mirror of
https://github.com/git/git
synced 2024-09-13 05:14:36 +00:00
verify-tag: add option to print raw gpg status information
verify-tag by default displays human-readable output on standard error. However, it can also be useful to get access to the raw gpg status information, which is machine-readable, allowing automated implementation of signing policy. Add a --raw option to make verify-tag produce the gpg status information on standard error instead of the human-readable format. Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
This commit is contained in:
parent
aeff29dd4d
commit
e18443ece7
|
@ -16,6 +16,10 @@ Validates the gpg signature created by 'git tag'.
|
||||||
|
|
||||||
OPTIONS
|
OPTIONS
|
||||||
-------
|
-------
|
||||||
|
--raw::
|
||||||
|
Print the raw gpg status output to standard error instead of the normal
|
||||||
|
human-readable output.
|
||||||
|
|
||||||
-v::
|
-v::
|
||||||
--verbose::
|
--verbose::
|
||||||
Print the contents of the tag object before validating it.
|
Print the contents of the tag object before validating it.
|
||||||
|
|
|
@ -18,7 +18,7 @@ static const char * const verify_tag_usage[] = {
|
||||||
NULL
|
NULL
|
||||||
};
|
};
|
||||||
|
|
||||||
static int run_gpg_verify(const char *buf, unsigned long size, int verbose)
|
static int run_gpg_verify(const char *buf, unsigned long size, unsigned flags)
|
||||||
{
|
{
|
||||||
struct signature_check sigc;
|
struct signature_check sigc;
|
||||||
int len;
|
int len;
|
||||||
|
@ -29,19 +29,19 @@ static int run_gpg_verify(const char *buf, unsigned long size, int verbose)
|
||||||
len = parse_signature(buf, size);
|
len = parse_signature(buf, size);
|
||||||
|
|
||||||
if (size == len) {
|
if (size == len) {
|
||||||
if (verbose)
|
if (flags & GPG_VERIFY_VERBOSE)
|
||||||
write_in_full(1, buf, len);
|
write_in_full(1, buf, len);
|
||||||
return error("no signature found");
|
return error("no signature found");
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = check_signature(buf, len, buf + len, size - len, &sigc);
|
ret = check_signature(buf, len, buf + len, size - len, &sigc);
|
||||||
print_signature_buffer(&sigc, verbose ? GPG_VERIFY_VERBOSE : 0);
|
print_signature_buffer(&sigc, flags);
|
||||||
|
|
||||||
signature_check_clear(&sigc);
|
signature_check_clear(&sigc);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int verify_tag(const char *name, int verbose)
|
static int verify_tag(const char *name, unsigned flags)
|
||||||
{
|
{
|
||||||
enum object_type type;
|
enum object_type type;
|
||||||
unsigned char sha1[20];
|
unsigned char sha1[20];
|
||||||
|
@ -61,7 +61,7 @@ static int verify_tag(const char *name, int verbose)
|
||||||
if (!buf)
|
if (!buf)
|
||||||
return error("%s: unable to read file.", name);
|
return error("%s: unable to read file.", name);
|
||||||
|
|
||||||
ret = run_gpg_verify(buf, size, verbose);
|
ret = run_gpg_verify(buf, size, flags);
|
||||||
|
|
||||||
free(buf);
|
free(buf);
|
||||||
return ret;
|
return ret;
|
||||||
|
@ -78,8 +78,10 @@ static int git_verify_tag_config(const char *var, const char *value, void *cb)
|
||||||
int cmd_verify_tag(int argc, const char **argv, const char *prefix)
|
int cmd_verify_tag(int argc, const char **argv, const char *prefix)
|
||||||
{
|
{
|
||||||
int i = 1, verbose = 0, had_error = 0;
|
int i = 1, verbose = 0, had_error = 0;
|
||||||
|
unsigned flags = 0;
|
||||||
const struct option verify_tag_options[] = {
|
const struct option verify_tag_options[] = {
|
||||||
OPT__VERBOSE(&verbose, N_("print tag contents")),
|
OPT__VERBOSE(&verbose, N_("print tag contents")),
|
||||||
|
OPT_BIT(0, "raw", &flags, N_("print raw gpg status output"), GPG_VERIFY_RAW),
|
||||||
OPT_END()
|
OPT_END()
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -90,11 +92,14 @@ int cmd_verify_tag(int argc, const char **argv, const char *prefix)
|
||||||
if (argc <= i)
|
if (argc <= i)
|
||||||
usage_with_options(verify_tag_usage, verify_tag_options);
|
usage_with_options(verify_tag_usage, verify_tag_options);
|
||||||
|
|
||||||
|
if (verbose)
|
||||||
|
flags |= GPG_VERIFY_VERBOSE;
|
||||||
|
|
||||||
/* sometimes the program was terminated because this signal
|
/* sometimes the program was terminated because this signal
|
||||||
* was received in the process of writing the gpg input: */
|
* was received in the process of writing the gpg input: */
|
||||||
signal(SIGPIPE, SIG_IGN);
|
signal(SIGPIPE, SIG_IGN);
|
||||||
while (i < argc)
|
while (i < argc)
|
||||||
if (verify_tag(argv[i++], verbose))
|
if (verify_tag(argv[i++], flags))
|
||||||
had_error = 1;
|
had_error = 1;
|
||||||
return had_error;
|
return had_error;
|
||||||
}
|
}
|
||||||
|
|
|
@ -81,4 +81,35 @@ test_expect_success GPG 'detect fudged signature' '
|
||||||
! grep "Good signature from" actual1
|
! grep "Good signature from" actual1
|
||||||
'
|
'
|
||||||
|
|
||||||
|
test_expect_success GPG 'verify signatures with --raw' '
|
||||||
|
(
|
||||||
|
for tag in initial second merge fourth-signed sixth-signed seventh-signed
|
||||||
|
do
|
||||||
|
git verify-tag --raw $tag 2>actual &&
|
||||||
|
grep "GOODSIG" actual &&
|
||||||
|
! grep "BADSIG" actual &&
|
||||||
|
echo $tag OK || exit 1
|
||||||
|
done
|
||||||
|
) &&
|
||||||
|
(
|
||||||
|
for tag in fourth-unsigned fifth-unsigned sixth-unsigned
|
||||||
|
do
|
||||||
|
test_must_fail git verify-tag --raw $tag 2>actual &&
|
||||||
|
! grep "GOODSIG" actual &&
|
||||||
|
! grep "BADSIG" actual &&
|
||||||
|
echo $tag OK || exit 1
|
||||||
|
done
|
||||||
|
) &&
|
||||||
|
(
|
||||||
|
for tag in eighth-signed-alt
|
||||||
|
do
|
||||||
|
git verify-tag --raw $tag 2>actual &&
|
||||||
|
grep "GOODSIG" actual &&
|
||||||
|
! grep "BADSIG" actual &&
|
||||||
|
grep "TRUST_UNDEFINED" actual &&
|
||||||
|
echo $tag OK || exit 1
|
||||||
|
done
|
||||||
|
)
|
||||||
|
'
|
||||||
|
|
||||||
test_done
|
test_done
|
||||||
|
|
Loading…
Reference in a new issue