3 test_description
='signed tag tests'
4 GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME
=main
5 export GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME
7 TEST_PASSES_SANITIZE_LEAK
=true
9 .
"$TEST_DIRECTORY/lib-gpg.sh"
11 test_expect_success GPG
'create signed tags' '
12 echo 1 >file && git add file &&
13 test_tick && git commit -m initial &&
14 git tag -s -m initial initial &&
17 echo 2 >file && test_tick && git commit -a -m second &&
18 git tag -s -m second second &&
21 echo 3 >elif && git add elif &&
22 test_tick && git commit -m "third on side" &&
25 test_tick && git merge -S side &&
26 git tag -s -m merge merge &&
28 echo 4 >file && test_tick && git commit -a -S -m "fourth unsigned" &&
29 git tag -a -m fourth-unsigned fourth-unsigned &&
31 test_tick && git commit --amend -S -m "fourth signed" &&
32 git tag -s -m fourth fourth-signed &&
34 echo 5 >file && test_tick && git commit -a -m "fifth" &&
35 git tag fifth-unsigned &&
37 git config commit.gpgsign true &&
38 echo 6 >file && test_tick && git commit -a -m "sixth" &&
39 git tag -a -m sixth sixth-unsigned &&
41 test_tick && git rebase -f HEAD^^ && git tag -s -m 6th sixth-signed HEAD^ &&
42 git tag -m seventh -s seventh-signed &&
44 echo 8 >file && test_tick && git commit -a -m eighth &&
45 git tag -uB7227189 -m eighth eighth-signed-alt
48 test_expect_success GPGSM
'create signed tags x509 ' '
49 test_config gpg.format x509 &&
50 test_config user.signingkey $GIT_COMMITTER_EMAIL &&
51 echo 9 >file && test_tick && git commit -a -m "ninth gpgsm-signed" &&
52 git tag -s -m ninth ninth-signed-x509
55 test_expect_success GPG
'verify and show signatures' '
57 for tag in initial second merge fourth-signed sixth-signed seventh-signed
59 git verify-tag $tag 2>actual &&
60 grep "Good signature from" actual &&
61 ! grep "BAD signature from" actual &&
62 echo $tag OK || exit 1
66 for tag in fourth-unsigned fifth-unsigned sixth-unsigned
68 test_must_fail git verify-tag $tag 2>actual &&
69 ! grep "Good signature from" actual &&
70 ! grep "BAD signature from" actual &&
71 echo $tag OK || exit 1
75 for tag in eighth-signed-alt
77 git verify-tag $tag 2>actual &&
78 grep "Good signature from" actual &&
79 ! grep "BAD signature from" actual &&
80 grep "not certified" actual &&
81 echo $tag OK || exit 1
86 test_expect_success GPGSM
'verify and show signatures x509' '
87 git verify-tag ninth-signed-x509 2>actual &&
88 grep "Good signature from" actual &&
89 ! grep "BAD signature from" actual &&
90 echo ninth-signed-x509 OK
93 test_expect_success GPGSM
'verify and show signatures x509 with low minTrustLevel' '
94 test_config gpg.minTrustLevel undefined &&
95 git verify-tag ninth-signed-x509 2>actual &&
96 grep "Good signature from" actual &&
97 ! grep "BAD signature from" actual &&
98 echo ninth-signed-x509 OK
101 test_expect_success GPGSM
'verify and show signatures x509 with matching minTrustLevel' '
102 test_config gpg.minTrustLevel fully &&
103 git verify-tag ninth-signed-x509 2>actual &&
104 grep "Good signature from" actual &&
105 ! grep "BAD signature from" actual &&
106 echo ninth-signed-x509 OK
109 test_expect_success GPGSM
'verify and show signatures x509 with high minTrustLevel' '
110 test_config gpg.minTrustLevel ultimate &&
111 test_must_fail git verify-tag ninth-signed-x509 2>actual &&
112 grep "Good signature from" actual &&
113 ! grep "BAD signature from" actual &&
114 echo ninth-signed-x509 OK
117 test_expect_success GPG
'detect fudged signature' '
118 git cat-file tag seventh-signed >raw &&
119 sed -e "/^tag / s/seventh/7th-forged/" raw >forged1 &&
120 git hash-object -w -t tag forged1 >forged1.tag &&
121 test_must_fail git verify-tag $(cat forged1.tag) 2>actual1 &&
122 grep "BAD signature from" actual1 &&
123 ! grep "Good signature from" actual1
126 test_expect_success GPG
'verify signatures with --raw' '
128 for tag in initial second merge fourth-signed sixth-signed seventh-signed
130 git verify-tag --raw $tag 2>actual &&
131 grep "GOODSIG" actual &&
132 ! grep "BADSIG" actual &&
133 echo $tag OK || exit 1
137 for tag in fourth-unsigned fifth-unsigned sixth-unsigned
139 test_must_fail git verify-tag --raw $tag 2>actual &&
140 ! grep "GOODSIG" actual &&
141 ! grep "BADSIG" actual &&
142 echo $tag OK || exit 1
146 for tag in eighth-signed-alt
148 git verify-tag --raw $tag 2>actual &&
149 grep "GOODSIG" actual &&
150 ! grep "BADSIG" actual &&
151 grep "TRUST_UNDEFINED" actual &&
152 echo $tag OK || exit 1
157 test_expect_success GPGSM
'verify signatures with --raw x509' '
158 git verify-tag --raw ninth-signed-x509 2>actual &&
159 grep "GOODSIG" actual &&
160 ! grep "BADSIG" actual &&
161 echo ninth-signed-x509 OK
164 test_expect_success GPG
'verify multiple tags' '
165 tags="fourth-signed sixth-signed seventh-signed" &&
168 git verify-tag -v --raw $i || return 1
169 done >expect.stdout 2>expect.stderr.1 &&
170 grep "^.GNUPG:." <expect.stderr.1 >expect.stderr &&
171 git verify-tag -v --raw $tags >actual.stdout 2>actual.stderr.1 &&
172 grep "^.GNUPG:." <actual.stderr.1 >actual.stderr &&
173 test_cmp expect.stdout actual.stdout &&
174 test_cmp expect.stderr actual.stderr
177 test_expect_success GPGSM
'verify multiple tags x509' '
178 tags="seventh-signed ninth-signed-x509" &&
181 git verify-tag -v --raw $i || return 1
182 done >expect.stdout 2>expect.stderr.1 &&
183 grep "^.GNUPG:." <expect.stderr.1 >expect.stderr &&
184 git verify-tag -v --raw $tags >actual.stdout 2>actual.stderr.1 &&
185 grep "^.GNUPG:." <actual.stderr.1 >actual.stderr &&
186 test_cmp expect.stdout actual.stdout &&
187 test_cmp expect.stderr actual.stderr
190 test_expect_success GPG
'verifying tag with --format' '
191 cat >expect <<-\EOF &&
192 tagname : fourth-signed
194 git verify-tag --format="tagname : %(tag)" "fourth-signed" >actual &&
195 test_cmp expect actual
198 test_expect_success GPG
'verifying tag with --format="%(rest)" must fail' '
199 test_must_fail git verify-tag --format="%(rest)" "fourth-signed"
202 test_expect_success GPG
'verifying a forged tag with --format should fail silently' '
203 test_must_fail git verify-tag --format="tagname : %(tag)" $(cat forged1.tag) >actual-forged &&
204 test_must_be_empty actual-forged