t / t7030-verify-tag.sh on commit t/lib-submodule-update: use appropriate length constant (76c2389)
   1#!/bin/sh
   2
   3test_description='signed tag tests'
   4. ./test-lib.sh
   5. "$TEST_DIRECTORY/lib-gpg.sh"
   6
   7test_expect_success GPG 'create signed tags' '
   8        echo 1 >file && git add file &&
   9        test_tick && git commit -m initial &&
  10        git tag -s -m initial initial &&
  11        git branch side &&
  12
  13        echo 2 >file && test_tick && git commit -a -m second &&
  14        git tag -s -m second second &&
  15
  16        git checkout side &&
  17        echo 3 >elif && git add elif &&
  18        test_tick && git commit -m "third on side" &&
  19
  20        git checkout master &&
  21        test_tick && git merge -S side &&
  22        git tag -s -m merge merge &&
  23
  24        echo 4 >file && test_tick && git commit -a -S -m "fourth unsigned" &&
  25        git tag -a -m fourth-unsigned fourth-unsigned &&
  26
  27        test_tick && git commit --amend -S -m "fourth signed" &&
  28        git tag -s -m fourth fourth-signed &&
  29
  30        echo 5 >file && test_tick && git commit -a -m "fifth" &&
  31        git tag fifth-unsigned &&
  32
  33        git config commit.gpgsign true &&
  34        echo 6 >file && test_tick && git commit -a -m "sixth" &&
  35        git tag -a -m sixth sixth-unsigned &&
  36
  37        test_tick && git rebase -f HEAD^^ && git tag -s -m 6th sixth-signed HEAD^ &&
  38        git tag -m seventh -s seventh-signed &&
  39
  40        echo 8 >file && test_tick && git commit -a -m eighth &&
  41        git tag -uB7227189 -m eighth eighth-signed-alt
  42'
  43
  44test_expect_success GPGSM 'create signed tags x509 ' '
  45        test_config gpg.format x509 &&
  46        test_config user.signingkey $GIT_COMMITTER_EMAIL &&
  47        echo 9 >file && test_tick && git commit -a -m "nineth gpgsm-signed" &&
  48        git tag -s -m nineth nineth-signed-x509
  49'
  50
  51test_expect_success GPG 'verify and show signatures' '
  52        (
  53                for tag in initial second merge fourth-signed sixth-signed seventh-signed
  54                do
  55                        git verify-tag $tag 2>actual &&
  56                        grep "Good signature from" actual &&
  57                        ! grep "BAD signature from" actual &&
  58                        echo $tag OK || exit 1
  59                done
  60        ) &&
  61        (
  62                for tag in fourth-unsigned fifth-unsigned sixth-unsigned
  63                do
  64                        test_must_fail git verify-tag $tag 2>actual &&
  65                        ! grep "Good signature from" actual &&
  66                        ! grep "BAD signature from" actual &&
  67                        echo $tag OK || exit 1
  68                done
  69        ) &&
  70        (
  71                for tag in eighth-signed-alt
  72                do
  73                        git verify-tag $tag 2>actual &&
  74                        grep "Good signature from" actual &&
  75                        ! grep "BAD signature from" actual &&
  76                        grep "not certified" actual &&
  77                        echo $tag OK || exit 1
  78                done
  79        )
  80'
  81
  82test_expect_success GPGSM 'verify and show signatures x509' '
  83        git verify-tag nineth-signed-x509 2>actual &&
  84        grep "Good signature from" actual &&
  85        ! grep "BAD signature from" actual &&
  86        echo nineth-signed-x509 OK
  87'
  88
  89test_expect_success GPG 'detect fudged signature' '
  90        git cat-file tag seventh-signed >raw &&
  91        sed -e "/^tag / s/seventh/7th forged/" raw >forged1 &&
  92        git hash-object -w -t tag forged1 >forged1.tag &&
  93        test_must_fail git verify-tag $(cat forged1.tag) 2>actual1 &&
  94        grep "BAD signature from" actual1 &&
  95        ! grep "Good signature from" actual1
  96'
  97
  98test_expect_success GPG 'verify signatures with --raw' '
  99        (
 100                for tag in initial second merge fourth-signed sixth-signed seventh-signed
 101                do
 102                        git verify-tag --raw $tag 2>actual &&
 103                        grep "GOODSIG" actual &&
 104                        ! grep "BADSIG" actual &&
 105                        echo $tag OK || exit 1
 106                done
 107        ) &&
 108        (
 109                for tag in fourth-unsigned fifth-unsigned sixth-unsigned
 110                do
 111                        test_must_fail git verify-tag --raw $tag 2>actual &&
 112                        ! grep "GOODSIG" actual &&
 113                        ! grep "BADSIG" actual &&
 114                        echo $tag OK || exit 1
 115                done
 116        ) &&
 117        (
 118                for tag in eighth-signed-alt
 119                do
 120                        git verify-tag --raw $tag 2>actual &&
 121                        grep "GOODSIG" actual &&
 122                        ! grep "BADSIG" actual &&
 123                        grep "TRUST_UNDEFINED" actual &&
 124                        echo $tag OK || exit 1
 125                done
 126        )
 127'
 128
 129test_expect_success GPGSM 'verify signatures with --raw x509' '
 130        git verify-tag --raw nineth-signed-x509 2>actual &&
 131        grep "GOODSIG" actual &&
 132        ! grep "BADSIG" actual &&
 133        echo nineth-signed-x509 OK
 134'
 135
 136test_expect_success GPG 'verify multiple tags' '
 137        tags="fourth-signed sixth-signed seventh-signed" &&
 138        for i in $tags
 139        do
 140                git verify-tag -v --raw $i || return 1
 141        done >expect.stdout 2>expect.stderr.1 &&
 142        grep "^.GNUPG:." <expect.stderr.1 >expect.stderr &&
 143        git verify-tag -v --raw $tags >actual.stdout 2>actual.stderr.1 &&
 144        grep "^.GNUPG:." <actual.stderr.1 >actual.stderr &&
 145        test_cmp expect.stdout actual.stdout &&
 146        test_cmp expect.stderr actual.stderr
 147'
 148
 149test_expect_success GPGSM 'verify multiple tags x509' '
 150        tags="seventh-signed nineth-signed-x509" &&
 151        for i in $tags
 152        do
 153                git verify-tag -v --raw $i || return 1
 154        done >expect.stdout 2>expect.stderr.1 &&
 155        grep "^.GNUPG:." <expect.stderr.1 >expect.stderr &&
 156        git verify-tag -v --raw $tags >actual.stdout 2>actual.stderr.1 &&
 157        grep "^.GNUPG:." <actual.stderr.1 >actual.stderr &&
 158        test_cmp expect.stdout actual.stdout &&
 159        test_cmp expect.stderr actual.stderr
 160'
 161
 162test_expect_success GPG 'verifying tag with --format' '
 163        cat >expect <<-\EOF &&
 164        tagname : fourth-signed
 165        EOF
 166        git verify-tag --format="tagname : %(tag)" "fourth-signed" >actual &&
 167        test_cmp expect actual
 168'
 169
 170test_expect_success GPG 'verifying a forged tag with --format should fail silently' '
 171        test_must_fail git verify-tag --format="tagname : %(tag)" $(cat forged1.tag) >actual-forged &&
 172        test_must_be_empty actual-forged
 173'
 174
 175test_done