From ca779e82c9f263dfdea2a73a4f5494b37bc8aae7 Mon Sep 17 00:00:00 2001 From: Hans Jerry Illikainen Date: Sun, 10 Dec 2017 06:53:57 +0000 Subject: [PATCH 1/3] merge: add config option for verifySignatures git merge --verify-signatures can be used to verify that the tip commit of the branch being merged in is properly signed, but it's cumbersome to have to specify that every time. Add a configuration option that enables this behaviour by default, which can be overridden by --no-verify-signatures. Signed-off-by: Hans Jerry Illikainen Signed-off-by: Junio C Hamano --- Documentation/merge-config.txt | 4 +++ builtin/merge.c | 2 ++ t/t7612-merge-verify-signatures.sh | 39 ++++++++++++++++++++++++++++++ 3 files changed, 45 insertions(+) diff --git a/Documentation/merge-config.txt b/Documentation/merge-config.txt index df3ea3779b..12b6bbf591 100644 --- a/Documentation/merge-config.txt +++ b/Documentation/merge-config.txt @@ -26,6 +26,10 @@ merge.ff:: allowed (equivalent to giving the `--ff-only` option from the command line). +merge.verifySignatures:: + If true, this is equivalent to the --verify-signatures command + line option. See linkgit:git-merge[1] for details. + include::fmt-merge-msg-config.txt[] merge.renameLimit:: diff --git a/builtin/merge.c b/builtin/merge.c index 612dd7bfb6..30264cfd7c 100644 --- a/builtin/merge.c +++ b/builtin/merge.c @@ -567,6 +567,8 @@ static int git_merge_config(const char *k, const char *v, void *cb) if (!strcmp(k, "merge.diffstat") || !strcmp(k, "merge.stat")) show_diffstat = git_config_bool(k, v); + else if (!strcmp(k, "merge.verifysignatures")) + verify_signatures = git_config_bool(k, v); else if (!strcmp(k, "pull.twohead")) return git_config_string(&pull_twohead, k, v); else if (!strcmp(k, "pull.octopus")) diff --git a/t/t7612-merge-verify-signatures.sh b/t/t7612-merge-verify-signatures.sh index 8ae69a61c3..2344995a11 100755 --- a/t/t7612-merge-verify-signatures.sh +++ b/t/t7612-merge-verify-signatures.sh 
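Review bot: The new `merge.verifysignatures` branch in git_merge_config carries no comment on what the setting does and does not guarantee, which matters now that verification becomes a standing policy rather than a per-command flag. Going by the commit message, only the tip commit of the branch being merged is checked, and the value is only a default that `--no-verify-signatures` overrides. A one-line comment such as `/* default for --verify-signatures: checks only the tip commit being merged; --no-verify-signatures overrides it */` would keep readers from treating it as a whole-history guarantee. The same caveat would be worth one sentence in the merge.verifySignatures entry added to merge-config.txt. git_merge_config starts and ends outside the hunk.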
@@ -39,23 +39,62 @@ test_expect_success GPG 'merge unsigned commit with verification' ' test_i18ngrep "does not have a GPG signature" mergeerror ' +test_expect_success GPG 'merge unsigned commit with merge.verifySignatures=true' ' + test_config merge.verifySignatures true && + test_must_fail git merge --ff-only side-unsigned 2>mergeerror && + test_i18ngrep "does not have a GPG signature" mergeerror +' + test_expect_success GPG 'merge commit with bad signature with verification' ' test_must_fail git merge --ff-only --verify-signatures $(cat forged.commit) 2>mergeerror && test_i18ngrep "has a bad GPG signature" mergeerror ' +test_expect_success GPG 'merge commit with bad signature with merge.verifySignatures=true' ' + test_config merge.verifySignatures true && + test_must_fail git merge --ff-only $(cat forged.commit) 2>mergeerror && + test_i18ngrep "has a bad GPG signature" mergeerror +' + test_expect_success GPG 'merge commit with untrusted signature with verification' ' test_must_fail git merge --ff-only --verify-signatures side-untrusted 2>mergeerror && test_i18ngrep "has an untrusted GPG signature" mergeerror ' +test_expect_success GPG 'merge commit with untrusted signature with merge.verifySignatures=true' ' + test_config merge.verifySignatures true && + test_must_fail git merge --ff-only side-untrusted 2>mergeerror && + test_i18ngrep "has an untrusted GPG signature" mergeerror +' + test_expect_success GPG 'merge signed commit with verification' ' + test_when_finished "git checkout initial" && git merge --verbose --ff-only --verify-signatures side-signed >mergeoutput && test_i18ngrep "has a good GPG signature" mergeoutput ' +test_expect_success GPG 'merge signed commit with merge.verifySignatures=true' ' + test_when_finished "git checkout initial" && + test_config merge.verifySignatures true && + git merge --verbose --ff-only side-signed >mergeoutput && + test_i18ngrep "has a good GPG signature" mergeoutput +' + test_expect_success GPG 'merge commit with bad 
signature without verification' ' + test_when_finished "git checkout initial" && git merge $(cat forged.commit) ' +test_expect_success GPG 'merge commit with bad signature with merge.verifySignatures=false' ' + test_when_finished "git checkout initial" && + test_config merge.verifySignatures false && + git merge $(cat forged.commit) +' + +test_expect_success GPG 'merge commit with bad signature with merge.verifySignatures=true and --no-verify-signatures' ' + test_when_finished "git checkout initial" && + test_config merge.verifySignatures true && + git merge --no-verify-signatures $(cat forged.commit) +' + test_done From 7f8ca20a44094dda6e6c74013a36c078cbffc548 Mon Sep 17 00:00:00 2001 From: Hans Jerry Illikainen Date: Sun, 10 Dec 2017 06:53:58 +0000 Subject: [PATCH 2/3] t: add tests for pull --verify-signatures Add tests for pull --verify-signatures with untrusted, bad and no signatures. Previously the only test for --verify-signatures was to make sure that pull --rebase --verify-signatures result in a warning (t5520-pull.sh). Signed-off-by: Hans Jerry Illikainen Signed-off-by: Junio C Hamano --- t/t5573-pull-verify-signatures.sh | 78 +++++++++++++++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100755 t/t5573-pull-verify-signatures.sh diff --git a/t/t5573-pull-verify-signatures.sh b/t/t5573-pull-verify-signatures.sh new file mode 100755 index 0000000000..8ae331f40e --- /dev/null +++ b/t/t5573-pull-verify-signatures.sh 
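Review bot: The added tests in t7612 pin that `--no-verify-signatures` overrides `merge.verifySignatures=true`, but nothing pins the opposite precedence: an explicit `--verify-signatures` must still reject a bad signature when the config says false. Without that case, a regression that lets a configured `merge.verifySignatures=false` silently win over the command line would pass this suite. A test along the lines below, placed before `test_done`, would close the gap.

```shell
# … unchanged: existing merge.verifySignatures tests …
test_expect_success GPG 'merge commit with bad signature with merge.verifySignatures=false and --verify-signatures' '
	test_config merge.verifySignatures false &&
	test_must_fail git merge --ff-only --verify-signatures $(cat forged.commit) 2>mergeerror &&
	test_i18ngrep "has a bad GPG signature" mergeerror
'
```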
@@ -0,0 +1,78 @@
+#!/bin/sh
+
+test_description='pull signature verification tests'
+. ./test-lib.sh
+. "$TEST_DIRECTORY/lib-gpg.sh"
+
+test_expect_success GPG 'create repositories with signed commits' '
+ echo 1 >a && git add a &&
+ test_tick && git commit -m initial &&
+ git tag initial &&
+
+ git clone . signed &&
+ (
+ cd signed &&
+ echo 2 >b && git add b &&
+ test_tick && git commit -S -m "signed"
+ ) &&
+
+ git clone . unsigned &&
+ (
+ cd unsigned &&
+ echo 3 >c && git add c &&
+ test_tick && git commit -m "unsigned"
+ ) &&
+
+ git clone . bad &&
+ (
+ cd bad &&
+ echo 4 >d && git add d &&
+ test_tick && git commit -S -m "bad" &&
+ git cat-file commit HEAD >raw &&
+ sed -e "s/bad/forged bad/" raw >forged &&
+ git hash-object -w -t commit forged >forged.commit &&
+ git checkout $(cat forged.commit)
+ ) &&
+
+ git clone . untrusted &&
+ (
+ cd untrusted &&
+ echo 5 >e && git add e &&
+ test_tick && git commit -SB7227189 -m "untrusted"
+ )
+'
+
+test_expect_success GPG 'pull unsigned commit with --verify-signatures' '
+ test_must_fail git pull --ff-only --verify-signatures unsigned 2>pullerror &&
+ test_i18ngrep "does not have a GPG signature" pullerror
+'
+
+test_expect_success GPG 'pull commit with bad signature with --verify-signatures' '
+ test_must_fail git pull --ff-only --verify-signatures bad 2>pullerror &&
+ test_i18ngrep "has a bad GPG signature" pullerror
+'
+
+test_expect_success GPG 'pull commit with untrusted signature with --verify-signatures' '
+ test_must_fail git pull --ff-only --verify-signatures untrusted 2>pullerror &&
+ test_i18ngrep "has an untrusted GPG signature" pullerror
+'
+
+test_expect_success GPG 'pull signed commit with --verify-signatures' '
+ test_when_finished "git checkout initial" &&
+ git pull --verify-signatures signed >pulloutput &&
+ test_i18ngrep "has a good GPG signature" pulloutput
+'
+
+test_expect_success GPG 'pull commit with bad signature without verification' '
+ test_when_finished "git checkout initial" &&
+ git pull --ff-only bad 2>pullerror
+'
+
+test_expect_success GPG 'pull commit with bad signature with --no-verify-signatures' '
+ test_when_finished "git checkout initial" &&
+ test_config merge.verifySignatures true &&
+ test_config pull.verifySignatures true &&
+ git pull --ff-only --no-verify-signatures bad 2>pullerror
+'
+
+test_done
From fb2afea366044fc2b4fff9929a06a1ca36f506df Mon Sep 17 00:00:00 2001
From: Junio C Hamano
Date: Fri, 15 Dec 2017 11:42:36 -0800
Subject: [PATCH 3/3] t5573, t7612: clean up after unexpected success of 'pull' and 'merge' The previous steps added test_when_finished to tests that run 'git pull' or 'git merge' with expectation of success, so that the test after them can start from a known state even when their 'git pull' invocation unexpectedly fails. However, tests that run 'git pull' or 'git merge' expecting it not to succeed forgot to protect later tests the same way---if they unexpectedly succeed, the test after them would start from an unexpected state. Reset and checkout the initial commit after all these tests, whether they expect their invocations to succeed or fail.
Signed-off-by: Junio C Hamano
---
t/t5573-pull-verify-signatures.sh | 9 ++++++---
t/t7612-merge-verify-signatures.sh | 16 +++++++++++-----
2 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/t/t5573-pull-verify-signatures.sh b/t/t5573-pull-verify-signatures.sh
index 8ae331f40e..9594e891f4 100755
--- a/t/t5573-pull-verify-signatures.sh
+++ b/t/t5573-pull-verify-signatures.sh
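Review bot: In the last test of the new t5573 file, 'pull commit with bad signature with --no-verify-signatures', the line `test_config pull.verifySignatures true &&` sets a key that no visible hunk in this series reads; patch 1 only teaches builtin/merge.c about `merge.verifysignatures`. As written the line tests nothing and suggests a pull-specific setting exists, so it should be dropped unless such a key is handled elsewhere. The file also covers only the override direction for configuration. If pull is meant to honour `merge.verifySignatures`, a case that sets `test_config merge.verifySignatures true` and expects `test_must_fail git pull --ff-only bad 2>pullerror` with the "has a bad GPG signature" message would pin the enforcing path.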
@@ -43,33 +43,36 @@ test_expect_success GPG 'create repositories with signed commits' ' ' test_expect_success GPG 'pull unsigned commit with --verify-signatures' ' + test_when_finished "git reset --hard && git checkout initial" && test_must_fail git pull --ff-only --verify-signatures unsigned 2>pullerror && test_i18ngrep "does not have a GPG signature" pullerror ' test_expect_success GPG 'pull commit with bad signature with --verify-signatures' ' + test_when_finished "git reset --hard && git checkout initial" && test_must_fail git pull --ff-only --verify-signatures bad 2>pullerror && test_i18ngrep "has a bad GPG signature" pullerror ' test_expect_success GPG 'pull commit with untrusted signature with --verify-signatures' ' + test_when_finished "git reset --hard && git checkout initial" && test_must_fail git pull --ff-only --verify-signatures untrusted 2>pullerror && test_i18ngrep "has an untrusted GPG signature" pullerror ' test_expect_success GPG 'pull signed commit with --verify-signatures' ' - test_when_finished "git checkout initial" && + test_when_finished "git reset --hard && git checkout initial" && git pull --verify-signatures signed >pulloutput && test_i18ngrep "has a good GPG signature" pulloutput ' test_expect_success GPG 'pull commit with bad signature without verification' ' - test_when_finished "git checkout initial" && + test_when_finished "git reset --hard && git checkout initial" && git pull --ff-only bad 2>pullerror ' test_expect_success GPG 'pull commit with bad signature with --no-verify-signatures' ' - test_when_finished "git checkout initial" && + test_when_finished "git reset --hard && git checkout initial" && test_config merge.verifySignatures true && test_config pull.verifySignatures true && git pull --ff-only --no-verify-signatures bad 2>pullerror diff --git a/t/t7612-merge-verify-signatures.sh b/t/t7612-merge-verify-signatures.sh index 2344995a11..e797c74112 100755 --- a/t/t7612-merge-verify-signatures.sh 
+++ b/t/t7612-merge-verify-signatures.sh 
@@ -35,64 +35,70 @@ test_expect_success GPG 'create signed commits' ' ' test_expect_success GPG 'merge unsigned commit with verification' ' + test_when_finished "git reset --hard && git checkout initial" && test_must_fail git merge --ff-only --verify-signatures side-unsigned 2>mergeerror && test_i18ngrep "does not have a GPG signature" mergeerror ' test_expect_success GPG 'merge unsigned commit with merge.verifySignatures=true' ' + test_when_finished "git reset --hard && git checkout initial" && test_config merge.verifySignatures true && test_must_fail git merge --ff-only side-unsigned 2>mergeerror && test_i18ngrep "does not have a GPG signature" mergeerror ' test_expect_success GPG 'merge commit with bad signature with verification' ' + test_when_finished "git reset --hard && git checkout initial" && test_must_fail git merge --ff-only --verify-signatures $(cat forged.commit) 2>mergeerror && test_i18ngrep "has a bad GPG signature" mergeerror ' test_expect_success GPG 'merge commit with bad signature with merge.verifySignatures=true' ' + test_when_finished "git reset --hard && git checkout initial" && test_config merge.verifySignatures true && test_must_fail git merge --ff-only $(cat forged.commit) 2>mergeerror && test_i18ngrep "has a bad GPG signature" mergeerror ' test_expect_success GPG 'merge commit with untrusted signature with verification' ' + test_when_finished "git reset --hard && git checkout initial" && test_must_fail git merge --ff-only --verify-signatures side-untrusted 2>mergeerror && test_i18ngrep "has an untrusted GPG signature" mergeerror ' test_expect_success GPG 'merge commit with untrusted signature with merge.verifySignatures=true' ' + test_when_finished "git reset --hard && git checkout initial" && test_config merge.verifySignatures true && test_must_fail git merge --ff-only side-untrusted 2>mergeerror && test_i18ngrep "has an untrusted GPG signature" mergeerror ' test_expect_success GPG 'merge signed commit with verification' ' - 
test_when_finished "git checkout initial" && + test_when_finished "git reset --hard && git checkout initial" && git merge --verbose --ff-only --verify-signatures side-signed >mergeoutput && test_i18ngrep "has a good GPG signature" mergeoutput ' test_expect_success GPG 'merge signed commit with merge.verifySignatures=true' ' - test_when_finished "git checkout initial" && + test_when_finished "git reset --hard && git checkout initial" && test_config merge.verifySignatures true && git merge --verbose --ff-only side-signed >mergeoutput && test_i18ngrep "has a good GPG signature" mergeoutput ' test_expect_success GPG 'merge commit with bad signature without verification' ' - test_when_finished "git checkout initial" && + test_when_finished "git reset --hard && git checkout initial" && git merge $(cat forged.commit) ' test_expect_success GPG 'merge commit with bad signature with merge.verifySignatures=false' ' - test_when_finished "git checkout initial" && + test_when_finished "git reset --hard && git checkout initial" && test_config merge.verifySignatures false && git merge $(cat forged.commit) ' test_expect_success GPG 'merge commit with bad signature with merge.verifySignatures=true and --no-verify-signatures' ' - test_when_finished "git checkout initial" && + test_when_finished "git reset --hard && git checkout initial" && test_config merge.verifySignatures true && git merge --no-verify-signatures $(cat forged.commit) '