mirror of
https://github.com/git/git.git
synced 2024-05-12 17:36:08 +02:00
verify-commit: add option to print raw gpg status information
verify-commit by default displays human-readable output on standard error. However, it can also be useful to get access to the raw gpg status information, which is machine-readable, allowing automated implementation of signing policy. Add a --raw option to make verify-commit produce the gpg status information on standard error instead of the human-readable format. Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
This commit is contained in:
brian m. carlson
Junio C Hamano
parent
ca194d50b8
commit
aeff29dd4d
|
|
@ -16,6 +16,10 @@ Validates the gpg signature created by 'git commit -S'.
|
|||
|
||||
OPTIONS
|
||||
-------
|
||||
--raw::
|
||||
Print the raw gpg status output to standard error instead of the normal
|
||||
human-readable output.
|
||||
|
||||
-v::
|
||||
--verbose::
|
||||
Print the contents of the commit object before validating it.
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ static const char * const verify_commit_usage[] = {
|
|||
NULL
|
||||
};
|
||||
|
||||
static int run_gpg_verify(const unsigned char *sha1, const char *buf, unsigned long size, int verbose)
|
||||
static int run_gpg_verify(const unsigned char *sha1, const char *buf, unsigned long size, unsigned flags)
|
||||
{
|
||||
struct signature_check signature_check;
|
||||
int ret;
|
||||
|
|
@ -26,13 +26,13 @@ static int run_gpg_verify(const unsigned char *sha1, const char *buf, unsigned l
|
|||
memset(&signature_check, 0, sizeof(signature_check));
|
||||
|
||||
ret = check_commit_signature(lookup_commit(sha1), &signature_check);
|
||||
print_signature_buffer(&signature_check, verbose ? GPG_VERIFY_VERBOSE : 0);
|
||||
print_signature_buffer(&signature_check, flags);
|
||||
|
||||
signature_check_clear(&signature_check);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int verify_commit(const char *name, int verbose)
|
||||
static int verify_commit(const char *name, unsigned flags)
|
||||
{
|
||||
enum object_type type;
|
||||
unsigned char sha1[20];
|
||||
|
|
@ -50,7 +50,7 @@ static int verify_commit(const char *name, int verbose)
|
|||
return error("%s: cannot verify a non-commit object of type %s.",
|
||||
name, typename(type));
|
||||
|
||||
ret = run_gpg_verify(sha1, buf, size, verbose);
|
||||
ret = run_gpg_verify(sha1, buf, size, flags);
|
||||
|
||||
free(buf);
|
||||
return ret;
|
||||
|
|
@ -67,8 +67,10 @@ static int git_verify_commit_config(const char *var, const char *value, void *cb
|
|||
int cmd_verify_commit(int argc, const char **argv, const char *prefix)
|
||||
{
|
||||
int i = 1, verbose = 0, had_error = 0;
|
||||
unsigned flags = 0;
|
||||
const struct option verify_commit_options[] = {
|
||||
OPT__VERBOSE(&verbose, N_("print commit contents")),
|
||||
OPT_BIT(0, "raw", &flags, N_("print raw gpg status output"), GPG_VERIFY_RAW),
|
||||
OPT_END()
|
||||
};
|
||||
|
||||
|
|
@ -79,11 +81,14 @@ int cmd_verify_commit(int argc, const char **argv, const char *prefix)
|
|||
if (argc <= i)
|
||||
usage_with_options(verify_commit_usage, verify_commit_options);
|
||||
|
||||
if (verbose)
|
||||
flags |= GPG_VERIFY_VERBOSE;
|
||||
|
||||
/* sometimes the program was terminated because this signal
|
||||
* was received in the process of writing the gpg input: */
|
||||
signal(SIGPIPE, SIG_IGN);
|
||||
while (i < argc)
|
||||
if (verify_commit(argv[i++], verbose))
|
||||
if (verify_commit(argv[i++], flags))
|
||||
had_error = 1;
|
||||
return had_error;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -87,11 +87,14 @@ int check_signature(const char *payload, size_t plen, const char *signature,
|
|||
|
||||
void print_signature_buffer(const struct signature_check *sigc, unsigned flags)
|
||||
{
|
||||
const char *output = flags & GPG_VERIFY_RAW ?
|
||||
sigc->gpg_status : sigc->gpg_output;
|
||||
|
||||
if (flags & GPG_VERIFY_VERBOSE && sigc->payload)
|
||||
fputs(sigc->payload, stdout);
|
||||
|
||||
if (sigc->gpg_output)
|
||||
fputs(sigc->gpg_output, stderr);
|
||||
if (output)
|
||||
fputs(output, stderr);
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@
|
|||
#define GPG_INTERFACE_H
|
||||
|
||||
#define GPG_VERIFY_VERBOSE 1
|
||||
#define GPG_VERIFY_RAW 2
|
||||
|
||||
struct signature_check {
|
||||
char *payload;
|
||||
|
|
|
|||
|
|
@ -88,6 +88,37 @@ test_expect_success GPG 'verify-commit exits success on untrusted signature' '
|
|||
grep "not certified" actual
|
||||
'
|
||||
|
||||
test_expect_success GPG 'verify signatures with --raw' '
|
||||
(
|
||||
for commit in initial second merge fourth-signed fifth-signed sixth-signed seventh-signed
|
||||
do
|
||||
git verify-commit --raw $commit 2>actual &&
|
||||
grep "GOODSIG" actual &&
|
||||
! grep "BADSIG" actual &&
|
||||
echo $commit OK || exit 1
|
||||
done
|
||||
) &&
|
||||
(
|
||||
for commit in merge^2 fourth-unsigned sixth-unsigned seventh-unsigned
|
||||
do
|
||||
test_must_fail git verify-commit --raw $commit 2>actual &&
|
||||
! grep "GOODSIG" actual &&
|
||||
! grep "BADSIG" actual &&
|
||||
echo $commit OK || exit 1
|
||||
done
|
||||
) &&
|
||||
(
|
||||
for commit in eighth-signed-alt
|
||||
do
|
||||
git verify-commit --raw $commit 2>actual &&
|
||||
grep "GOODSIG" actual &&
|
||||
! grep "BADSIG" actual &&
|
||||
grep "TRUST_UNDEFINED" actual &&
|
||||
echo $commit OK || exit 1
|
||||
done
|
||||
)
|
||||
'
|
||||
|
||||
test_expect_success GPG 'show signed commit with signature' '
|
||||
git show -s initial >commit &&
|
||||
git show -s --show-signature initial >show &&
|
||||
|
|
|
|||
Loading…
Reference in New Issue