gpg: centralize signature check

verify-commit and verify-tag both share a central codepath for verifying commits: check_signature. However, verify-tag exited successfully for untrusted signature, while verify-commit exited unsuccessfully. Centralize this signature check and make verify-commit adopt the older verify-tag behavior. This behavior is more logical anyway, as the signature is in fact valid, whether or not there's a path of trust to the author. Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
10 years ago · 434060ec6d
7 changed files with 18 additions and 10 deletions
--- a/builtin/verify-commit.c
+++ b/builtin/verify-commit.c
@ -21,10 +21,11 @@ static const char * const verify_commit_usage[] = {
				@@ -21,10 +21,11 @@ static const char * const verify_commit_usage[] = {
 static int run_gpg_verify(const unsigned char *sha1, const char *buf, unsigned long size, int verbose)
 {
 	struct signature_check signature_check;
+	int ret;

 	memset(&signature_check, 0, sizeof(signature_check));

-	check_commit_signature(lookup_commit(sha1), &signature_check);
+	ret = check_commit_signature(lookup_commit(sha1), &signature_check);

 	if (verbose && signature_check.payload)
 		fputs(signature_check.payload, stdout);
@ -33,7 +34,7 @@ static int run_gpg_verify(const unsigned char *sha1, const char *buf, unsigned l
				@@ -33,7 +34,7 @@ static int run_gpg_verify(const unsigned char *sha1, const char *buf, unsigned l
 		fputs(signature_check.gpg_output, stderr);

 	signature_check_clear(&signature_check);
-	return signature_check.result != 'G';
+	return ret;
 }

 static int verify_commit(const char *name, int verbose)
--- a/builtin/verify-tag.c
+++ b/builtin/verify-tag.c
@ -22,6 +22,7 @@ static int run_gpg_verify(const char *buf, unsigned long size, int verbose)
				@@ -22,6 +22,7 @@ static int run_gpg_verify(const char *buf, unsigned long size, int verbose)
 {
 	struct signature_check sigc;
 	int len;
+	int ret;

 	memset(&sigc, 0, sizeof(sigc));

@ -32,11 +33,11 @@ static int run_gpg_verify(const char *buf, unsigned long size, int verbose)
				@@ -32,11 +33,11 @@ static int run_gpg_verify(const char *buf, unsigned long size, int verbose)
 	if (size == len)
 		return error("no signature found");

-	check_signature(buf, len, buf + len, size - len, &sigc);
+	ret = check_signature(buf, len, buf + len, size - len, &sigc);
 	fputs(sigc.gpg_output, stderr);

 	signature_check_clear(&sigc);
-	return sigc.result != 'G' && sigc.result != 'U';
+	return ret;
 }

 static int verify_tag(const char *name, int verbose)
--- a/commit.c
+++ b/commit.c
@ -1227,20 +1227,24 @@ free_return:
				@@ -1227,20 +1227,24 @@ free_return:
 	free(buf);
 }

-void check_commit_signature(const struct commit *commit, struct signature_check *sigc)
+int check_commit_signature(const struct commit *commit, struct signature_check *sigc)
 {
 	struct strbuf payload = STRBUF_INIT;
 	struct strbuf signature = STRBUF_INIT;
+	int ret = 1;

 	sigc->result = 'N';

 	if (parse_signed_commit(commit, &payload, &signature) <= 0)
 		goto out;
-	check_signature(payload.buf, payload.len, signature.buf, signature.len, sigc);
+	ret = check_signature(payload.buf, payload.len, signature.buf,
+		signature.len, sigc);

 out:
 	strbuf_release(&payload);
 	strbuf_release(&signature);
+
+	return ret;
 }


--- a/commit.h
+++ b/commit.h
@ -375,7 +375,7 @@ extern void print_commit_list(struct commit_list *list,
				@@ -375,7 +375,7 @@ extern void print_commit_list(struct commit_list *list,
 * at all.  This may allocate memory for sig->gpg_output, sig->gpg_status,
 * sig->signer and sig->key.
 */
-extern void check_commit_signature(const struct commit *commit, struct signature_check *sigc);
+extern int check_commit_signature(const struct commit *commit, struct signature_check *sigc);

 int compare_commits_by_commit_date(const void *a_, const void *b_, void *unused);

--- a/gpg-interface.c
+++ b/gpg-interface.c
@ -60,7 +60,7 @@ void parse_gpg_output(struct signature_check *sigc)
				@@ -60,7 +60,7 @@ void parse_gpg_output(struct signature_check *sigc)
 	}
 }

-void check_signature(const char *payload, size_t plen, const char *signature,
+int check_signature(const char *payload, size_t plen, const char *signature,
 	size_t slen, struct signature_check *sigc)
 {
 	struct strbuf gpg_output = STRBUF_INIT;
@ -81,6 +81,8 @@ void check_signature(const char *payload, size_t plen, const char *signature,
				@@ -81,6 +81,8 @@ void check_signature(const char *payload, size_t plen, const char *signature,
 out:
 	strbuf_release(&gpg_status);
 	strbuf_release(&gpg_output);
+
+	return sigc->result != 'G' && sigc->result != 'U';
 }

 /*
--- a/gpg-interface.h
+++ b/gpg-interface.h
@ -27,7 +27,7 @@ extern int verify_signed_buffer(const char *payload, size_t payload_size, const
				@@ -27,7 +27,7 @@ extern int verify_signed_buffer(const char *payload, size_t payload_size, const
 extern int git_gpg_config(const char *, const char *, void *);
 extern void set_signing_key(const char *);
 extern const char *get_signing_key(void);
-extern void check_signature(const char *payload, size_t plen,
+extern int check_signature(const char *payload, size_t plen,
 	const char *signature, size_t slen, struct signature_check *sigc);

 #endif
--- a/t/t7510-signed-commit.sh
+++ b/t/t7510-signed-commit.sh
@ -81,7 +81,7 @@ test_expect_success GPG 'verify and show signatures' '
				@@ -81,7 +81,7 @@ test_expect_success GPG 'verify and show signatures' '
 	)
 '

-test_expect_failure GPG 'verify-commit exits success on untrusted signature' '
+test_expect_success GPG 'verify-commit exits success on untrusted signature' '
 	git verify-commit eighth-signed-alt 2>actual &&
 	grep "Good signature from" actual &&
 	! grep "BAD signature from" actual &&