t / t7030-verify-tag.shon commit Merge branch 'dt/unpack-save-untracked-cache-extension' (fa0624f)
   1#!/bin/sh
   2
   3test_description='signed tag tests'
   4. ./test-lib.sh
   5. "$TEST_DIRECTORY/lib-gpg.sh"
   6
   7test_expect_success GPG 'create signed tags' '
   8        echo 1 >file && git add file &&
   9        test_tick && git commit -m initial &&
  10        git tag -s -m initial initial &&
  11        git branch side &&
  12
  13        echo 2 >file && test_tick && git commit -a -m second &&
  14        git tag -s -m second second &&
  15
  16        git checkout side &&
  17        echo 3 >elif && git add elif &&
  18        test_tick && git commit -m "third on side" &&
  19
  20        git checkout master &&
  21        test_tick && git merge -S side &&
  22        git tag -s -m merge merge &&
  23
  24        echo 4 >file && test_tick && git commit -a -S -m "fourth unsigned" &&
  25        git tag -a -m fourth-unsigned fourth-unsigned &&
  26
  27        test_tick && git commit --amend -S -m "fourth signed" &&
  28        git tag -s -m fourth fourth-signed &&
  29
  30        echo 5 >file && test_tick && git commit -a -m "fifth" &&
  31        git tag fifth-unsigned &&
  32
  33        git config commit.gpgsign true &&
  34        echo 6 >file && test_tick && git commit -a -m "sixth" &&
  35        git tag -a -m sixth sixth-unsigned &&
  36
  37        test_tick && git rebase -f HEAD^^ && git tag -s -m 6th sixth-signed HEAD^ &&
  38        git tag -m seventh -s seventh-signed &&
  39
  40        echo 8 >file && test_tick && git commit -a -m eighth &&
  41        git tag -uB7227189 -m eighth eighth-signed-alt
  42'
  43
  44test_expect_success GPG 'verify and show signatures' '
  45        (
  46                for tag in initial second merge fourth-signed sixth-signed seventh-signed
  47                do
  48                        git verify-tag $tag 2>actual &&
  49                        grep "Good signature from" actual &&
  50                        ! grep "BAD signature from" actual &&
  51                        echo $tag OK || exit 1
  52                done
  53        ) &&
  54        (
  55                for tag in fourth-unsigned fifth-unsigned sixth-unsigned
  56                do
  57                        test_must_fail git verify-tag $tag 2>actual &&
  58                        ! grep "Good signature from" actual &&
  59                        ! grep "BAD signature from" actual &&
  60                        echo $tag OK || exit 1
  61                done
  62        ) &&
  63        (
  64                for tag in eighth-signed-alt
  65                do
  66                        git verify-tag $tag 2>actual &&
  67                        grep "Good signature from" actual &&
  68                        ! grep "BAD signature from" actual &&
  69                        grep "not certified" actual &&
  70                        echo $tag OK || exit 1
  71                done
  72        )
  73'
  74
  75test_expect_success GPG 'detect fudged signature' '
  76        git cat-file tag seventh-signed >raw &&
  77        sed -e "s/seventh/7th forged/" raw >forged1 &&
  78        git hash-object -w -t tag forged1 >forged1.tag &&
  79        test_must_fail git verify-tag $(cat forged1.tag) 2>actual1 &&
  80        grep "BAD signature from" actual1 &&
  81        ! grep "Good signature from" actual1
  82'
  83
  84test_expect_success GPG 'verify signatures with --raw' '
  85        (
  86                for tag in initial second merge fourth-signed sixth-signed seventh-signed
  87                do
  88                        git verify-tag --raw $tag 2>actual &&
  89                        grep "GOODSIG" actual &&
  90                        ! grep "BADSIG" actual &&
  91                        echo $tag OK || exit 1
  92                done
  93        ) &&
  94        (
  95                for tag in fourth-unsigned fifth-unsigned sixth-unsigned
  96                do
  97                        test_must_fail git verify-tag --raw $tag 2>actual &&
  98                        ! grep "GOODSIG" actual &&
  99                        ! grep "BADSIG" actual &&
 100                        echo $tag OK || exit 1
 101                done
 102        ) &&
 103        (
 104                for tag in eighth-signed-alt
 105                do
 106                        git verify-tag --raw $tag 2>actual &&
 107                        grep "GOODSIG" actual &&
 108                        ! grep "BADSIG" actual &&
 109                        grep "TRUST_UNDEFINED" actual &&
 110                        echo $tag OK || exit 1
 111                done
 112        )
 113'
 114
 115test_expect_success GPG 'verify multiple tags' '
 116        tags="fourth-signed sixth-signed seventh-signed" &&
 117        for i in $tags
 118        do
 119                git verify-tag -v --raw $i || return 1
 120        done >expect.stdout 2>expect.stderr.1 &&
 121        grep "^.GNUPG:." <expect.stderr.1 >expect.stderr &&
 122        git verify-tag -v --raw $tags >actual.stdout 2>actual.stderr.1 &&
 123        grep "^.GNUPG:." <actual.stderr.1 >actual.stderr &&
 124        test_cmp expect.stdout actual.stdout &&
 125        test_cmp expect.stderr actual.stderr
 126'
 127
 128test_expect_success GPG 'verifying tag with --format' '
 129        cat >expect <<-\EOF &&
 130        tagname : fourth-signed
 131        EOF
 132        git verify-tag --format="tagname : %(tag)" "fourth-signed" >actual &&
 133        test_cmp expect actual
 134'
 135
 136test_expect_success GPG 'verifying a forged tag with --format should fail silently' '
 137        >expect &&
 138        test_must_fail git verify-tag --format="tagname : %(tag)" $(cat forged1.tag) >actual-forged &&
 139        test_cmp expect actual-forged
 140'
 141
 142test_done