diff --git a/Documentation/config/gpg.txt b/Documentation/config/gpg.txt index cce2c89245..d94025cb36 100644 --- a/Documentation/config/gpg.txt +++ b/Documentation/config/gpg.txt @@ -18,3 +18,18 @@ gpg..program:: chose. (see `gpg.program` and `gpg.format`) `gpg.program` can still be used as a legacy synonym for `gpg.openpgp.program`. The default value for `gpg.x509.program` is "gpgsm". + +gpg.minTrustLevel:: + Specifies a minimum trust level for signature verification. If + this option is unset, then signature verification for merge + operations require a key with at least `marginal` trust. Other + operations that perform signature verification require a key + with at least `undefined` trust. Setting this option overrides + the required trust-level for all operations. Supported values, + in increasing order of significance: ++ +* `undefined` +* `never` +* `marginal` +* `fully` +* `ultimate` diff --git a/Documentation/pretty-formats.txt b/Documentation/pretty-formats.txt index 31c6e8d2b8..6455f70447 100644 --- a/Documentation/pretty-formats.txt +++ b/Documentation/pretty-formats.txt @@ -213,6 +213,7 @@ endif::git-rev-list[] '%GF':: show the fingerprint of the key used to sign a signed commit '%GP':: show the fingerprint of the primary key whose subkey was used to sign a signed commit +'%GT':: show the trust level for the key used to sign a signed commit '%gD':: reflog selector, e.g., `refs/stash@{1}` or `refs/stash@{2 minutes ago}`; the format follows the rules described for the `-g` option. The portion before the `@` is the refname as diff --git a/builtin/merge.c b/builtin/merge.c index 062e911441..d127d2225f 100644 --- a/builtin/merge.c +++ b/builtin/merge.c @@ -62,6 +62,7 @@ static int show_diffstat = 1, shortlog_len = -1, squash; static int option_commit = -1; static int option_edit = -1; static int allow_trivial = 1, have_message, verify_signatures; +static int check_trust_level = 1; static int overwrite_ignore = 1; static struct strbuf merge_msg = STRBUF_INIT; static struct strategy **use_strategies; @@ -631,6 +632,8 @@ static int git_merge_config(const char *k, const char *v, void *cb) } else if (!strcmp(k, "commit.gpgsign")) { sign_commit = git_config_bool(k, v) ? "" : NULL; return 0; + } else if (!strcmp(k, "gpg.mintrustlevel")) { + check_trust_level = 0; } status = fmt_merge_msg_config(k, v, cb); @@ -1397,7 +1400,8 @@ int cmd_merge(int argc, const char **argv, const char *prefix) die(_("Can merge only exactly one commit into empty head")); if (verify_signatures) - verify_merge_signature(remoteheads->item, verbosity); + verify_merge_signature(remoteheads->item, verbosity, + check_trust_level); remote_head_oid = &remoteheads->item->object.oid; read_empty(remote_head_oid, 0); @@ -1420,7 +1424,8 @@ int cmd_merge(int argc, const char **argv, const char *prefix) if (verify_signatures) { for (p = remoteheads; p; p = p->next) { - verify_merge_signature(p->item, verbosity); + verify_merge_signature(p->item, verbosity, + check_trust_level); } } diff --git a/builtin/pull.c b/builtin/pull.c index d25ff13a60..d4e3e77c8e 100644 --- a/builtin/pull.c +++ b/builtin/pull.c @@ -107,6 +107,7 @@ static char *opt_ff; static char *opt_verify_signatures; static int opt_autostash = -1; static int config_autostash; +static int check_trust_level = 1; static struct argv_array opt_strategies = ARGV_ARRAY_INIT; static struct argv_array opt_strategy_opts = ARGV_ARRAY_INIT; static char *opt_gpg_sign; @@ -355,6 +356,8 @@ static enum rebase_type config_get_rebase(void) */ static int git_pull_config(const char *var, const char *value, void *cb) { + int status; + if (!strcmp(var, "rebase.autostash")) { config_autostash = git_config_bool(var, value); return 0; @@ -362,7 +365,14 @@ static int git_pull_config(const char *var, const char *value, void *cb) recurse_submodules = git_config_bool(var, value) ? RECURSE_SUBMODULES_ON : RECURSE_SUBMODULES_OFF; return 0; + } else if (!strcmp(var, "gpg.mintrustlevel")) { + check_trust_level = 0; } + + status = git_gpg_config(var, value, cb); + if (status) + return status; + return git_default_config(var, value, cb); } @@ -587,7 +597,8 @@ static int pull_into_void(const struct object_id *merge_head, die(_("unable to access commit %s"), oid_to_hex(merge_head)); - verify_merge_signature(commit, opt_verbosity); + verify_merge_signature(commit, opt_verbosity, + check_trust_level); } /* diff --git a/commit.c b/commit.c index 434ec030d6..3f91d3efc5 100644 --- a/commit.c +++ b/commit.c @@ -1136,21 +1136,23 @@ int check_commit_signature(const struct commit *commit, struct signature_check * return ret; } -void verify_merge_signature(struct commit *commit, int verbosity) +void verify_merge_signature(struct commit *commit, int verbosity, + int check_trust) { char hex[GIT_MAX_HEXSZ + 1]; struct signature_check signature_check; + int ret; memset(&signature_check, 0, sizeof(signature_check)); - check_commit_signature(commit, &signature_check); + ret = check_commit_signature(commit, &signature_check); find_unique_abbrev_r(hex, &commit->object.oid, DEFAULT_ABBREV); switch (signature_check.result) { case 'G': + if (ret || (check_trust && signature_check.trust_level < TRUST_MARGINAL)) + die(_("Commit %s has an untrusted GPG signature, " + "allegedly by %s."), hex, signature_check.signer); break; - case 'U': - die(_("Commit %s has an untrusted GPG signature, " - "allegedly by %s."), hex, signature_check.signer); case 'B': die(_("Commit %s has a bad GPG signature " "allegedly by %s."), hex, signature_check.signer); diff --git a/commit.h b/commit.h index 221cdaa34b..008a0fa4a0 100644 --- a/commit.h +++ b/commit.h @@ -383,8 +383,18 @@ int compare_commits_by_author_date(const void *a_, const void *b_, void *unused) * Verify a single commit with check_commit_signature() and die() if it is not * a good signature. This isn't really suitable for general use, but is a * helper to implement consistent logic for pull/merge --verify-signatures. + * + * The check_trust parameter is meant for backward-compatibility. The GPG + * interface verifies key trust with a default trust level that is below the + * default trust level for merge operations. Its value should be non-zero if + * the user hasn't set a minimum trust level explicitly in their configuration. + * + * If the user has set a minimum trust level, then that value should be obeyed + * and check_trust should be zero, even if the configured trust level is below + * the default trust level for merges. */ -void verify_merge_signature(struct commit *commit, int verbose); +void verify_merge_signature(struct commit *commit, int verbose, + int check_trust); int compare_commits_by_commit_date(const void *a_, const void *b_, void *unused); int compare_commits_by_gen_then_commit_date(const void *a_, const void *b_, void *unused); diff --git a/gpg-interface.c b/gpg-interface.c index 131e7d529e..165274d74a 100644 --- a/gpg-interface.c +++ b/gpg-interface.c @@ -7,6 +7,8 @@ #include "tempfile.h" static char *configured_signing_key; +static enum signature_trust_level configured_min_trust_level = TRUST_UNDEFINED; + struct gpg_format { const char *name; const char *program; @@ -85,6 +87,8 @@ void signature_check_clear(struct signature_check *sigc) #define GPG_STATUS_UID (1<<2) /* The status includes key fingerprints */ #define GPG_STATUS_FINGERPRINT (1<<3) +/* The status includes trust level */ +#define GPG_STATUS_TRUST_LEVEL (1<<4) /* Short-hand for standard exclusive *SIG status with keyid & UID */ #define GPG_STATUS_STDSIG (GPG_STATUS_EXCLUSIVE|GPG_STATUS_KEYID|GPG_STATUS_UID) @@ -96,13 +100,23 @@ static struct { } sigcheck_gpg_status[] = { { 'G', "GOODSIG ", GPG_STATUS_STDSIG }, { 'B', "BADSIG ", GPG_STATUS_STDSIG }, - { 'U', "TRUST_NEVER", 0 }, - { 'U', "TRUST_UNDEFINED", 0 }, { 'E', "ERRSIG ", GPG_STATUS_EXCLUSIVE|GPG_STATUS_KEYID }, { 'X', "EXPSIG ", GPG_STATUS_STDSIG }, { 'Y', "EXPKEYSIG ", GPG_STATUS_STDSIG }, { 'R', "REVKEYSIG ", GPG_STATUS_STDSIG }, { 0, "VALIDSIG ", GPG_STATUS_FINGERPRINT }, + { 0, "TRUST_", GPG_STATUS_TRUST_LEVEL }, +}; + +static struct { + const char *key; + enum signature_trust_level value; +} sigcheck_gpg_trust_level[] = { + { "UNDEFINED", TRUST_UNDEFINED }, + { "NEVER", TRUST_NEVER }, + { "MARGINAL", TRUST_MARGINAL }, + { "FULLY", TRUST_FULLY }, + { "ULTIMATE", TRUST_ULTIMATE }, }; static void replace_cstring(char **field, const char *line, const char *next) @@ -115,6 +129,20 @@ static void replace_cstring(char **field, const char *line, const char *next) *field = NULL; } +static int parse_gpg_trust_level(const char *level, + enum signature_trust_level *res) +{ + size_t i; + + for (i = 0; i < ARRAY_SIZE(sigcheck_gpg_trust_level); i++) { + if (!strcmp(sigcheck_gpg_trust_level[i].key, level)) { + *res = sigcheck_gpg_trust_level[i].value; + return 0; + } + } + return 1; +} + static void parse_gpg_output(struct signature_check *sigc) { const char *buf = sigc->gpg_status; @@ -136,9 +164,18 @@ static void parse_gpg_output(struct signature_check *sigc) /* Iterate over all search strings */ for (i = 0; i < ARRAY_SIZE(sigcheck_gpg_status); i++) { if (skip_prefix(line, sigcheck_gpg_status[i].check, &line)) { + /* + * GOODSIG, BADSIG etc. can occur only once for + * each signature. Therefore, if we had more + * than one then we're dealing with multiple + * signatures. We don't support them + * currently, and they're rather hard to + * create, so something is likely fishy and we + * should reject them altogether. + */ if (sigcheck_gpg_status[i].flags & GPG_STATUS_EXCLUSIVE) { if (seen_exclusive_status++) - goto found_duplicate_status; + goto error; } if (sigcheck_gpg_status[i].result) @@ -154,6 +191,25 @@ static void parse_gpg_output(struct signature_check *sigc) replace_cstring(&sigc->signer, line, next); } } + + /* Do we have trust level? */ + if (sigcheck_gpg_status[i].flags & GPG_STATUS_TRUST_LEVEL) { + /* + * GPG v1 and v2 differs in how the + * TRUST_ lines are written. Some + * trust lines contain no additional + * space-separated information for v1. + */ + size_t trust_size = strcspn(line, " \n"); + char *trust = xmemdupz(line, trust_size); + + if (parse_gpg_trust_level(trust, &sigc->trust_level)) { + free(trust); + goto error; + } + free(trust); + } + /* Do we have fingerprint? */ if (sigcheck_gpg_status[i].flags & GPG_STATUS_FINGERPRINT) { const char *limit; @@ -191,14 +247,7 @@ static void parse_gpg_output(struct signature_check *sigc) } return; -found_duplicate_status: - /* - * GOODSIG, BADSIG etc. can occur only once for each signature. - * Therefore, if we had more than one then we're dealing with multiple - * signatures. We don't support them currently, and they're rather - * hard to create, so something is likely fishy and we should reject - * them altogether. - */ +error: sigc->result = 'E'; /* Clear partial data to avoid confusion */ FREE_AND_NULL(sigc->primary_key_fingerprint); @@ -215,6 +264,7 @@ int check_signature(const char *payload, size_t plen, const char *signature, int status; sigc->result = 'N'; + sigc->trust_level = -1; status = verify_signed_buffer(payload, plen, signature, slen, &gpg_output, &gpg_status); @@ -224,7 +274,8 @@ int check_signature(const char *payload, size_t plen, const char *signature, sigc->gpg_output = strbuf_detach(&gpg_output, NULL); sigc->gpg_status = strbuf_detach(&gpg_status, NULL); parse_gpg_output(sigc); - status |= sigc->result != 'G' && sigc->result != 'U'; + status |= sigc->result != 'G'; + status |= sigc->trust_level < configured_min_trust_level; out: strbuf_release(&gpg_status); @@ -271,6 +322,8 @@ int git_gpg_config(const char *var, const char *value, void *cb) { struct gpg_format *fmt = NULL; char *fmtname = NULL; + char *trust; + int ret; if (!strcmp(var, "user.signingkey")) { if (!value) @@ -290,6 +343,20 @@ int git_gpg_config(const char *var, const char *value, void *cb) return 0; } + if (!strcmp(var, "gpg.mintrustlevel")) { + if (!value) + return config_error_nonbool(var); + + trust = xstrdup_toupper(value); + ret = parse_gpg_trust_level(trust, &configured_min_trust_level); + free(trust); + + if (ret) + return error("unsupported value for %s: %s", var, + value); + return 0; + } + if (!strcmp(var, "gpg.program") || !strcmp(var, "gpg.openpgp.program")) fmtname = "openpgp"; diff --git a/gpg-interface.h b/gpg-interface.h index 3e624ec289..796571e9e9 100644 --- a/gpg-interface.h +++ b/gpg-interface.h @@ -7,6 +7,14 @@ struct strbuf; #define GPG_VERIFY_RAW 2 #define GPG_VERIFY_OMIT_STATUS 4 +enum signature_trust_level { + TRUST_UNDEFINED, + TRUST_NEVER, + TRUST_MARGINAL, + TRUST_FULLY, + TRUST_ULTIMATE, +}; + struct signature_check { char *payload; char *gpg_output; @@ -16,7 +24,6 @@ struct signature_check { * possible "result": * 0 (not checked) * N (checked but no further result) - * U (untrusted good) * G (good) * B (bad) */ @@ -25,6 +32,7 @@ struct signature_check { char *key; char *fingerprint; char *primary_key_fingerprint; + enum signature_trust_level trust_level; }; void signature_check_clear(struct signature_check *sigc); diff --git a/pretty.c b/pretty.c index 93eb6e8370..f2bb42f220 100644 --- a/pretty.c +++ b/pretty.c @@ -1303,9 +1303,18 @@ static size_t format_commit_one(struct strbuf *sb, /* in UTF-8 */ case '?': switch (c->signature_check.result) { case 'G': + switch (c->signature_check.trust_level) { + case TRUST_UNDEFINED: + case TRUST_NEVER: + strbuf_addch(sb, 'U'); + break; + default: + strbuf_addch(sb, 'G'); + break; + } + break; case 'B': case 'E': - case 'U': case 'N': case 'X': case 'Y': @@ -1329,6 +1338,25 @@ static size_t format_commit_one(struct strbuf *sb, /* in UTF-8 */ if (c->signature_check.primary_key_fingerprint) strbuf_addstr(sb, c->signature_check.primary_key_fingerprint); break; + case 'T': + switch (c->signature_check.trust_level) { + case TRUST_UNDEFINED: + strbuf_addstr(sb, "undefined"); + break; + case TRUST_NEVER: + strbuf_addstr(sb, "never"); + break; + case TRUST_MARGINAL: + strbuf_addstr(sb, "marginal"); + break; + case TRUST_FULLY: + strbuf_addstr(sb, "fully"); + break; + case TRUST_ULTIMATE: + strbuf_addstr(sb, "ultimate"); + break; + } + break; default: return 0; } diff --git a/t/t5573-pull-verify-signatures.sh b/t/t5573-pull-verify-signatures.sh index 3e9876e197..a53dd8550d 100755 --- a/t/t5573-pull-verify-signatures.sh +++ b/t/t5573-pull-verify-signatures.sh @@ -60,6 +60,27 @@ test_expect_success GPG 'pull commit with untrusted signature with --verify-sign test_i18ngrep "has an untrusted GPG signature" pullerror ' +test_expect_success GPG 'pull commit with untrusted signature with --verify-signatures and minTrustLevel=ultimate' ' + test_when_finished "git reset --hard && git checkout initial" && + test_config gpg.minTrustLevel ultimate && + test_must_fail git pull --ff-only --verify-signatures untrusted 2>pullerror && + test_i18ngrep "has an untrusted GPG signature" pullerror +' + +test_expect_success GPG 'pull commit with untrusted signature with --verify-signatures and minTrustLevel=marginal' ' + test_when_finished "git reset --hard && git checkout initial" && + test_config gpg.minTrustLevel marginal && + test_must_fail git pull --ff-only --verify-signatures untrusted 2>pullerror && + test_i18ngrep "has an untrusted GPG signature" pullerror +' + +test_expect_success GPG 'pull commit with untrusted signature with --verify-signatures and minTrustLevel=undefined' ' + test_when_finished "git reset --hard && git checkout initial" && + test_config gpg.minTrustLevel undefined && + git pull --ff-only --verify-signatures untrusted >pulloutput && + test_i18ngrep "has a good GPG signature" pulloutput +' + test_expect_success GPG 'pull signed commit with --verify-signatures' ' test_when_finished "git reset --hard && git checkout initial" && git pull --verify-signatures signed >pulloutput && @@ -79,10 +100,53 @@ test_expect_success GPG 'pull commit with bad signature with --no-verify-signatu ' test_expect_success GPG 'pull unsigned commit into unborn branch' ' + test_when_finished "rm -rf empty-repo" && git init empty-repo && test_must_fail \ git -C empty-repo pull --verify-signatures .. 2>pullerror && test_i18ngrep "does not have a GPG signature" pullerror ' +test_expect_success GPG 'pull commit into unborn branch with bad signature and --verify-signatures' ' + test_when_finished "rm -rf empty-repo" && + git init empty-repo && + test_must_fail \ + git -C empty-repo pull --ff-only --verify-signatures ../bad 2>pullerror && + test_i18ngrep "has a bad GPG signature" pullerror +' + +test_expect_success GPG 'pull commit into unborn branch with untrusted signature and --verify-signatures' ' + test_when_finished "rm -rf empty-repo" && + git init empty-repo && + test_must_fail \ + git -C empty-repo pull --ff-only --verify-signatures ../untrusted 2>pullerror && + test_i18ngrep "has an untrusted GPG signature" pullerror +' + +test_expect_success GPG 'pull commit into unborn branch with untrusted signature and --verify-signatures and minTrustLevel=ultimate' ' + test_when_finished "rm -rf empty-repo" && + git init empty-repo && + test_config_global gpg.minTrustLevel ultimate && + test_must_fail \ + git -C empty-repo pull --ff-only --verify-signatures ../untrusted 2>pullerror && + test_i18ngrep "has an untrusted GPG signature" pullerror +' + +test_expect_success GPG 'pull commit into unborn branch with untrusted signature and --verify-signatures and minTrustLevel=marginal' ' + test_when_finished "rm -rf empty-repo" && + git init empty-repo && + test_config_global gpg.minTrustLevel marginal && + test_must_fail \ + git -C empty-repo pull --ff-only --verify-signatures ../untrusted 2>pullerror && + test_i18ngrep "has an untrusted GPG signature" pullerror +' + +test_expect_success GPG 'pull commit into unborn branch with untrusted signature and --verify-signatures and minTrustLevel=undefined' ' + test_when_finished "rm -rf empty-repo" && + git init empty-repo && + test_config_global gpg.minTrustLevel undefined && + git -C empty-repo pull --ff-only --verify-signatures ../untrusted >pulloutput && + test_i18ngrep "has a good GPG signature" pulloutput +' + test_done diff --git a/t/t7030-verify-tag.sh b/t/t7030-verify-tag.sh index 8f077bea60..5c5bc32ccb 100755 --- a/t/t7030-verify-tag.sh +++ b/t/t7030-verify-tag.sh @@ -86,6 +86,30 @@ test_expect_success GPGSM 'verify and show signatures x509' ' echo ninth-signed-x509 OK ' +test_expect_success GPGSM 'verify and show signatures x509 with low minTrustLevel' ' + test_config gpg.minTrustLevel undefined && + git verify-tag ninth-signed-x509 2>actual && + grep "Good signature from" actual && + ! grep "BAD signature from" actual && + echo ninth-signed-x509 OK +' + +test_expect_success GPGSM 'verify and show signatures x509 with matching minTrustLevel' ' + test_config gpg.minTrustLevel fully && + git verify-tag ninth-signed-x509 2>actual && + grep "Good signature from" actual && + ! grep "BAD signature from" actual && + echo ninth-signed-x509 OK +' + +test_expect_success GPGSM 'verify and show signatures x509 with high minTrustLevel' ' + test_config gpg.minTrustLevel ultimate && + test_must_fail git verify-tag ninth-signed-x509 2>actual && + grep "Good signature from" actual && + ! grep "BAD signature from" actual && + echo ninth-signed-x509 OK +' + test_expect_success GPG 'detect fudged signature' ' git cat-file tag seventh-signed >raw && sed -e "/^tag / s/seventh/7th forged/" raw >forged1 && diff --git a/t/t7510-signed-commit.sh b/t/t7510-signed-commit.sh index 682b23a068..0c06d22a00 100755 --- a/t/t7510-signed-commit.sh +++ b/t/t7510-signed-commit.sh @@ -109,6 +109,21 @@ test_expect_success GPG 'verify-commit exits success on untrusted signature' ' grep "not certified" actual ' +test_expect_success GPG 'verify-commit exits success with matching minTrustLevel' ' + test_config gpg.minTrustLevel ultimate && + git verify-commit sixth-signed +' + +test_expect_success GPG 'verify-commit exits success with low minTrustLevel' ' + test_config gpg.minTrustLevel fully && + git verify-commit sixth-signed +' + +test_expect_success GPG 'verify-commit exits failure with high minTrustLevel' ' + test_config gpg.minTrustLevel ultimate && + test_must_fail git verify-commit eighth-signed-alt +' + test_expect_success GPG 'verify signatures with --raw' ' ( for commit in initial second merge fourth-signed fifth-signed sixth-signed seventh-signed @@ -219,6 +234,30 @@ test_expect_success GPG 'show untrusted signature with custom format' ' test_cmp expect actual ' +test_expect_success GPG 'show untrusted signature with undefined trust level' ' + cat >expect <<-\EOF && + undefined + 65A0EEA02E30CAD7 + Eris Discordia + F8364A59E07FFE9F4D63005A65A0EEA02E30CAD7 + D4BE22311AD3131E5EDA29A461092E85B7227189 + EOF + git log -1 --format="%GT%n%GK%n%GS%n%GF%n%GP" eighth-signed-alt >actual && + test_cmp expect actual +' + +test_expect_success GPG 'show untrusted signature with ultimate trust level' ' + cat >expect <<-\EOF && + ultimate + 13B6F51ECDDE430D + C O Mitter + 73D758744BE721698EC54E8713B6F51ECDDE430D + 73D758744BE721698EC54E8713B6F51ECDDE430D + EOF + git log -1 --format="%GT%n%GK%n%GS%n%GF%n%GP" sixth-signed >actual && + test_cmp expect actual +' + test_expect_success GPG 'show unknown signature with custom format' ' cat >expect <<-\EOF && E diff --git a/t/t7612-merge-verify-signatures.sh b/t/t7612-merge-verify-signatures.sh index d99218a725..a426f3a89a 100755 --- a/t/t7612-merge-verify-signatures.sh +++ b/t/t7612-merge-verify-signatures.sh @@ -66,6 +66,20 @@ test_expect_success GPG 'merge commit with untrusted signature with verification test_i18ngrep "has an untrusted GPG signature" mergeerror ' +test_expect_success GPG 'merge commit with untrusted signature with verification and high minTrustLevel' ' + test_when_finished "git reset --hard && git checkout initial" && + test_config gpg.minTrustLevel marginal && + test_must_fail git merge --ff-only --verify-signatures side-untrusted 2>mergeerror && + test_i18ngrep "has an untrusted GPG signature" mergeerror +' + +test_expect_success GPG 'merge commit with untrusted signature with verification and low minTrustLevel' ' + test_when_finished "git reset --hard && git checkout initial" && + test_config gpg.minTrustLevel undefined && + git merge --ff-only --verify-signatures side-untrusted >mergeoutput && + test_i18ngrep "has a good GPG signature" mergeoutput +' + test_expect_success GPG 'merge commit with untrusted signature with merge.verifySignatures=true' ' test_when_finished "git reset --hard && git checkout initial" && test_config merge.verifySignatures true && @@ -73,6 +87,14 @@ test_expect_success GPG 'merge commit with untrusted signature with merge.verify test_i18ngrep "has an untrusted GPG signature" mergeerror ' +test_expect_success GPG 'merge commit with untrusted signature with merge.verifySignatures=true and minTrustLevel' ' + test_when_finished "git reset --hard && git checkout initial" && + test_config merge.verifySignatures true && + test_config gpg.minTrustLevel marginal && + test_must_fail git merge --ff-only side-untrusted 2>mergeerror && + test_i18ngrep "has an untrusted GPG signature" mergeerror +' + test_expect_success GPG 'merge signed commit with verification' ' test_when_finished "git reset --hard && git checkout initial" && git merge --verbose --ff-only --verify-signatures side-signed >mergeoutput &&