Merge branch 'jk/verify-sig-merge-into-void'
authorJunio C Hamano <gitster@pobox.com>
Sun, 18 Nov 2018 09:23:54 +0000 (18:23 +0900)
committerJunio C Hamano <gitster@pobox.com>
Sun, 18 Nov 2018 09:23:54 +0000 (18:23 +0900)
"git merge" and "git pull" that merges into an unborn branch used
to completely ignore "--verify-signatures", which has been
corrected.

* jk/verify-sig-merge-into-void:
pull: handle --verify-signatures for unborn branch
merge: handle --verify-signatures for unborn branch
merge: extract verify_merge_signature() helper

builtin/merge.c
builtin/pull.c
commit.c
commit.h
t/t5573-pull-verify-signatures.sh
t/t7612-merge-verify-signatures.sh
index adb0402e847a50bc9e9be69e2257b1b555a780ec..c3c976d471ce78268e673a5135a4c37ebc6d0f6d 100644 (file)
@@ -1337,6 +1337,10 @@ int cmd_merge(int argc, const char **argv, const char *prefix)
                        die(_("%s - not something we can merge"), argv[0]);
                if (remoteheads->next)
                        die(_("Can merge only exactly one commit into empty head"));
+
+               if (verify_signatures)
+                       verify_merge_signature(remoteheads->item, verbosity);
+
                remote_head_oid = &remoteheads->item->object.oid;
                read_empty(remote_head_oid, 0);
                update_ref("initial pull", "HEAD", remote_head_oid, NULL, 0,
@@ -1358,31 +1362,7 @@ int cmd_merge(int argc, const char **argv, const char *prefix)
 
        if (verify_signatures) {
                for (p = remoteheads; p; p = p->next) {
-                       struct commit *commit = p->item;
-                       char hex[GIT_MAX_HEXSZ + 1];
-                       struct signature_check signature_check;
-                       memset(&signature_check, 0, sizeof(signature_check));
-
-                       check_commit_signature(commit, &signature_check);
-
-                       find_unique_abbrev_r(hex, &commit->object.oid, DEFAULT_ABBREV);
-                       switch (signature_check.result) {
-                       case 'G':
-                               break;
-                       case 'U':
-                               die(_("Commit %s has an untrusted GPG signature, "
-                                     "allegedly by %s."), hex, signature_check.signer);
-                       case 'B':
-                               die(_("Commit %s has a bad GPG signature "
-                                     "allegedly by %s."), hex, signature_check.signer);
-                       default: /* 'N' */
-                               die(_("Commit %s does not have a GPG signature."), hex);
-                       }
-                       if (verbosity >= 0 && signature_check.result == 'G')
-                               printf(_("Commit %s has a good GPG signature by %s\n"),
-                                      hex, signature_check.signer);
-
-                       signature_check_clear(&signature_check);
+                       verify_merge_signature(p->item, verbosity);
                }
        }
 
index c21aa276f1e93ef2593397d5304e72d59e6914b0..1b90622b1311187612ef8b33995c92a6802eb343 100644 (file)
@@ -557,6 +557,17 @@ static int run_fetch(const char *repo, const char **refspecs)
 static int pull_into_void(const struct object_id *merge_head,
                const struct object_id *curr_head)
 {
+       if (opt_verify_signatures) {
+               struct commit *commit;
+
+               commit = lookup_commit(the_repository, merge_head);
+               if (!commit)
+                       die(_("unable to access commit %s"),
+                           oid_to_hex(merge_head));
+
+               verify_merge_signature(commit, opt_verbosity);
+       }
+
        /*
         * Two-way merge: we treat the index as based on an empty tree,
         * and try to fast-forward to HEAD. This ensures we will not lose
index bee7b7b62ef9ce61393c8657203fef71e5822225..d13a7bc3746406bdaf0bda0975c25b40111afe47 100644 (file)
--- a/commit.c
+++ b/commit.c
@@ -1099,7 +1099,33 @@ int check_commit_signature(const struct commit *commit, struct signature_check *
        return ret;
 }
 
+void verify_merge_signature(struct commit *commit, int verbosity)
+{
+       char hex[GIT_MAX_HEXSZ + 1];
+       struct signature_check signature_check;
+       memset(&signature_check, 0, sizeof(signature_check));
+
+       check_commit_signature(commit, &signature_check);
+
+       find_unique_abbrev_r(hex, &commit->object.oid, DEFAULT_ABBREV);
+       switch (signature_check.result) {
+       case 'G':
+               break;
+       case 'U':
+               die(_("Commit %s has an untrusted GPG signature, "
+                     "allegedly by %s."), hex, signature_check.signer);
+       case 'B':
+               die(_("Commit %s has a bad GPG signature "
+                     "allegedly by %s."), hex, signature_check.signer);
+       default: /* 'N' */
+               die(_("Commit %s does not have a GPG signature."), hex);
+       }
+       if (verbosity >= 0 && signature_check.result == 'G')
+               printf(_("Commit %s has a good GPG signature by %s\n"),
+                      hex, signature_check.signer);
 
+       signature_check_clear(&signature_check);
+}
 
 void append_merge_tag_headers(struct commit_list *parents,
                              struct commit_extra_header ***tail)
index 03ab19508f222a4a9cdfc12e9850eb9e07787230..98664536cb82c65f04a1742c3e5c1e269afc9493 100644 (file)
--- a/commit.h
+++ b/commit.h
@@ -340,6 +340,14 @@ void record_author_date(struct author_date_slab *author_date,
                        struct commit *commit);
 
 int compare_commits_by_author_date(const void *a_, const void *b_, void *unused);
+
+/*
+ * Verify a single commit with check_commit_signature() and die() if it is not
+ * a good signature. This isn't really suitable for general use, but is a
+ * helper to implement consistent logic for pull/merge --verify-signatures.
+ */
+void verify_merge_signature(struct commit *commit, int verbose);
+
 int compare_commits_by_commit_date(const void *a_, const void *b_, void *unused);
 int compare_commits_by_gen_then_commit_date(const void *a_, const void *b_, void *unused);
 
index 747775c147612f3b09a599661fe3dc7d3b1d34bd..3e9876e1971348daad7fd87f8aa107ea5fd6aaff 100755 (executable)
@@ -78,4 +78,11 @@ test_expect_success GPG 'pull commit with bad signature with --no-verify-signatu
        git pull --ff-only --no-verify-signatures bad 2>pullerror
 '
 
+test_expect_success GPG 'pull unsigned commit into unborn branch' '
+       git init empty-repo &&
+       test_must_fail \
+               git -C empty-repo pull --verify-signatures ..  2>pullerror &&
+       test_i18ngrep "does not have a GPG signature" pullerror
+'
+
 test_done
index e2b1df817a50a48132964124d359c7dc29a89e23..d99218a725c5956d75e32684b196bdc050a0e8b1 100755 (executable)
@@ -103,4 +103,11 @@ test_expect_success GPG 'merge commit with bad signature with merge.verifySignat
        git merge --no-verify-signatures $(cat forged.commit)
 '
 
+test_expect_success GPG 'merge unsigned commit into unborn branch' '
+       test_when_finished "git checkout initial" &&
+       git checkout --orphan unborn &&
+       test_must_fail git merge --verify-signatures side-unsigned 2>mergeerror &&
+       test_i18ngrep "does not have a GPG signature" mergeerror
+'
+
 test_done