diff options
| author | Sebastian Götte <jaseg@physik.tu-berlin.de> | 2013-03-31 18:02:46 +0200 |
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2013-03-31 22:38:49 -0700 |
| commit | eb307ae7bb78ccde4e2ac69f302ccf8834883628 (patch) | |
| tree | 40bed8e400a5208b7c81ff94752133818014da6b | |
| parent | efed0022492b81bf59d29193c4ffe96492dd9e9b (diff) | |
| download | git-eb307ae7bb78ccde4e2ac69f302ccf8834883628.tar.gz git-eb307ae7bb78ccde4e2ac69f302ccf8834883628.tar.xz | |
merge/pull Check for untrusted good GPG signatures
When --verify-signatures is specified, abort the merge in case a good
GPG signature from an untrusted key is encountered.
Signed-off-by: Sebastian Götte <jaseg@physik-pool.tu-berlin.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
| -rw-r--r-- | Documentation/merge-options.txt | 4 | ||||
| -rw-r--r-- | builtin/merge.c | 3 | ||||
| -rw-r--r-- | commit.c | 14 | ||||
| -rw-r--r-- | commit.h | 10 | ||||
| -rw-r--r-- | gpg-interface.h | 1 | ||||
| -rw-r--r-- | t/lib-gpg/pubring.gpg | bin | 1164 -> 2359 bytes | |||
| -rw-r--r-- | t/lib-gpg/random_seed | bin | 600 -> 600 bytes | |||
| -rw-r--r-- | t/lib-gpg/secring.gpg | bin | 1237 -> 3734 bytes | |||
| -rw-r--r-- | t/lib-gpg/trustdb.gpg | bin | 1280 -> 1360 bytes | |||
| -rwxr-xr-x | t/t7612-merge-verify-signatures.sh | 9 |
10 files changed, 29 insertions, 12 deletions
diff --git a/Documentation/merge-options.txt b/Documentation/merge-options.txt index 31f106752..a0f022b41 100644 --- a/Documentation/merge-options.txt +++ b/Documentation/merge-options.txt @@ -85,8 +85,8 @@ option can be used to override --squash. --verify-signatures:: --no-verify-signatures:: - Verify that the commits being merged have good GPG signatures and abort the - merge in case they do not. + Verify that the commits being merged have good and trusted GPG signatures + and abort the merge in case they do not. --summary:: --no-summary:: diff --git a/builtin/merge.c b/builtin/merge.c index e57c42c62..bac11d160 100644 --- a/builtin/merge.c +++ b/builtin/merge.c @@ -1248,6 +1248,9 @@ int cmd_merge(int argc, const char **argv, const char *prefix) switch (signature_check.result) { case 'G': break; + case 'U': + die(_("Commit %s has an untrusted GPG signature, " + "allegedly by %s."), hex, signature_check.signer); case 'B': die(_("Commit %s has a bad GPG signature " "allegedly by %s."), hex, signature_check.signer); @@ -1047,6 +1047,8 @@ static struct { } sigcheck_gpg_status[] = { { 'G', "\n[GNUPG:] GOODSIG " }, { 'B', "\n[GNUPG:] BADSIG " }, + { 'U', "\n[GNUPG:] TRUST_NEVER" }, + { 'U', "\n[GNUPG:] TRUST_UNDEFINED" }, }; static void parse_gpg_output(struct signature_check *sigc) @@ -1068,11 +1070,13 @@ static void parse_gpg_output(struct signature_check *sigc) found += strlen(sigcheck_gpg_status[i].check); } sigc->result = sigcheck_gpg_status[i].result; - sigc->key = xmemdupz(found, 16); - found += 17; - next = strchrnul(found, '\n'); - sigc->signer = xmemdupz(found, next - found); - break; + /* The trust messages are not followed by key/signer information */ + if (sigc->result != 'U') { + sigc->key = xmemdupz(found, 16); + found += 17; + next = strchrnul(found, '\n'); + sigc->signer = xmemdupz(found, next - found); + } } } @@ -234,11 +234,11 @@ extern void print_commit_list(struct commit_list *list, const char *format_last); /* - * Check the signature of the given commit. The result of the check is stored in - * sig->result, 'G' for a good signature, 'B' for a bad signature and 'N' - * for no signature at all. - * This may allocate memory for sig->gpg_output, sig->gpg_status, sig->signer - * and sig->key. + * Check the signature of the given commit. The result of the check is stored + * in sig->check_result, 'G' for a good signature, 'U' for a good signature + * from an untrusted signer, 'B' for a bad signature and 'N' for no signature + * at all. This may allocate memory for sig->gpg_output, sig->gpg_status, + * sig->signer and sig->key. */ extern void check_commit_signature(const struct commit* commit, struct signature_check *sigc); diff --git a/gpg-interface.h b/gpg-interface.h index 5884aa405..a85cb5bc9 100644 --- a/gpg-interface.h +++ b/gpg-interface.h @@ -6,6 +6,7 @@ struct signature_check { char *gpg_status; char result; /* 0 (not checked), * N (checked but no further result), + * U (untrusted good), * G (good) * B (bad) */ char *signer; diff --git a/t/lib-gpg/pubring.gpg b/t/lib-gpg/pubring.gpg Binary files differindex 83855fa4e..1a3c2d487 100644 --- a/t/lib-gpg/pubring.gpg +++ b/t/lib-gpg/pubring.gpg diff --git a/t/lib-gpg/random_seed b/t/lib-gpg/random_seed Binary files differindex 8fed1339e..95d249f15 100644 --- a/t/lib-gpg/random_seed +++ b/t/lib-gpg/random_seed diff --git a/t/lib-gpg/secring.gpg b/t/lib-gpg/secring.gpg Binary files differindex d831cd9eb..82dca8f80 100644 --- a/t/lib-gpg/secring.gpg +++ b/t/lib-gpg/secring.gpg diff --git a/t/lib-gpg/trustdb.gpg b/t/lib-gpg/trustdb.gpg Binary files differindex abace962b..4879ae9a8 100644 --- a/t/lib-gpg/trustdb.gpg +++ b/t/lib-gpg/trustdb.gpg diff --git a/t/t7612-merge-verify-signatures.sh b/t/t7612-merge-verify-signatures.sh index 6ccfbf367..21a0bf8fb 100755 --- a/t/t7612-merge-verify-signatures.sh +++ b/t/t7612-merge-verify-signatures.sh @@ -27,6 +27,10 @@ test_expect_success GPG 'create signed commits' ' git hash-object -w -t commit forged >forged.commit && git checkout initial && + git checkout -b side-untrusted && + echo 3 >baz && git add baz && + test_tick && git commit -SB7227189 -m "untrusted on side" + git checkout master ' @@ -40,6 +44,11 @@ test_expect_success GPG 'merge commit with bad signature with verification' ' test_i18ngrep "has a bad GPG signature" mergeerror ' +test_expect_success GPG 'merge commit with untrusted signature with verification' ' + test_must_fail git merge --ff-only --verify-signatures side-untrusted 2>mergeerror && + test_i18ngrep "has an untrusted GPG signature" mergeerror +' + test_expect_success GPG 'merge signed commit with verification' ' git merge --verbose --ff-only --verify-signatures side-signed >mergeoutput && test_i18ngrep "has a good GPG signature" mergeoutput |