kernel
/
git
mirror of https://git.kernel.org/pub/scm/git/git.git
1
0
Fork 0
Code Releases Activity
Browse Source

gpg-interface: remove other signature headers before verifying 

When we have a multiply signed commit, we need to remove the signature
in the header before verifying the object, since the trailing signature
will not be over both pieces of data.  Do so, and verify that we
validate the signature appropriately.

Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
maint
brian m. carlson 4 years ago committed by Junio C Hamano
parent
88bce0e24c
commit
9b27b49240
2 changed files with 27 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      gpg-interface.c
  2. 25
      t/t7004-tag.sh

2
gpg-interface.c
Unescape View File

@ -1,4 +1,5 @@ @@ -1,4 +1,5 @@
#include "cache.h"
#include "commit.h"
#include "config.h"
#include "run-command.h"
#include "strbuf.h"
@ -366,6 +367,7 @@ int parse_signature(const char *buf, size_t size, struct strbuf *payload, struct @@ -366,6 +367,7 @@ int parse_signature(const char *buf, size_t size, struct strbuf *payload, struct
size_t match = parse_signed_buffer(buf, size);
if (match != size) {
strbuf_add(payload, buf, match);
remove_signature(payload);
strbuf_add(signature, buf + match, size - match);
return 1;
}

25
t/t7004-tag.sh
Unescape View File

@ -17,6 +17,13 @@ tag_exists () { @@ -17,6 +17,13 @@ tag_exists () {
git show-ref --quiet --verify refs/tags/"$1"
}

test_expect_success 'setup' '
test_oid_cache <<-EOM
othersigheader sha1:gpgsig-sha256
othersigheader sha256:gpgsig
EOM
'

test_expect_success 'listing all tags in an empty tree should succeed' '
git tag -l &&
git tag
@ -1371,6 +1378,24 @@ test_expect_success GPG \ @@ -1371,6 +1378,24 @@ test_expect_success GPG \
'test_config gpg.program echo &&
test_must_fail git tag -s -m tail tag-gpg-failure'

# try to produce invalid signature
test_expect_success GPG 'git verifies tag is valid with double signature' '
git tag -s -m tail tag-gpg-double-sig &&
git cat-file tag tag-gpg-double-sig >tag &&
othersigheader=$(test_oid othersigheader) &&
sed -ne "/^\$/q;p" tag >new-tag &&
cat <<-EOM >>new-tag &&
$othersigheader -----BEGIN PGP SIGNATURE-----
someinvaliddata
-----END PGP SIGNATURE-----
EOM
sed -e "1,/^tagger/d" tag >>new-tag &&
new_tag=$(git hash-object -t tag -w new-tag) &&
git update-ref refs/tags/tag-gpg-double-sig $new_tag &&
git verify-tag tag-gpg-double-sig &&
git fsck
'

# try to sign with bad user.signingkey
test_expect_success GPGSM \
'git tag -s fails if gpgsm is misconfigured (bad key)' \

Write Preview
Loading…
Cancel
Save