From 0b11a84e1ba26fa3c9995f19e224848d8afc9bcf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= Date: Mon, 22 Oct 2018 18:38:19 +0200 Subject: [PATCH 1/3] gpg-interface.c: use flags to determine key/signer info presence MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replace the logic used to determine whether key and signer information is present to use explicit flags in sigcheck_gpg_status[] array. This is more future-proof, since it makes it possible to add additional statuses without having to explicitly update the conditions. Signed-off-by: Michał Górny Signed-off-by: Junio C Hamano --- gpg-interface.c | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/gpg-interface.c b/gpg-interface.c index efe2c0d386..71618d86b9 100644 --- a/gpg-interface.c +++ b/gpg-interface.c 
@@ -77,20 +77,27 @@ void signature_check_clear(struct signature_check *sigc) /* An exclusive status -- only one of them can appear in output */ #define GPG_STATUS_EXCLUSIVE (1<<0) +/* The status includes key identifier */ +#define GPG_STATUS_KEYID (1<<1) +/* The status includes user identifier */ +#define GPG_STATUS_UID (1<<2) + +/* Short-hand for standard exclusive *SIG status with keyid & UID */ +#define GPG_STATUS_STDSIG (GPG_STATUS_EXCLUSIVE|GPG_STATUS_KEYID|GPG_STATUS_UID) static struct { char result; const char *check; unsigned int flags; } sigcheck_gpg_status[] = { - { 'G', "GOODSIG ", GPG_STATUS_EXCLUSIVE }, - { 'B', "BADSIG ", GPG_STATUS_EXCLUSIVE }, + { 'G', "GOODSIG ", GPG_STATUS_STDSIG }, + { 'B', "BADSIG ", GPG_STATUS_STDSIG }, { 'U', "TRUST_NEVER", 0 }, { 'U', "TRUST_UNDEFINED", 0 }, - { 'E', "ERRSIG ", GPG_STATUS_EXCLUSIVE }, - { 'X', "EXPSIG ", GPG_STATUS_EXCLUSIVE }, - { 'Y', "EXPKEYSIG ", GPG_STATUS_EXCLUSIVE }, - { 'R', "REVKEYSIG ", GPG_STATUS_EXCLUSIVE }, + { 'E', "ERRSIG ", GPG_STATUS_EXCLUSIVE|GPG_STATUS_KEYID }, + { 'X', "EXPSIG ", GPG_STATUS_STDSIG }, + { 'Y', "EXPKEYSIG ", GPG_STATUS_STDSIG }, + { 'R', "REVKEYSIG ", GPG_STATUS_STDSIG }, }; static void parse_gpg_output(struct signature_check *sigc) @@ -117,13 +124,13 @@ static void parse_gpg_output(struct signature_check *sigc) } sigc->result = sigcheck_gpg_status[i].result; - /* The trust messages are not followed by key/signer information */ - if (sigc->result != 'U') { + /* Do we have key information? */ + if (sigcheck_gpg_status[i].flags & GPG_STATUS_KEYID) { next = strchrnul(line, ' '); free(sigc->key); sigc->key = xmemdupz(line, next - line); - /* The ERRSIG message is not followed by signer information */ - if (*next && sigc->result != 'E') { + /* Do we have signer information? */ + if (*next && (sigcheck_gpg_status[i].flags & GPG_STATUS_UID)) { line = next + 1; next = strchrnul(line, '\n'); free(sigc->signer); From 3daaaabe7ed22c17bff04d19c711be427bd2e225 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= Date: Mon, 22 Oct 2018 18:38:20 +0200 Subject: [PATCH 2/3] gpg-interface.c: support getting key fingerprint via %GF format MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Support processing VALIDSIG status that provides additional information for valid signatures. Use this information to propagate signing key fingerprint and expose it via %GF pretty format. This format can be used to build safer key verification systems that verify the key via complete fingerprint rather than short/long identifier provided by %GK. Signed-off-by: Michał Górny Signed-off-by: Junio C Hamano --- Documentation/pretty-formats.txt | 1 + gpg-interface.c | 14 +++++++++++++- gpg-interface.h | 1 + pretty.c | 4 ++++ t/t7510-signed-commit.sh | 18 ++++++++++++------ 5 files changed, 31 insertions(+), 7 deletions(-) diff --git a/Documentation/pretty-formats.txt b/Documentation/pretty-formats.txt index 6109ef09aa..8ab7d6dd1d 100644 --- a/Documentation/pretty-formats.txt +++ b/Documentation/pretty-formats.txt @@ -153,6 +153,7 @@ endif::git-rev-list[] and "N" for no signature - '%GS': show the name of the signer for a signed commit - '%GK': show the key used to sign a signed commit +- '%GF': show the fingerprint of the key used to sign a signed commit - '%gD': reflog selector, e.g., `refs/stash@{1}` or `refs/stash@{2 minutes ago`}; the format follows the rules described for the `-g` option. The portion before the `@` is the refname as diff --git a/gpg-interface.c b/gpg-interface.c index 71618d86b9..1d33a7e9d4 100644 --- a/gpg-interface.c +++ b/gpg-interface.c @@ -73,6 +73,7 @@ void signature_check_clear(struct signature_check *sigc) FREE_AND_NULL(sigc->gpg_status); FREE_AND_NULL(sigc->signer); FREE_AND_NULL(sigc->key); + FREE_AND_NULL(sigc->fingerprint); } /* An exclusive status -- only one of them can appear in output */ 
@@ -81,6 +82,8 @@ void signature_check_clear(struct signature_check *sigc) #define GPG_STATUS_KEYID (1<<1) /* The status includes user identifier */ #define GPG_STATUS_UID (1<<2) +/* The status includes key fingerprints */ +#define GPG_STATUS_FINGERPRINT (1<<3) /* Short-hand for standard exclusive *SIG status with keyid & UID */ #define GPG_STATUS_STDSIG (GPG_STATUS_EXCLUSIVE|GPG_STATUS_KEYID|GPG_STATUS_UID) @@ -98,6 +101,7 @@ static struct { { 'X', "EXPSIG ", GPG_STATUS_STDSIG }, { 'Y', "EXPKEYSIG ", GPG_STATUS_STDSIG }, { 'R', "REVKEYSIG ", GPG_STATUS_STDSIG }, + { 0, "VALIDSIG ", GPG_STATUS_FINGERPRINT }, }; static void parse_gpg_output(struct signature_check *sigc) @@ -123,7 +127,8 @@ static void parse_gpg_output(struct signature_check *sigc) goto found_duplicate_status; } - sigc->result = sigcheck_gpg_status[i].result; + if (sigcheck_gpg_status[i].result) + sigc->result = sigcheck_gpg_status[i].result; /* Do we have key information? */ if (sigcheck_gpg_status[i].flags & GPG_STATUS_KEYID) { next = strchrnul(line, ' '); @@ -137,6 +142,12 @@ static void parse_gpg_output(struct signature_check *sigc) sigc->signer = xmemdupz(line, next - line); } } + /* Do we have fingerprint? */ + if (sigcheck_gpg_status[i].flags & GPG_STATUS_FINGERPRINT) { + next = strchrnul(line, ' '); + free(sigc->fingerprint); + sigc->fingerprint = xmemdupz(line, next - line); + } break; } @@ -154,6 +165,7 @@ static void parse_gpg_output(struct signature_check *sigc) */ sigc->result = 'E'; /* Clear partial data to avoid confusion */ + FREE_AND_NULL(sigc->fingerprint); FREE_AND_NULL(sigc->signer); FREE_AND_NULL(sigc->key); } diff --git a/gpg-interface.h b/gpg-interface.h index acf50c4610..8ce614fc95 100644 --- a/gpg-interface.h +++ b/gpg-interface.h @@ -23,6 +23,7 @@ struct signature_check { char result; char *signer; char *key; + char *fingerprint; }; void signature_check_clear(struct signature_check *sigc); diff --git a/pretty.c b/pretty.c index 98cf5228f9..b9caa9bd2f 100644 --- a/pretty.c 
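Review bot: The `0` in `{ 0, "VALIDSIG ", GPG_STATUS_FINGERPRINT }` (hunk `@@ -98,6 +101,7 @@`) is an undocumented sentinel that only works because the next hunk guards the assignment with `if (sigcheck_gpg_status[i].result)`. A comment on the entry would stop a later status being added with a stray 0, or the guard being dropped, e.g. `/* result 0: carries data only, must not change sigc->result */`. The entry also has no GPG_STATUS_EXCLUSIVE, so a repeated VALIDSIG line is not caught by the duplicate check and the last fingerprint wins. That looks deliberate, but the reason is worth stating next to the flag.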
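Review bot: Nothing documents that `sigc->fingerprint` is set independently of the verdict in `sigc->result`. The block added in the `@@ -137,6 +142,12 @@` hunk stores it for any VALIDSIG line, and the t7510 case for the untrusted signature in this patch expects a fingerprint next to `U`. Because the commit message offers %GF for key verification, the struct member in gpg-interface.h should carry that contract, e.g. `char *fingerprint; /* from VALIDSIG; set regardless of result, check result too */`. The pretty-formats entry could likewise say that %GF is meant to be read together with %G?. The enclosing `if` and the loop over status lines start outside this hunk.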
+++ b/pretty.c @@ -1256,6 +1256,10 @@ static size_t format_commit_one(struct strbuf *sb, /* in UTF-8 */ if (c->signature_check.key) strbuf_addstr(sb, c->signature_check.key); break; + case 'F': + if (c->signature_check.fingerprint) + strbuf_addstr(sb, c->signature_check.fingerprint); + break; default: return 0; } diff --git a/t/t7510-signed-commit.sh b/t/t7510-signed-commit.sh index 180f0be914..19ccae2869 100755 --- a/t/t7510-signed-commit.sh +++ b/t/t7510-signed-commit.sh @@ -175,8 +175,9 @@ test_expect_success GPG 'show good signature with custom format' ' G 13B6F51ECDDE430D C O Mitter + 73D758744BE721698EC54E8713B6F51ECDDE430D EOF - git log -1 --format="%G?%n%GK%n%GS" sixth-signed >actual && + git log -1 --format="%G?%n%GK%n%GS%n%GF" sixth-signed >actual && test_cmp expect actual ' @@ -185,8 +186,9 @@ test_expect_success GPG 'show bad signature with custom format' ' B 13B6F51ECDDE430D C O Mitter + EOF - git log -1 --format="%G?%n%GK%n%GS" $(cat forged1.commit) >actual && + git log -1 --format="%G?%n%GK%n%GS%n%GF" $(cat forged1.commit) >actual && test_cmp expect actual ' @@ -195,8 +197,9 @@ test_expect_success GPG 'show untrusted signature with custom format' ' U 61092E85B7227189 Eris Discordia + D4BE22311AD3131E5EDA29A461092E85B7227189 EOF - git log -1 --format="%G?%n%GK%n%GS" eighth-signed-alt >actual && + git log -1 --format="%G?%n%GK%n%GS%n%GF" eighth-signed-alt >actual && test_cmp expect actual ' @@ -205,8 +208,9 @@ test_expect_success GPG 'show unknown signature with custom format' ' E 61092E85B7227189 + EOF - GNUPGHOME="$GNUPGHOME_NOT_USED" git log -1 --format="%G?%n%GK%n%GS" eighth-signed-alt >actual && + GNUPGHOME="$GNUPGHOME_NOT_USED" git log -1 --format="%G?%n%GK%n%GS%n%GF" eighth-signed-alt >actual && test_cmp expect actual ' 
@@ -215,8 +219,9 @@ test_expect_success GPG 'show lack of signature with custom format' ' N + EOF - git log -1 --format="%G?%n%GK%n%GS" seventh-unsigned >actual && + git log -1 --format="%G?%n%GK%n%GS%n%GF" seventh-unsigned >actual && test_cmp expect actual ' @@ -255,8 +260,9 @@ test_expect_success GPG 'show double signature with custom format' ' E + EOF - git log -1 --format="%G?%n%GK%n%GS" $(cat double-commit.commit) >actual && + git log -1 --format="%G?%n%GK%n%GS%n%GF" $(cat double-commit.commit) >actual && test_cmp expect actual ' From 4de9394dcb769394f490a0285015a1d26beb54d1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= Date: Mon, 22 Oct 2018 18:38:21 +0200 Subject: [PATCH 3/3] gpg-interface.c: obtain primary key fingerprint as well MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Obtain the primary key fingerprint off VALIDSIG status message, and expose it via %GP format. Signed-off-by: Michał Górny Signed-off-by: Junio C Hamano --- Documentation/pretty-formats.txt | 2 ++ gpg-interface.c | 16 +++++++++++++++- gpg-interface.h | 1 + pretty.c | 4 ++++ 4 files changed, 22 insertions(+), 1 deletion(-) diff --git a/Documentation/pretty-formats.txt b/Documentation/pretty-formats.txt index 8ab7d6dd1d..417b638cd8 100644 --- a/Documentation/pretty-formats.txt +++ b/Documentation/pretty-formats.txt @@ -154,6 +154,8 @@ endif::git-rev-list[] - '%GS': show the name of the signer for a signed commit - '%GK': show the key used to sign a signed commit - '%GF': show the fingerprint of the key used to sign a signed commit +- '%GP': show the fingerprint of the primary key whose subkey was used + to sign a signed commit - '%gD': reflog selector, e.g., `refs/stash@{1}` or `refs/stash@{2 minutes ago`}; the format follows the rules described for the `-g` option. The portion before the `@` is the refname as diff --git a/gpg-interface.c b/gpg-interface.c index 1d33a7e9d4..bea1aa2b5a 100644 --- a/gpg-interface.c 
+++ b/gpg-interface.c @@ -74,6 +74,7 @@ void signature_check_clear(struct signature_check *sigc) FREE_AND_NULL(sigc->signer); FREE_AND_NULL(sigc->key); FREE_AND_NULL(sigc->fingerprint); + FREE_AND_NULL(sigc->primary_key_fingerprint); } /* An exclusive status -- only one of them can appear in output */ @@ -108,7 +109,7 @@ static void parse_gpg_output(struct signature_check *sigc) { const char *buf = sigc->gpg_status; const char *line, *next; - int i; + int i, j; int seen_exclusive_status = 0; /* Iterate over all lines */ @@ -147,6 +148,18 @@ static void parse_gpg_output(struct signature_check *sigc) next = strchrnul(line, ' '); free(sigc->fingerprint); sigc->fingerprint = xmemdupz(line, next - line); + + /* Skip interim fields */ + for (j = 9; j > 0; j--) { + if (!*next) + break; + line = next + 1; + next = strchrnul(line, ' '); + } + + next = strchrnul(line, '\n'); + free(sigc->primary_key_fingerprint); + sigc->primary_key_fingerprint = xmemdupz(line, next - line); } break; @@ -165,6 +178,7 @@ static void parse_gpg_output(struct signature_check *sigc) */ sigc->result = 'E'; /* Clear partial data to avoid confusion */ + FREE_AND_NULL(sigc->primary_key_fingerprint); FREE_AND_NULL(sigc->fingerprint); FREE_AND_NULL(sigc->signer); FREE_AND_NULL(sigc->key); diff --git a/gpg-interface.h b/gpg-interface.h index 8ce614fc95..3e624ec289 100644 --- a/gpg-interface.h +++ b/gpg-interface.h @@ -24,6 +24,7 @@ struct signature_check { char *signer; char *key; char *fingerprint; + char *primary_key_fingerprint; }; void signature_check_clear(struct signature_check *sigc); diff --git a/pretty.c b/pretty.c index b9caa9bd2f..53e4db12cf 100644 --- a/pretty.c +++ b/pretty.c 
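Review bot: The field-skipping loop added in the `@@ -147,6 +148,18 @@` hunk can walk off the VALIDSIG line. `strchrnul(line, ' ')` stops only at a space or NUL, and `sigc->gpg_status` is parsed as several newline-separated status lines. If a VALIDSIG line has fewer than ten fields, the search continues into the following status line and `primary_key_fingerprint` is filled with text from there; the `!*next` break likewise falls through to the assignment and stores an earlier field. Since %GP is a key-verification value, it should be set only when the tenth field is present on this line. The sketch below bounds the search with a `const char *limit`, declared beside `line` and `next` in the `@@ -108,7 +109,7 @@` hunk; the enclosing `if` starts outside this hunk.

```c
		sigc->fingerprint = xmemdupz(line, next - line);

		/* Skip interim fields without leaving the VALIDSIG line */
		limit = strchrnul(line, '\n');
		for (j = 9; j > 0; j--) {
			if (limit <= next)
				break;
			line = next + 1;
			next = strchrnul(line, ' ');
		}

		/* Only a line with all ten fields carries the primary key fingerprint */
		FREE_AND_NULL(sigc->primary_key_fingerprint);
		if (!j)
			sigc->primary_key_fingerprint = xmemdupz(line, limit - line);
```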
@@ -1260,6 +1260,10 @@ static size_t format_commit_one(struct strbuf *sb, /* in UTF-8 */ if (c->signature_check.fingerprint) strbuf_addstr(sb, c->signature_check.fingerprint); break; + case 'P': + if (c->signature_check.primary_key_fingerprint) + strbuf_addstr(sb, c->signature_check.primary_key_fingerprint); + break; default: return 0; }
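Review bot: The `%GP` placeholder added in `case 'P':` has no test. This patch's diffstat touches no file under t/, whereas the previous patch extended t7510-signed-commit.sh for `%GF`. Appending `%n%GP` to those `--format` strings, with the expected primary key fingerprint for the good and untrusted cases and an empty line for the others, would pin what the parser stores when VALIDSIG is absent. A case signed with a subkey would additionally show that `%GP` and `%GF` differ when they should. The switch in format_commit_one starts outside this hunk.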