From eb307ae7bb78ccde4e2ac69f302ccf8834883628 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Sebastian=20G=C3=B6tte?=
Date: Sun, 31 Mar 2013 18:02:46 +0200
Subject: [PATCH] merge/pull Check for untrusted good GPG signatures
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

When --verify-signatures is specified, abort the merge in case a good GPG signature from an untrusted key is encountered.

Signed-off-by: Sebastian Götte
Signed-off-by: Junio C Hamano
---
 Documentation/merge-options.txt | 4 ++--
 builtin/merge.c | 3 +++
 commit.c | 14 +++++++++-----
 commit.h | 10 +++++-----
 gpg-interface.h | 1 +
 t/lib-gpg/pubring.gpg | Bin 1164 -> 2359 bytes
 t/lib-gpg/random_seed | Bin 600 -> 600 bytes
 t/lib-gpg/secring.gpg | Bin 1237 -> 3734 bytes
 t/lib-gpg/trustdb.gpg | Bin 1280 -> 1360 bytes
 t/t7612-merge-verify-signatures.sh | 9 +++++++++
 10 files changed, 29 insertions(+), 12 deletions(-)

diff --git a/Documentation/merge-options.txt b/Documentation/merge-options.txt
index 31f1067521..a0f022b41d 100644
--- a/Documentation/merge-options.txt
+++ b/Documentation/merge-options.txt
@@ -85,8 +85,8 @@ option can be used to override --squash.
 --verify-signatures::
 --no-verify-signatures::
- Verify that the commits being merged have good GPG signatures and abort the
- merge in case they do not.
+ Verify that the commits being merged have good and trusted GPG signatures
+ and abort the merge in case they do not.
 --summary::
 --no-summary::
diff --git a/builtin/merge.c b/builtin/merge.c
index e57c42c622..bac11d1605 100644
--- a/builtin/merge.c
+++ b/builtin/merge.c
@@ -1248,6 +1248,9 @@ int cmd_merge(int argc, const char **argv, const char *prefix)
 switch (signature_check.result) {
 case 'G':
 break;
+ case 'U':
+ die(_("Commit %s has an untrusted GPG signature, "
+ "allegedly by %s."), hex, signature_check.signer);
 case 'B':
 die(_("Commit %s has a bad GPG signature "
 "allegedly by %s."), hex, signature_check.signer);
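Review bot: In the new `case 'U':` branch of builtin/merge.c, `signature_check.signer` is handed to `%s`, although the commit.c part of this patch skips filling `key` and `signer` whenever the result is 'U'. The pointer is therefore only set if a GOODSIG line was matched earlier in the same status output. If a trust line is ever matched without one, `die()` would format a NULL pointer, which is undefined behaviour; writing the argument as `signature_check.signer ? signature_check.signer : "(unknown)"` keeps the abort path safe. The comma before "allegedly" is also absent from the 'B' message below and looks unintended. The switch continues outside the hunk.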
diff --git a/commit.c b/commit.c
index 94029c9496..516a4ff7d2 100644
--- a/commit.c
+++ b/commit.c
@@ -1047,6 +1047,8 @@ static struct {
 } sigcheck_gpg_status[] = {
 { 'G', "\n[GNUPG:] GOODSIG " },
 { 'B', "\n[GNUPG:] BADSIG " },
+ { 'U', "\n[GNUPG:] TRUST_NEVER" },
+ { 'U', "\n[GNUPG:] TRUST_UNDEFINED" },
 };
 static void parse_gpg_output(struct signature_check *sigc)
@@ -1068,11 +1070,13 @@ static void parse_gpg_output(struct signature_check *sigc)
 found += strlen(sigcheck_gpg_status[i].check);
 }
 sigc->result = sigcheck_gpg_status[i].result;
- sigc->key = xmemdupz(found, 16);
- found += 17;
- next = strchrnul(found, '\n');
- sigc->signer = xmemdupz(found, next - found);
- break;
+ /* The trust messages are not followed by key/signer information */
+ if (sigc->result != 'U') {
+ sigc->key = xmemdupz(found, 16);
+ found += 17;
+ next = strchrnul(found, '\n');
+ sigc->signer = xmemdupz(found, next - found);
+ }
 }
 }
diff --git a/commit.h b/commit.h
index c24b844ad6..87b4b6cc0c 100644
--- a/commit.h
+++ b/commit.h
@@ -234,11 +234,11 @@ extern void print_commit_list(struct commit_list *list,
 const char *format_last);
 /*
- * Check the signature of the given commit. The result of the check is stored in
- * sig->result, 'G' for a good signature, 'B' for a bad signature and 'N'
- * for no signature at all.
- * This may allocate memory for sig->gpg_output, sig->gpg_status, sig->signer
- * and sig->key.
+ * Check the signature of the given commit. The result of the check is stored
+ * in sig->check_result, 'G' for a good signature, 'U' for a good signature
+ * from an untrusted signer, 'B' for a bad signature and 'N' for no signature
+ * at all. This may allocate memory for sig->gpg_output, sig->gpg_status,
+ * sig->signer and sig->key.
 */
 extern void check_commit_signature(const struct commit* commit, struct signature_check *sigc);
diff --git a/gpg-interface.h b/gpg-interface.h
index 5884aa4052..a85cb5bc97 100644
--- a/gpg-interface.h
+++ b/gpg-interface.h
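Review bot: The two new 'U' rows in `sigcheck_gpg_status[]` only take effect because they sit after the GOODSIG row. Judging by the `break` removed in the next hunk, the scan now runs over every row and the last match decides `sigc->result`, so reordering the table would silently turn an untrusted signature back into 'G'. Nothing in the table records that constraint; a comment above the new rows such as `/* trust rows must stay after GOODSIG/BADSIG: the last matching row wins */` would protect it. The same comment could state that only TRUST_NEVER and TRUST_UNDEFINED map to 'U', so any other trust level gpg reports still ends up as 'G'. The start of the table lies outside the hunk.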
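Review bot: With the `break` gone, the key/signer assignment in parse_gpg_output can run for more than one matching row, and each pass overwrites `sigc->key` and `sigc->signer` without releasing the earlier copies. If a status buffer ever contains both a GOODSIG and a BADSIG line, the first pair of allocations leaks and the reported signer is whichever row comes later in the table. Calling `free(sigc->key);` and `free(sigc->signer);` just before the two `xmemdupz` calls would close the leak, assuming the struct starts out zeroed, which the hunk does not show. Separately, `xmemdupz(found, 16)` and `found += 17` assume a full key id follows the match, so a shorter status line would be read past its end; a length check before the copy is worth adding. The loop header and the rest of the function are outside the hunk.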
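Review bot: The rewritten comment in commit.h names the field `sig->check_result`, but the struct in gpg-interface.h declares it as `result`, and the prototype right below calls the parameter `sigc`. The comment therefore points readers at names that do not exist in this patch. The second line could read ` * in sigc->result, 'G' for a good signature, 'U' for a good signature`, with `sigc->` used for the other fields as well. Since callers decide whether to abort on this value, the comment could also say that 'U' still comes with `signer` and `key` taken from the good-signature line, if that is the intended contract.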
@@ -6,6 +6,7 @@ struct signature_check {
 char *gpg_status;
 char result; /* 0 (not checked),
 * N (checked but no further result),
+ * U (untrusted good),
 * G (good)
 * B (bad) */
 char *signer;
diff --git a/t/lib-gpg/pubring.gpg b/t/lib-gpg/pubring.gpg index 83855fa4e1c6c37afe550c17afa1e7971042ded5..1a3c2d487c2fda9169751a3068fa51e853a1e519 100644 GIT binary patch delta 1212 zcmeC-+%B}ChoycdBQHy!&op;N4u+H6f6^J^jg;&7IqpOEarOOv#j)5P>YG=^^Uj&r8*<#UPrKxh(29kDi_NC*K7G7Gq*$q5Fn#9+r>aRaqy1iJ z{Cqvf>8fw2P+*YV%a=7Ok)4V;g*ulW)`|q##OgmdaNQ>Ue~0R#6eBzJDDS;|p@09~ z*!r7UGFHR3ZC9^m=zbGX$ zQNbn!!gNTjNX#wBN!80sEwSrlv|tftWMWWaWda2slQc6MHzx->GZULA2NNe3H;Wh( zGb586Ba?Uo0~e=2BBx&KcBR73h{f!`*`NOtG3O5bV-s(;2yN=VYtZ8-u4^>)u}DYCQdF za;xHu>J!fREU&e0N`tY}p@5&~g527Vq%ci>$hM7NfBB}R%}W}sKQ4;B z82M!KRV(?_JO=42757gV)pLKe+gJ9ie>IEU>ENbvuFIQi%~C?=MOJ%F=A4nsXC_@T zGq7ytM|r-jTRsKtxGl0`rFD;fJV#OA+tjaT95!v2dM$Q|V*?Wd^GWKCw-ER)*eoDgCBamT~C%a^1TSj1XnUlm?l`-7+L>^r{+^K!4& zP1(|dWxmz#4BiyjH$xnIAXQOMJKf0K)l^!7_X8=k#v;A0P5Rlj&~wY8tN z!{aNTiy2ncXxx}`?vMH0%T`k5t{L}((6DG_o+?1w)%4W`_CD(0y!oN{fV%yk^I25Xj#I_=cj)#w9MId zpniLJ-rc{fo53lslTn^Uf{}@V6PBiUkdw}vLJo$bPYnObSY|F~di}mobGz202W?Lm zO}<`KSDTakiS6m?42|`hmZjGF1*96zYIU~mSC}IFG3fSeY40f(p3;8YIel|JuJK40 z?n_zp=~>BTZ{4bM^|x9o_3m|kJZ(F}G$61@z)9e0=@yO)2dbWSwcllNvswB;!`iNN zQu;-u-xj}A?EDLFY-gDfu=r}9&Qlk4XZM+Jgp*d!s^K~5EeTUjYwIu4(0K5qWM{ctANTVe8IB5d!u}j5rT18K_FVxb9RQxFB%lBQ delta 7 Ocmdlk)Wf-s4hIyNV1tzPbxIbtS}RWTt-OFy9~UU^%gL_R*-XH+&B6Dl8UA zaGWc)qUnp7{KU79SJ}+?^0HUv)br9p_IQK*J|?Y>jT%oUR4Pwi`y*G$#F@n+LSu4O zu+WP1Dfv&r_zY(2toyAVB&u>&p?;odQrRV)MN_BVd0GDMh_snU;Pm&!ys0*#LH7@Q z-Fa<}j_-?$``hAYU0C5>&9t}w|J0(lY2HTjTFf+0Xw>Jvj#*T%Ge^!&{>dF53Bz-@ z8U4?=j$?I;%F?HMDXPOmLznLi=ww_@8A#2zg|t}UfoFf z^=aP;YWd7}q^?9Nx zt9PHthdJV*bIBE7(a@atfp=wtwiXElEWDT9>&apH_4545EPbIbq{HKqFt53duJHkz&W z;oXth49DuX@|xLu?0NRgpm$Ax&Pl(g+}bDW?@WzeczWM%vzaOKu1_UvW^vy(&ahJU zy|TT0rbMlYe6Q>=iI7#*1wC~~-rSNhE!}B#i(kW(W3hFu$}L~+?27(V2cjl-8hYPU Na$frX*zdBXO#mb^CV>C| literal 600 zcmey~roy%VW$NUf6$e|M>$rM84`g=uCb+of&Yg-C+xP0_C`9`1PF-pHahu(y3H$dy zb$j@#UDNhm##`r>lGjtWoOo}k@bumcFX6A3wkoXjV1LrIS8<9)$ddz4b>H5%{qpNv z>WwQk{EiVHRF^#S)}HdF>*4FBpUZ?K^LyURO^|wU@lod|n_CR`t7ZI_`K^55d0$_2 
zzsoD-Id?scrf{{-%@HeEyxq+;_FPMK-i8D*xkm;!9||VE{eHYPku{Ogx=Mj*y_Q{8 zlW%WW($nhwi=DI*#P`?RXH=^mdLeDaKj|)xrg^HsYU(JjkyhI_NIGRWcv4WFWWo2zAV0=@KfLGn^5raxgA;GLXPC$DOT@lE7^Ya z;@&N@JJ;O0m-#@%N$;NzKhN0%Rd(-XTW@{e6Lk2hudZ?8%Qjuc`Fi(H?YY<&zk#^hnLT(`M>J)T~^d^-35 
diff --git a/t/lib-gpg/secring.gpg b/t/lib-gpg/secring.gpg index d831cd9eb3eee613d3c0e1a71093ae01ea7347e3..82dca8f80bf170fde5705862c3eeb9d994725042 100644 GIT binary patch delta 2524 zcmcc0IZbxMRhIgx%rjU5eWtlHaxk3i{*%rSZ=_tuFQ*yAx!F4Ga;tUR3z3tWyW17a zQ#9=!TN*}uD*E+VQ$sH$`aFlx=L$y8=;;0<`-Ef{UYexMv?d~{r|z6;I-kwuOCmaY zzcddl;MSMRQ{TKQo_Ef~-jL&-ecC05gjOsJTx>Rd_vzymBE?Geg6TUqI8{xW8SVE% z^=U->64k0`R1Y$jj?h_3BDo!6TEb#>xS20=y!Mh5mj++A;O{aYx%KVW|U z#(+~7#FyJfEMV6zIREpm`9vqF+k4vQJ)P{}uM^NpV_z1}*3?SjLMXQ5ZbeO8`Q-@5Ewvqfu%@5X>G({j7(?;L8(*qS?U)-T-q zYt;(&t>+uo-mDD$s_^b%UFEFj9%q*KPT+0QO>BPqkp8>*MPcd2!Jp7mxA>!gsJ z7jqrT6@4q-JAd;q5-m2np6IlHj!E0`Ws#TbncjV!&UDiG{n0?9NiWLmTgBwU_RT4} z$ii?&clDh*YbNCh6N8TDt?fz>K4zZdc872FXQp?_{u91En|s5?xY@GcJHwK<_NG3J zqPhD|7fjs2a58NL@9UH253ilovSDM!U9moiea8&GnN}zMJ$BgOd*a&2xw+p|Q?y?m z{j>7W7N(c=4E$RqC&nxcPHNmEYqtHQm&~?H1*Ml0qgJ10VfeE-B%ZUqPk+~7%)^-!Ilrc3HAn;&l2y{%coG z?AR}M_O%=Px8}lxqfN&rF>tdm?0Hr{@9(mkK{IUHT$m=TdiHOYo#-7`$t$UDg&!h5 zuQ6wx>b!AD64!O!KL4i${}|Fkqw{+w8n1ZrspyTsm6&(iza3q7)Aq0Mt2)=0`RgZd zWP86PLriGumbCPSq(wZbQTyv9%|-1$)t~fQYx^Nd<;z_)=bdvkqkig%DY*%&uVK&^ zbGO@~;#!nhtl*MaoSa{jl9{MrlLBEnq*f&67UZPr<)xO`buwD82s1J|tX$DJftjbDHHrlrkG8m&JrimksG`DF4{EBVws2I(sm_fHscf3(|I_N;$3i{0tqrgE;! 
zn``6OSg+rH_u4+T{E#-6iY2h=KVbLQ&JomRV3VC|(Z*mcm-hSz4 z!?TwSeC&a%>K8Arw)WF@czoq^F~h1FjT=+W{V|_=*-EP1HRFD8+T_MMt&c3v)89&z z-F>gs5s=ilJ!PH`N6mA$Il7M{?Vpw=Z(GZv_4~i&KDCM0R$p#^|2bn;Ajf2(KM~gT zHIg5=7A;Fy`TX<`hL$cBqpRN9jHJPr5|NZ*LX#dHG0$HuAhBZ+_I=?b^Iod+tQa`SsviD zTBXldU(V=x!hF@QFp&o;KD-yJ-!$5~m&sJtM#NvXUAu(EVDe2ChNFifD;?GaF+AYX zc_qaDM%!{%xgOh}N3qdfduQLukz4RJHtFu$Nk<+(pX?oOIO$T7-0IiD zmHvF+)%@q#AJu^Vn);Id?1fERtR^j!?(h|xt~%}bZQ zf8spzZx)#ktvMUoEEVcxnZ1tx3#(t6DO&$yfpD~<$Bf0|g3~=-Cfc1Y_PJerWQE*~ zWZSO`$XOUoJV&H_8aXiRH z*_%QRhNDjm|H)WpE@yiEzEE?!)}#k*PZv$TUQ}0`ll+P8>FNxP^_!NZ*82sd8qR8U zw(eJ$QZM{5==N-B?} zut>m3;A-g>jtd8>o_4k0WpT4v`ar|lu5?oRMWx>szf|n}3vX;^nGvw~YM;(i7j+?UX2{TjsD*U$l>2Gdc#k9419vVyQJ!g5k`(vu%Iq5A4Q%-B^FVfI>@T6pCxm+Lj X^BozE3U$K%94DpsSabGW0hMF`DL$*` delta 7 OcmbOxdzEv;RTcmY+5;N^ diff --git a/t/lib-gpg/trustdb.gpg b/t/lib-gpg/trustdb.gpg index abace962b8bf84be688a6f27e4ebd0ee7052f210..4879ae9a84650a93a4d15bd6560c5d1b89eb4c2f 100644 GIT binary patch delta 133 zcmZqRy1*sEm|l?1%*@Ej$i%=9=re5@0|Nu&L_y(=>YJDu6*k{umSl`&Kn6SvSN16x zN?jI~i@T+{B#~3Eb-PkwCo@EeB7_2wybMdTjEeXLLrOJUgG}yTes6vJW7bzTkQ53A E04}5(2LJ#7 delta 52 zcmcb>)xagdm|l?1%*@Ej$iTqhmVVlAqM`Uk^-atZ9rz~(oS3|U#hLd&3forged.commit && git checkout initial && + git checkout -b side-untrusted && + echo 3 >baz && git add baz && + test_tick && git commit -SB7227189 -m "untrusted on side" + git checkout master ' @@ -40,6 +44,11 @@ test_expect_success GPG 'merge commit with bad signature with verification' ' test_i18ngrep "has a bad GPG signature" mergeerror ' +test_expect_success GPG 'merge commit with untrusted signature with verification' ' + test_must_fail git merge --ff-only --verify-signatures side-untrusted 2>mergeerror && + test_i18ngrep "has an untrusted GPG signature" mergeerror +' + test_expect_success GPG 'merge signed commit with verification' ' git merge --verbose --ff-only --verify-signatures side-signed >mergeoutput && test_i18ngrep "has a good GPG signature" mergeoutput -- 2.52.0
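Review bot: The new test relies on `side-untrusted` carrying a commit signed with the second key, but the setup line that creates it, `test_tick && git commit -SB7227189 -m "untrusted on side"`, is not joined to the following command with `&&`. A failure to sign there would therefore not fail the setup step. Ending that line with ` &&` keeps the chain intact, so a broken key fixture shows up where it happens rather than as a confusing failure in this test. The test also exercises only `git merge`, while the subject line names merge/pull; if pull forwards the option, a matching `git pull --verify-signatures` case would cover the other entry point. The setup lines belong to the preceding hunk, whose header is not readable on this page.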