file blob $GIT_PUSH_CERT >../push-cert
+	fi &&
+
+	cat >../push-cert-status <<E_O_F
+	SIGNER=${GIT_PUSH_CERT_SIGNER-nobody}
+	KEY=${GIT_PUSH_CERT_KEY-nokey}
+	STATUS=${GIT_PUSH_CERT_STATUS-nostatus}
+	NONCE_STATUS=${GIT_PUSH_CERT_NONCE_STATUS-nononcestatus}
+	NONCE=${GIT_PUSH_CERT_NONCE-nononce}
+	E_O_F
+
+	EOF
+	unset GIT_COMMITTER_EMAIL &&
+	git config user.email hasnokey@nowhere.com &&
+	git config user.signingkey "" &&
+	test_must_fail git push --signed dst noop ff +noff &&
+	git config user.signingkey committer@example.com &&
+	git push --signed dst noop ff +noff &&
+
+	(
+		cat <<-\EOF &&
+		SIGNER=/CN=C O Mitter/O=Example/SN=C O/GN=Mitter
+		KEY=
+		STATUS=G
+		NONCE_STATUS=OK
+		EOF
+		sed -n -e "s/^nonce /NONCE=/p" -e "/^$/q" dst/push-cert
+	) >expect.in &&
+	key=$(cat "${GNUPGHOME}/trustlist.txt" | cut -d" " -f1 | tr -d ":") &&
+	sed -e "s/^KEY=/KEY=${key}/" expect.in > expect &&
+
+	noop=$(git rev-parse noop) &&
+	ff=$(git rev-parse ff) &&
+	noff=$(git rev-parse noff) &&
+	grep "$noop $ff refs/heads/ff" dst/push-cert &&
+	grep "$noop $noff refs/heads/noff" dst/push-cert &&
+	test_cmp expect dst/push-cert-status
+'
+
+
 test_done
diff --git a/t/t7004-tag.sh b/t/t7004-tag.sh
index d7b319e91..2147938aa 100755
--- a/t/t7004-tag.sh
+++ b/t/t7004-tag.sh
@@ -1354,6 +1354,19 @@ test_expect_success GPG \
 	'test_config gpg.program echo &&
 	 test_must_fail git tag -s -m tail tag-gpg-failure'
 
+# try to sign with bad user.signingkey
+test_expect_success GPGSM \
+	'git tag -s fails if gpgsm is misconfigured (bad key)' \
+	'test_config user.signingkey BobTheMouse &&
+	 test_config gpg.format x509 &&
+	 test_must_fail git tag -s -m tail tag-gpg-failure'
+
+# try to produce invalid signature
+test_expect_success GPGSM \
+	'git tag -s fails if gpgsm is misconfigured (bad signature format)' \
+	'test_config gpg.x509.program echo &&
+	 test_config gpg.format x509 &&
+	 test_must_fail git tag -s -m tail tag-gpg-failure'
 
 # try to verify without gpg:
 
diff --git a/t/t7030-verify-tag.sh b/t/t7030-verify-tag.sh
index 291a1e2b0..db6295d65 100755
--- a/t/t7030-verify-tag.sh
+++ b/t/t7030-verify-tag.sh
@@ -41,6 +41,13 @@ test_expect_success GPG 'create signed tags' '
 	git tag -uB7227189 -m eighth eighth-signed-alt
 '
 
+test_expect_success GPGSM 'create signed tags x509 ' '
+	test_config gpg.format x509 &&
+	test_config user.signingkey $GIT_COMMITTER_EMAIL &&
+	echo 9 >file && test_tick && git commit -a -m "nineth gpgsm-signed" &&
+	git tag -s -m nineth nineth-signed-x509
+'
+
 test_expect_success GPG 'verify and show signatures' '
 	(
 		for tag in initial second merge fourth-signed sixth-signed seventh-signed
@@ -72,6 +79,13 @@ test_expect_success GPG 'verify and show signatures' '
 	)
 '
 
+test_expect_success GPGSM 'verify and show signatures x509' '
+	git verify-tag nineth-signed-x509 2>actual &&
+	grep "Good signature from" actual &&
+	! grep "BAD signature from" actual &&
+	echo nineth-signed-x509 OK
+'
+
 test_expect_success GPG 'detect fudged signature' '
 	git cat-file tag seventh-signed >raw &&
 	sed -e "/^tag / s/seventh/7th forged/" raw >forged1 &&
@@ -112,6 +126,12 @@ test_expect_success GPG 'verify signatures with --raw' '
 	)
 '
 
+test_expect_success GPGSM 'verify signatures with --raw x509' '
+	git verify-tag --raw nineth-signed-x509 2>actual &&
+	grep "GOODSIG" actual &&
+	! grep "BADSIG" actual &&
+	echo nineth-signed-x509 OK
+'
 test_expect_success GPG 'verify multiple tags' '
 	tags="fourth-signed sixth-signed seventh-signed" &&
 	for i in $tags
@@ -125,6 +145,19 @@ test_expect_success GPG 'verify multiple tags' '
 	test_cmp expect.stderr actual.stderr
 '
 
+test_expect_success GPGSM 'verify multiple tags x509' '
+	tags="seventh-signed nineth-signed-x509" &&
+	for i in $tags
+	do
+		git verify-tag -v --raw $i || return 1
+	done >expect.stdout 2>expect.stderr.1 &&
+	grep "^.GNUPG:." <expect.stderr.1 >expect.stderr &&
+	git verify-tag -v --raw $tags >actual.stdout 2>actual.stderr.1 &&
+	grep "^.GNUPG:." <actual.stderr.1 >actual.stderr &&
+	test_cmp expect.stdout actual.stdout &&
+	test_cmp expect.stderr actual.stderr
+'
+
 test_expect_success GPG 'verifying tag with --format' '
 	cat >expect <<-\EOF &&
 	tagname : fourth-signed
-- 
2.16.4

Re: [PATCH v3 1/7] gpg-interface: add new config to select how to sign a commit

[Junio C Hamano]

Henning Schild <henning.schild@siemens.com> writes:

> Add "gpg.format" where the user can specify which type of signature to
> use for commits. At the moment only "openpgp" is supported and the value is
> not even used. This commit prepares for a new types of signatures.
>
> Signed-off-by: Henning Schild <henning.schild@siemens.com>
> ---
>  Documentation/config.txt | 4 ++++
>  gpg-interface.c          | 7 +++++++
>  2 files changed, 11 insertions(+)
>
> diff --git a/Documentation/config.txt b/Documentation/config.txt
> index 1cc18a828..ac373e3f4 100644
> --- a/Documentation/config.txt
> +++ b/Documentation/config.txt
> @@ -1828,6 +1828,10 @@ gpg.program::
>  	signed, and the program is expected to send the result to its
>  	standard output.
>  
> +gpg.format::
> +	Specifies which key format to use when signing with `--gpg-sign`.
> +	Default is "openpgp", that is also the only supported value.
> +
>  gui.commitMsgWidth::
>  	Defines how wide the commit message window is in the
>  	linkgit:git-gui[1]. "75" is the default.
> diff --git a/gpg-interface.c b/gpg-interface.c
> index 09ddfbc26..960c40086 100644
> --- a/gpg-interface.c
> +++ b/gpg-interface.c
> @@ -7,6 +7,7 @@
>  #include "tempfile.h"
>  
>  static char *configured_signing_key;
> +static const char *gpg_format = "openpgp";
>  static const char *gpg_program = "gpg";
>  
>  #define PGP_SIGNATURE "-----BEGIN PGP SIGNATURE-----"
> @@ -138,6 +139,12 @@ int git_gpg_config(const char *var, const char *value, void *cb)
>  		return 0;
>  	}
>  
> +	if (!strcmp(var, "gpg.format")) {
> +		if (value && strcasecmp(value, "openpgp"))
> +			return error("malformed value for %s: %s", var, value);
> +		return git_config_string(&gpg_format, var, value);

I may be mistaken (sorry, I read so many topics X-<) but I think the
consensus was to accept only "openpgp" so that we can ensure that

	[gpg "openpgp"] program = foo

etc. can be parsed more naturally without having to manually special
case the subsection name to be case insensitive.  In other words,
strcasecmp() should just be strcmp().  Otherwise, people would get a
wrong expectation that

	[gpg] format = OpenPGP
	[gpg "openpgp"] program = foo

should refer to the same and single OpenPGP, but that would violate
the usual configuration syntax rules.

The structure of checking the error looks quite suboptimal even when
we initially support the single "openpgp" at this step.  I would
have expected you to be writing the above like so:

	if (!value)
		return config_error_nonbool(var);
	if (strcmp(value, "openpgp"))
		return error("unsupported value for %s: %s", var, value);
	return git_config_string(...);

That would make it more clear that the variable is "nonbool", which
does not change across additional support for new formats in later
steps.

> +	}
> +
>  	if (!strcmp(var, "gpg.program")) {
>  		if (!value)
>  			return config_error_nonbool(var);

Re: [PATCH v3 2/7] t/t7510: check the validation of the new config gpg.format

[Junio C Hamano]

Henning Schild <henning.schild@siemens.com> writes:

> Test setting gpg.format to both invalid and valid values.
>
> Signed-off-by: Henning Schild <henning.schild@siemens.com>
> ---
>  t/t7510-signed-commit.sh | 9 +++++++++
>  1 file changed, 9 insertions(+)
>
> diff --git a/t/t7510-signed-commit.sh b/t/t7510-signed-commit.sh
> index 6e2015ed9..1b6a1dd90 100755
> --- a/t/t7510-signed-commit.sh
> +++ b/t/t7510-signed-commit.sh
> @@ -227,4 +227,13 @@ test_expect_success GPG 'log.showsignature behaves like --show-signature' '
>  	grep "gpg: Good signature" actual
>  '
>  
> +test_expect_success GPG 'check config gpg.format values' '
> +	test_config gpg.format openpgp &&
> +	git commit -S --amend -m "success" &&
> +	test_config gpg.format OpEnPgP &&
> +	git commit -S --amend -m "success" &&
> +	test_config gpg.format malformed &&
> +	test_must_fail git commit -S --amend -m "fail"
> +'
> +
>  test_done

Since we'd be doing case-sensitive value for gpg.format, this would
have to change in a later iteration, I guess.

Re: [PATCH v3 3/7] gpg-interface: introduce an abstraction for multiple gpg formats

[Junio C Hamano]

Henning Schild <henning.schild@siemens.com> writes:

> Create a struct that holds the format details for the supported formats.
> At the moment that is still just "openpgp". This commit prepares for the
> introduction of more formats, that might use other programs and match
> other signatures.
>
> Signed-off-by: Henning Schild <henning.schild@siemens.com>
> ---
>  gpg-interface.c | 84 ++++++++++++++++++++++++++++++++++++++++++---------------
>  1 file changed, 63 insertions(+), 21 deletions(-)
>
> diff --git a/gpg-interface.c b/gpg-interface.c
> index 960c40086..699651fd9 100644
> --- a/gpg-interface.c
> +++ b/gpg-interface.c
> @@ -7,11 +7,46 @@
>  #include "tempfile.h"
>  
>  static char *configured_signing_key;
> -static const char *gpg_format = "openpgp";
> -static const char *gpg_program = "gpg";
> +struct gpg_format {
> +	const char *name;
> +	const char *program;
> +	const char **extra_args_verify;
> +	const char **sigs;
> +};
> +
> +static const char *openpgp_verify_args[] = { "--keyid-format=long", NULL };

Let's write it like this, even if the current line is short enough:

static const char *openpgp_verify_args[] = {
	"--keyid-format=long",
	NULL
};

Ditto for the next one.  Even if you do not expect these two arrays
to get longer, people tend to copy & paste to imitate existing code
when making new things, and we definitely would not want them to be
doing so on a code like the above (or below).  When they need to add
new elements to their arrays, having the terminating NULL on its own
line means they will have to see less patch noise.

> +static const char *openpgp_sigs[] = {
> +	"-----BEGIN PGP SIGNATURE-----",
> +	"-----BEGIN PGP MESSAGE-----", NULL };
> +
> +static struct gpg_format gpg_formats[] = {
> +	{ .name = "openpgp", .program = "gpg",
> +	  .extra_args_verify = openpgp_verify_args,

If the underlying aray is "verify_args" (not "extra"), perhaps the
field name should also be .verify_args to match.

Giving an array of things a name "things[]" is a disease, unless the
array is very often passed around as a whole to represent the
collection of everything.  When the array is mostly accessed one
element at a time, being able to say thing[3] to mean the third
thing is much more pleasant.

So, from that point of view, I pretty much agree with
openpgp_verify_args[] and openpgp_sigs[], but am against
gpg_formats[].  The last one should be gpg_format[], for which we
happen to have only one variant right now.

> +	  .sigs = openpgp_sigs
> +	},
> +};
> +static struct gpg_format *current_format = &gpg_formats[0];

Have a blank line before the above one.

What does "current_format" mean?  Is it different from "format to be
used"?  As we will overwrite the variable upon reading the config,
we cannot afford to call it default_format, but somehow "current"
feels misleading, at least to me.  I expected to find "old format"
elsewhere and there may be some format conversion or something from
the variable name.

    static struct gpg_format *use_format = &gpg_format[0];

perhaps?

> +
> +static struct gpg_format *get_format_by_name(const char *str)
> +{
> +	int i;
> +
> +	for (i = 0; i < ARRAY_SIZE(gpg_formats); i++)
> +		if (!strcasecmp(gpg_formats[i].name, str))

As [1/7], this would become strcmp(), I presume?

> +			return gpg_formats + i;
> +	return NULL;
> +}
>  
> -#define PGP_SIGNATURE "-----BEGIN PGP SIGNATURE-----"
> -#define PGP_MESSAGE "-----BEGIN PGP MESSAGE-----"
> +static struct gpg_format *get_format_by_sig(const char *sig)
> +{
> +	int i, j;
> +
> +	for (i = 0; i < ARRAY_SIZE(gpg_formats); i++)
> +		for (j = 0; gpg_formats[i].sigs[j]; j++)
> +			if (starts_with(sig, gpg_formats[i].sigs[j]))
> +				return gpg_formats + i;
> +	return NULL;
> +}

OK.

> @@ -140,18 +172,23 @@ int git_gpg_config(const char *var, const char *value, void *cb)
>  	}
>  
>  	if (!strcmp(var, "gpg.format")) {
> -		if (value && strcasecmp(value, "openpgp"))
> -			return error("malformed value for %s: %s", var, value);
> -		return git_config_string(&gpg_format, var, value);
> -	}
> -
> -	if (!strcmp(var, "gpg.program")) {
>  		if (!value)
>  			return config_error_nonbool(var);
> -		gpg_program = xstrdup(value);
> +		fmt = get_format_by_name(value);
> +		if (!fmt)
> +			return error("malformed value for %s: %s", var, value);

If I say "opongpg", that probably is not "malformed" (it is all
lowercase ascii alphabet that is very plausible-looking string), but
simply "bad value".

But other than the minor nit, yes, this structure is what I expected
to see from the very first step 1/7.

> +		current_format = fmt;
>  		return 0;
>  	}

>  
> +	if (!strcmp(var, "gpg.program"))
> +		fmtname = "openpgp";

OK, this is a backward compatibility measure to treat gpg.program as
if it were gpg.openpgp.program, which makes sense.

> +	if (fmtname) {
> +		fmt = get_format_by_name(fmtname);
> +		return git_config_string(&fmt->program, var, value);
> +	}
> +
>  	return 0;
>  }

Re: [PATCH v3 4/7] gpg-interface: do not hardcode the key string len anymore

[Junio C Hamano]

Henning Schild <henning.schild@siemens.com> writes:

> gnupg does print the keyid followed by a space and the signer comes
> next. The same pattern is also used in gpgsm, but there the key length
> would be 40 instead of 16. Instead of hardcoding the expected length,
> find the first space and calculate it.
> Input that does not match the expected format will be ignored now,
> before we jumped to found+17 which might have been behind the end of an
> unexpected string.
>
> Signed-off-by: Henning Schild <henning.schild@siemens.com>
> ---
>  gpg-interface.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)

Very nice.


> diff --git a/gpg-interface.c b/gpg-interface.c
> index 699651fd9..93bd0fb32 100644
> --- a/gpg-interface.c
> +++ b/gpg-interface.c
> @@ -89,10 +89,11 @@ static void parse_gpg_output(struct signature_check *sigc)
>  		sigc->result = sigcheck_gpg_status[i].result;
>  		/* The trust messages are not followed by key/signer information */
>  		if (sigc->result != 'U') {
> -			sigc->key = xmemdupz(found, 16);
> +			next = strchrnul(found, ' ');
> +			sigc->key = xmemdupz(found, next - found);
>  			/* The ERRSIG message is not followed by signer information */
> -			if (sigc-> result != 'E') {
> -				found += 17;
> +			if (*next && sigc-> result != 'E') {
> +				found = next + 1;
>  				next = strchrnul(found, '\n');
>  				sigc->signer = xmemdupz(found, next - found);
>  			}

Re: [PATCH v3 5/7] gpg-interface: introduce new config to select per gpg format program

[Junio C Hamano]

Henning Schild <henning.schild@siemens.com> writes:

> +gpg.<format>.program::
> +	Use this to customize the program used for the signing format you
> +	chose. (see gpg.program) gpg.openpgp.program is a synonym for the
> +	legacy gpg.program.

I _think_ you meant "see gpg.format", but I am not 100% sure.

When X is a synonym for Y, Y is also a synonym for X, so technically
speaking this does not matter, but when we talk about backward
compatibility fallback, I think we say "OLDway is retained as a
legacy synonym for NEWway", i.e. the other way around.

Also, `typeset in tt` what end-users would type literally, like
configuration variable names, i.e.

	Use this to customize the rpogram used for the signing
	format you chose (see `gpg.format`).  `gpg.program` can
	still be used as a legacy synonym for `gpg.openpgp.program`.

>  gui.commitMsgWidth::
>  	Defines how wide the commit message window is in the
>  	linkgit:git-gui[1]. "75" is the default.
> diff --git a/gpg-interface.c b/gpg-interface.c
> index 93bd0fb32..f3c22b551 100644
> --- a/gpg-interface.c
> +++ b/gpg-interface.c
> @@ -182,7 +182,7 @@ int git_gpg_config(const char *var, const char *value, void *cb)
>  		return 0;
>  	}
>  
> -	if (!strcmp(var, "gpg.program"))
> +	if (!strcmp(var, "gpg.program") || !strcmp(var, "gpg.openpgp.program"))
>  		fmtname = "openpgp";
>  
>  	if (fmtname) {

Re: [PATCH v3 1/7] gpg-interface: add new config to select how to sign a commit

[Jeff King]

On Mon, Jul 16, 2018 at 01:14:34PM -0700, Junio C Hamano wrote:

> >  #define PGP_SIGNATURE "-----BEGIN PGP SIGNATURE-----"
> > @@ -138,6 +139,12 @@ int git_gpg_config(const char *var, const char *value, void *cb)
> >  		return 0;
> >  	}
> >  
> > +	if (!strcmp(var, "gpg.format")) {
> > +		if (value && strcasecmp(value, "openpgp"))
> > +			return error("malformed value for %s: %s", var, value);
> > +		return git_config_string(&gpg_format, var, value);
> 
> I may be mistaken (sorry, I read so many topics X-<) but I think the
> consensus was to accept only "openpgp" so that we can ensure that
> 
> 	[gpg "openpgp"] program = foo
> 
> etc. can be parsed more naturally without having to manually special
> case the subsection name to be case insensitive.  In other words,
> strcasecmp() should just be strcmp().  Otherwise, people would get a
> wrong expectation that
> 
> 	[gpg] format = OpenPGP
> 	[gpg "openpgp"] program = foo
> 
> should refer to the same and single OpenPGP, but that would violate
> the usual configuration syntax rules.

I was the one who argued the other way. But unless we are going to move
to a two-level config for all of it (i.e., gpg.openPGPProgram), I think
what you suggest here is the sanest way forward.

> The structure of checking the error looks quite suboptimal even when
> we initially support the single "openpgp" at this step.  I would
> have expected you to be writing the above like so:
> 
> 	if (!value)
> 		return config_error_nonbool(var);
> 	if (strcmp(value, "openpgp"))
> 		return error("unsupported value for %s: %s", var, value);
> 	return git_config_string(...);
> 
> That would make it more clear that the variable is "nonbool", which
> does not change across additional support for new formats in later
> steps.

Agreed.

-Peff

Re: [PATCH v3 1/7] gpg-interface: add new config to select how to sign a commit

[brian m. carlson]

[-- Attachment #1: Type: text/plain, Size: 1457 bytes --]

On Fri, Jul 13, 2018 at 10:41:23AM +0200, Henning Schild wrote:
> Add "gpg.format" where the user can specify which type of signature to
> use for commits. At the moment only "openpgp" is supported and the value is
> not even used. This commit prepares for a new types of signatures.
> 
> Signed-off-by: Henning Schild <henning.schild@siemens.com>
> ---
>  Documentation/config.txt | 4 ++++
>  gpg-interface.c          | 7 +++++++
>  2 files changed, 11 insertions(+)
> 
> diff --git a/Documentation/config.txt b/Documentation/config.txt
> index 1cc18a828..ac373e3f4 100644
> --- a/Documentation/config.txt
> +++ b/Documentation/config.txt
> @@ -1828,6 +1828,10 @@ gpg.program::
>  	signed, and the program is expected to send the result to its
>  	standard output.
>  
> +gpg.format::
> +	Specifies which key format to use when signing with `--gpg-sign`.
> +	Default is "openpgp", that is also the only supported value.

I think, as discussed in the other thread, perhaps a different prefix
for these options is in order if we'd like to plan for the future.
Maybe this could be "signature.format", "sign.format", "signing.format",
or "signingtool.format" (I tend to prefer the former, but not too
strongly).

I anticipate that some projects will prefer other formats, and it makes
it easier if we don't have to maintain two sets of legacy names.
-- 
brian m. carlson: Houston, Texas, US
OpenPGP: https://keybase.io/bk2204

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 867 bytes --]

Re: [PATCH v3 1/7] gpg-interface: add new config to select how to sign a commit

[Jeff King]

On Tue, Jul 17, 2018 at 12:03:11AM +0000, brian m. carlson wrote:

> > +gpg.format::
> > +	Specifies which key format to use when signing with `--gpg-sign`.
> > +	Default is "openpgp", that is also the only supported value.
> 
> I think, as discussed in the other thread, perhaps a different prefix
> for these options is in order if we'd like to plan for the future.
> Maybe this could be "signature.format", "sign.format", "signing.format",
> or "signingtool.format" (I tend to prefer the former, but not too
> strongly).
> 
> I anticipate that some projects will prefer other formats, and it makes
> it easier if we don't have to maintain two sets of legacy names.

Heh. This is slowly morphing into the original signingtool series.

For the record (since I think my response is what you meant by the
"other thread"), I'm OK with going down this gpg.* road for now, and
dealing with other tools if and when they appear (via the extra level of
indirection).

-Peff

Re: [PATCH v3 5/7] gpg-interface: introduce new config to select per gpg format program

[Henning Schild]

Am Mon, 16 Jul 2018 13:45:40 -0700
schrieb Junio C Hamano <gitster@pobox.com>:

> Henning Schild <henning.schild@siemens.com> writes:
> 
> > +gpg.<format>.program::
> > +	Use this to customize the program used for the signing
> > format you
> > +	chose. (see gpg.program) gpg.openpgp.program is a synonym
> > for the
> > +	legacy gpg.program.  
> 
> I _think_ you meant "see gpg.format", but I am not 100% sure.

No i actually meant program, the next version just refers to both
config options for further reading.

> When X is a synonym for Y, Y is also a synonym for X, so technically
> speaking this does not matter, but when we talk about backward
> compatibility fallback, I think we say "OLDway is retained as a
> legacy synonym for NEWway", i.e. the other way around.
> 
> Also, `typeset in tt` what end-users would type literally, like
> configuration variable names, i.e.
> 
> 	Use this to customize the rpogram used for the signing
> 	format you chose (see `gpg.format`).  `gpg.program` can
> 	still be used as a legacy synonym for `gpg.openpgp.program`.

Used that second sentence.

Henning

> >  gui.commitMsgWidth::
> >  	Defines how wide the commit message window is in the
> >  	linkgit:git-gui[1]. "75" is the default.
> > diff --git a/gpg-interface.c b/gpg-interface.c
> > index 93bd0fb32..f3c22b551 100644
> > --- a/gpg-interface.c
> > +++ b/gpg-interface.c
> > @@ -182,7 +182,7 @@ int git_gpg_config(const char *var, const char
> > *value, void *cb) return 0;
> >  	}
> >  
> > -	if (!strcmp(var, "gpg.program"))
> > +	if (!strcmp(var, "gpg.program") || !strcmp(var,
> > "gpg.openpgp.program")) fmtname = "openpgp";
> >  
> >  	if (fmtname) {  

Re: [PATCH v3 3/7] gpg-interface: introduce an abstraction for multiple gpg formats

[Henning Schild]

Am Mon, 16 Jul 2018 13:40:32 -0700
schrieb Junio C Hamano <gitster@pobox.com>:

> Henning Schild <henning.schild@siemens.com> writes:
> 
> > Create a struct that holds the format details for the supported
> > formats. At the moment that is still just "openpgp". This commit
> > prepares for the introduction of more formats, that might use other
> > programs and match other signatures.
> >
> > Signed-off-by: Henning Schild <henning.schild@siemens.com>
> > ---
> >  gpg-interface.c | 84
> > ++++++++++++++++++++++++++++++++++++++++++--------------- 1 file
> > changed, 63 insertions(+), 21 deletions(-)
> >
> > diff --git a/gpg-interface.c b/gpg-interface.c
> > index 960c40086..699651fd9 100644
> > --- a/gpg-interface.c
> > +++ b/gpg-interface.c
> > @@ -7,11 +7,46 @@
> >  #include "tempfile.h"
> >  
> >  static char *configured_signing_key;
> > -static const char *gpg_format = "openpgp";
> > -static const char *gpg_program = "gpg";
> > +struct gpg_format {
> > +	const char *name;
> > +	const char *program;
> > +	const char **extra_args_verify;
> > +	const char **sigs;
> > +};
> > +
> > +static const char *openpgp_verify_args[] =
> > { "--keyid-format=long", NULL };  
> 
> Let's write it like this, even if the current line is short enough:
> 
> static const char *openpgp_verify_args[] = {
> 	"--keyid-format=long",
> 	NULL
> };
> 
> Ditto for the next one.  Even if you do not expect these two arrays
> to get longer, people tend to copy & paste to imitate existing code
> when making new things, and we definitely would not want them to be
> doing so on a code like the above (or below).  When they need to add
> new elements to their arrays, having the terminating NULL on its own
> line means they will have to see less patch noise.

Ok, for consistency a later patch will introduce { NULL }; on three
lines.

> > +static const char *openpgp_sigs[] = {
> > +	"-----BEGIN PGP SIGNATURE-----",
> > +	"-----BEGIN PGP MESSAGE-----", NULL };
> > +
> > +static struct gpg_format gpg_formats[] = {
> > +	{ .name = "openpgp", .program = "gpg",
> > +	  .extra_args_verify = openpgp_verify_args,  
> 
> If the underlying aray is "verify_args" (not "extra"), perhaps the
> field name should also be .verify_args to match.

Renamed extra_args_verify to verify_args.

> Giving an array of things a name "things[]" is a disease, unless the
> array is very often passed around as a whole to represent the
> collection of everything.  When the array is mostly accessed one
> element at a time, being able to say thing[3] to mean the third
> thing is much more pleasant.
> 
> So, from that point of view, I pretty much agree with
> openpgp_verify_args[] and openpgp_sigs[], but am against
> gpg_formats[].  The last one should be gpg_format[], for which we
> happen to have only one variant right now.

renamed gpg_formats[] to gpg_format[].

> > +	  .sigs = openpgp_sigs
> > +	},
> > +};
> > +static struct gpg_format *current_format = &gpg_formats[0];  
> 
> Have a blank line before the above one.
> 
> What does "current_format" mean?  Is it different from "format to be
> used"?  As we will overwrite the variable upon reading the config,
> we cannot afford to call it default_format, but somehow "current"
> feels misleading, at least to me.  I expected to find "old format"
> elsewhere and there may be some format conversion or something from
> the variable name.
> 
>     static struct gpg_format *use_format = &gpg_format[0];
> 
> perhaps?

renamed current_format to use_format.

> > +
> > +static struct gpg_format *get_format_by_name(const char *str)
> > +{
> > +	int i;
> > +
> > +	for (i = 0; i < ARRAY_SIZE(gpg_formats); i++)
> > +		if (!strcasecmp(gpg_formats[i].name, str))  
> 
> As [1/7], this would become strcmp(), I presume?
> 
> > +			return gpg_formats + i;
> > +	return NULL;
> > +}
> >  
> > -#define PGP_SIGNATURE "-----BEGIN PGP SIGNATURE-----"
> > -#define PGP_MESSAGE "-----BEGIN PGP MESSAGE-----"
> > +static struct gpg_format *get_format_by_sig(const char *sig)
> > +{
> > +	int i, j;
> > +
> > +	for (i = 0; i < ARRAY_SIZE(gpg_formats); i++)
> > +		for (j = 0; gpg_formats[i].sigs[j]; j++)
> > +			if (starts_with(sig,
> > gpg_formats[i].sigs[j]))
> > +				return gpg_formats + i;
> > +	return NULL;
> > +}  
> 
> OK.
> 
> > @@ -140,18 +172,23 @@ int git_gpg_config(const char *var, const
> > char *value, void *cb) }
> >  
> >  	if (!strcmp(var, "gpg.format")) {
> > -		if (value && strcasecmp(value, "openpgp"))
> > -			return error("malformed value for %s: %s",
> > var, value);
> > -		return git_config_string(&gpg_format, var, value);
> > -	}
> > -
> > -	if (!strcmp(var, "gpg.program")) {
> >  		if (!value)
> >  			return config_error_nonbool(var);
> > -		gpg_program = xstrdup(value);
> > +		fmt = get_format_by_name(value);
> > +		if (!fmt)
> > +			return error("malformed value for %s: %s",
> > var, value);  
> 
> If I say "opongpg", that probably is not "malformed" (it is all
> lowercase ascii alphabet that is very plausible-looking string), but
> simply "bad value".

Switched to "unsupported value", as suggested in another reply. 

Henning

> But other than the minor nit, yes, this structure is what I expected
> to see from the very first step 1/7.
> 
> > +		current_format = fmt;
> >  		return 0;
> >  	}  
> 
> >  
> > +	if (!strcmp(var, "gpg.program"))
> > +		fmtname = "openpgp";  
> 
> OK, this is a backward compatibility measure to treat gpg.program as
> if it were gpg.openpgp.program, which makes sense.
> 
> > +	if (fmtname) {
> > +		fmt = get_format_by_name(fmtname);
> > +		return git_config_string(&fmt->program, var,
> > value);
> > +	}
> > +
> >  	return 0;
> >  }  

Re: [PATCH v3 1/7] gpg-interface: add new config to select how to sign a commit

[Henning Schild]

Am Mon, 16 Jul 2018 13:14:34 -0700
schrieb Junio C Hamano <gitster@pobox.com>:

> Henning Schild <henning.schild@siemens.com> writes:
> 
> > Add "gpg.format" where the user can specify which type of signature
> > to use for commits. At the moment only "openpgp" is supported and
> > the value is not even used. This commit prepares for a new types of
> > signatures.
> >
> > Signed-off-by: Henning Schild <henning.schild@siemens.com>
> > ---
> >  Documentation/config.txt | 4 ++++
> >  gpg-interface.c          | 7 +++++++
> >  2 files changed, 11 insertions(+)
> >
> > diff --git a/Documentation/config.txt b/Documentation/config.txt
> > index 1cc18a828..ac373e3f4 100644
> > --- a/Documentation/config.txt
> > +++ b/Documentation/config.txt
> > @@ -1828,6 +1828,10 @@ gpg.program::
> >  	signed, and the program is expected to send the result to
> > its standard output.
> >  
> > +gpg.format::
> > +	Specifies which key format to use when signing with
> > `--gpg-sign`.
> > +	Default is "openpgp", that is also the only supported
> > value. +
> >  gui.commitMsgWidth::
> >  	Defines how wide the commit message window is in the
> >  	linkgit:git-gui[1]. "75" is the default.
> > diff --git a/gpg-interface.c b/gpg-interface.c
> > index 09ddfbc26..960c40086 100644
> > --- a/gpg-interface.c
> > +++ b/gpg-interface.c
> > @@ -7,6 +7,7 @@
> >  #include "tempfile.h"
> >  
> >  static char *configured_signing_key;
> > +static const char *gpg_format = "openpgp";
> >  static const char *gpg_program = "gpg";
> >  
> >  #define PGP_SIGNATURE "-----BEGIN PGP SIGNATURE-----"
> > @@ -138,6 +139,12 @@ int git_gpg_config(const char *var, const char
> > *value, void *cb) return 0;
> >  	}
> >  
> > +	if (!strcmp(var, "gpg.format")) {
> > +		if (value && strcasecmp(value, "openpgp"))
> > +			return error("malformed value for %s: %s",
> > var, value);
> > +		return git_config_string(&gpg_format, var,
> > value);  
> 
> I may be mistaken (sorry, I read so many topics X-<) but I think the
> consensus was to accept only "openpgp" so that we can ensure that
> 
> 	[gpg "openpgp"] program = foo
> 
> etc. can be parsed more naturally without having to manually special
> case the subsection name to be case insensitive.  In other words,
> strcasecmp() should just be strcmp().  Otherwise, people would get a
> wrong expectation that
> 
> 	[gpg] format = OpenPGP
> 	[gpg "openpgp"] program = foo
> 
> should refer to the same and single OpenPGP, but that would violate
> the usual configuration syntax rules.

Ok, also having read the other mails i think we are still at
gpg.format and gpg.<format>.program, so i switched the two patches from
strcasecmp back to strcmp.

> The structure of checking the error looks quite suboptimal even when
> we initially support the single "openpgp" at this step.  I would
> have expected you to be writing the above like so:
> 
> 	if (!value)
> 		return config_error_nonbool(var);
> 	if (strcmp(value, "openpgp"))
> 		return error("unsupported value for %s: %s", var,
> value); return git_config_string(...);
> 
> That would make it more clear that the variable is "nonbool", which
> does not change across additional support for new formats in later
> steps.

Right, at one point (not mailed) i had that but expected it would not
pass the review, since git_config_string contains that check as well.
Changed.

Henning
 
> > +	}
> > +
> >  	if (!strcmp(var, "gpg.program")) {
> >  		if (!value)
> >  			return config_error_nonbool(var);