t/t7510-signed-commit.sh

   1 #!/bin/sh
   2
   3 test_description='signed commit tests'
   4 GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME=main
   5 export GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME
   6
   7 TEST_PASSES_SANITIZE_LEAK=true
   8 . ./test-lib.sh
   9 GNUPGHOME_NOT_USED=$GNUPGHOME
  10 . "$TEST_DIRECTORY/lib-gpg.sh"
  11
  12 test_expect_success GPG 'create signed commits' '
  13         test_oid_cache <<-\EOF &&
  14         header sha1:gpgsig
  15         header sha256:gpgsig-sha256
  16         EOF
  17
  18         test_when_finished "test_unconfig commit.gpgsign" &&
  19
  20         echo 1 >file && git add file &&
  21         test_tick && git commit -S -m initial &&
  22         git tag initial &&
  23         git branch side &&
  24
  25         echo 2 >file && test_tick && git commit -a -S -m second &&
  26         git tag second &&
  27
  28         git checkout side &&
  29         echo 3 >elif && git add elif &&
  30         test_tick && git commit -m "third on side" &&
  31
  32         git checkout main &&
  33         test_tick && git merge -S side &&
  34         git tag merge &&
  35
  36         echo 4 >file && test_tick && git commit -a -m "fourth unsigned" &&
  37         git tag fourth-unsigned &&
  38
  39         test_tick && git commit --amend -S -m "fourth signed" &&
  40         git tag fourth-signed &&
  41
  42         git config commit.gpgsign true &&
  43         echo 5 >file && test_tick && git commit -a -m "fifth signed" &&
  44         git tag fifth-signed &&
  45
  46         git config commit.gpgsign false &&
  47         echo 6 >file && test_tick && git commit -a -m "sixth" &&
  48         git tag sixth-unsigned &&
  49
  50         git config commit.gpgsign true &&
  51         echo 7 >file && test_tick && git commit -a -m "seventh" --no-gpg-sign &&
  52         git tag seventh-unsigned &&
  53
  54         test_tick && git rebase -f HEAD^^ && git tag sixth-signed HEAD^ &&
  55         git tag seventh-signed &&
  56
  57         echo 8 >file && test_tick && git commit -a -m eighth -SB7227189 &&
  58         git tag eighth-signed-alt &&
  59
  60         # commit.gpgsign is still on but this must not be signed
  61         echo 9 | git commit-tree HEAD^{tree} >oid &&
  62         test_line_count = 1 oid &&
  63         git tag ninth-unsigned $(cat oid) &&
  64         # explicit -S of course must sign.
  65         echo 10 | git commit-tree -S HEAD^{tree} >oid &&
  66         test_line_count = 1 oid &&
  67         git tag tenth-signed $(cat oid) &&
  68
  69         # --gpg-sign[=<key-id>] must sign.
  70         echo 11 | git commit-tree --gpg-sign HEAD^{tree} >oid &&
  71         test_line_count = 1 oid &&
  72         git tag eleventh-signed $(cat oid) &&
  73         echo 12 | git commit-tree --gpg-sign=B7227189 HEAD^{tree} >oid &&
  74         test_line_count = 1 oid &&
  75         git tag twelfth-signed-alt $(cat oid)
  76 '
  77
  78 test_expect_success GPG 'verify and show signatures' '
  79         (
  80                 for commit in initial second merge fourth-signed \
  81                         fifth-signed sixth-signed seventh-signed tenth-signed \
  82                         eleventh-signed
  83                 do
  84                         git verify-commit $commit &&
  85                         git show --pretty=short --show-signature $commit >actual &&
  86                         grep "Good signature from" actual &&
  87                         ! grep "BAD signature from" actual &&
  88                         echo $commit OK || exit 1
  89                 done
  90         ) &&
  91         (
  92                 for commit in merge^2 fourth-unsigned sixth-unsigned \
  93                         seventh-unsigned ninth-unsigned
  94                 do
  95                         test_must_fail git verify-commit $commit &&
  96                         git show --pretty=short --show-signature $commit >actual &&
  97                         ! grep "Good signature from" actual &&
  98                         ! grep "BAD signature from" actual &&
  99                         echo $commit OK || exit 1
 100                 done
 101         ) &&
 102         (
 103                 for commit in eighth-signed-alt twelfth-signed-alt
 104                 do
 105                         git show --pretty=short --show-signature $commit >actual &&
 106                         grep "Good signature from" actual &&
 107                         ! grep "BAD signature from" actual &&
 108                         grep "not certified" actual &&
 109                         echo $commit OK || exit 1
 110                 done
 111         )
 112 '
 113
 114 test_expect_success GPG 'verify-commit exits failure on unknown signature' '
 115         test_must_fail env GNUPGHOME="$GNUPGHOME_NOT_USED" git verify-commit initial 2>actual &&
 116         ! grep "Good signature from" actual &&
 117         ! grep "BAD signature from" actual &&
 118         grep -q -F -e "No public key" -e "public key not found" actual
 119 '
 120
 121 test_expect_success GPG 'verify-commit exits success on untrusted signature' '
 122         git verify-commit eighth-signed-alt 2>actual &&
 123         grep "Good signature from" actual &&
 124         ! grep "BAD signature from" actual &&
 125         grep "not certified" actual
 126 '
 127
 128 test_expect_success GPG 'verify-commit exits success with matching minTrustLevel' '
 129         test_config gpg.minTrustLevel ultimate &&
 130         git verify-commit sixth-signed
 131 '
 132
 133 test_expect_success GPG 'verify-commit exits success with low minTrustLevel' '
 134         test_config gpg.minTrustLevel fully &&
 135         git verify-commit sixth-signed
 136 '
 137
 138 test_expect_success GPG 'verify-commit exits failure with high minTrustLevel' '
 139         test_config gpg.minTrustLevel ultimate &&
 140         test_must_fail git verify-commit eighth-signed-alt
 141 '
 142
 143 test_expect_success GPG 'verify signatures with --raw' '
 144         (
 145                 for commit in initial second merge fourth-signed fifth-signed sixth-signed seventh-signed
 146                 do
 147                         git verify-commit --raw $commit 2>actual &&
 148                         grep "GOODSIG" actual &&
 149                         ! grep "BADSIG" actual &&
 150                         echo $commit OK || exit 1
 151                 done
 152         ) &&
 153         (
 154                 for commit in merge^2 fourth-unsigned sixth-unsigned seventh-unsigned
 155                 do
 156                         test_must_fail git verify-commit --raw $commit 2>actual &&
 157                         ! grep "GOODSIG" actual &&
 158                         ! grep "BADSIG" actual &&
 159                         echo $commit OK || exit 1
 160                 done
 161         ) &&
 162         (
 163                 for commit in eighth-signed-alt
 164                 do
 165                         git verify-commit --raw $commit 2>actual &&
 166                         grep "GOODSIG" actual &&
 167                         ! grep "BADSIG" actual &&
 168                         grep "TRUST_UNDEFINED" actual &&
 169                         echo $commit OK || exit 1
 170                 done
 171         )
 172 '
 173
 174 test_expect_success GPG 'proper header is used for hash algorithm' '
 175         git cat-file commit fourth-signed >output &&
 176         grep "^$(test_oid header) -----BEGIN PGP SIGNATURE-----" output
 177 '
 178
 179 test_expect_success GPG 'show signed commit with signature' '
 180         git show -s initial >commit &&
 181         git show -s --show-signature initial >show &&
 182         git verify-commit -v initial >verify.1 2>verify.2 &&
 183         git cat-file commit initial >cat &&
 184         grep -v -e "gpg: " -e "Warning: " show >show.commit &&
 185         grep -e "gpg: " -e "Warning: " show >show.gpg &&
 186         grep -v "^ " cat | grep -v "^gpgsig.* " >cat.commit &&
 187         test_cmp show.commit commit &&
 188         test_cmp show.gpg verify.2 &&
 189         test_cmp cat.commit verify.1
 190 '
 191
 192 test_expect_success GPG 'detect fudged signature' '
 193         git cat-file commit seventh-signed >raw &&
 194         sed -e "s/^seventh/7th forged/" raw >forged1 &&
 195         git hash-object -w -t commit forged1 >forged1.commit &&
 196         test_must_fail git verify-commit $(cat forged1.commit) &&
 197         git show --pretty=short --show-signature $(cat forged1.commit) >actual1 &&
 198         grep "BAD signature from" actual1 &&
 199         ! grep "Good signature from" actual1
 200 '
 201
 202 test_expect_success GPG 'detect fudged signature with NUL' '
 203         git cat-file commit seventh-signed >raw &&
 204         cat raw >forged2 &&
 205         echo Qwik | tr "Q" "\000" >>forged2 &&
 206         git hash-object --literally -w -t commit forged2 >forged2.commit &&
 207         test_must_fail git verify-commit $(cat forged2.commit) &&
 208         git show --pretty=short --show-signature $(cat forged2.commit) >actual2 &&
 209         grep "BAD signature from" actual2 &&
 210         ! grep "Good signature from" actual2
 211 '
 212
 213 test_expect_success GPG 'amending already signed commit' '
 214         git checkout -f fourth-signed^0 &&
 215         git commit --amend -S --no-edit &&
 216         git verify-commit HEAD &&
 217         git show -s --show-signature HEAD >actual &&
 218         grep "Good signature from" actual &&
 219         ! grep "BAD signature from" actual
 220 '
 221
 222 test_expect_success GPG2 'bare signature' '
 223         git verify-commit fifth-signed 2>expect &&
 224         echo >>expect &&
 225         git log -1 --format="%GG" fifth-signed >actual &&
 226         test_cmp expect actual
 227 '
 228
 229 test_expect_success GPG 'show good signature with custom format' '
 230         cat >expect <<-\EOF &&
 231         G
 232         ultimate
 233         13B6F51ECDDE430D
 234         C O Mitter <committer@example.com>
 235         73D758744BE721698EC54E8713B6F51ECDDE430D
 236         73D758744BE721698EC54E8713B6F51ECDDE430D
 237         EOF
 238         git log -1 --format="%G?%n%GT%n%GK%n%GS%n%GF%n%GP" sixth-signed >actual &&
 239         test_cmp expect actual
 240 '
 241
 242 test_expect_success GPG 'show bad signature with custom format' '
 243         cat >expect <<-\EOF &&
 244         B
 245         undefined
 246         13B6F51ECDDE430D
 247         C O Mitter <committer@example.com>
 248
 249
 250         EOF
 251         git log -1 --format="%G?%n%GT%n%GK%n%GS%n%GF%n%GP" $(cat forged1.commit) >actual &&
 252         test_cmp expect actual
 253 '
 254
 255 test_expect_success GPG 'show untrusted signature with custom format' '
 256         cat >expect <<-\EOF &&
 257         U
 258         undefined
 259         65A0EEA02E30CAD7
 260         Eris Discordia <discord@example.net>
 261         F8364A59E07FFE9F4D63005A65A0EEA02E30CAD7
 262         D4BE22311AD3131E5EDA29A461092E85B7227189
 263         EOF
 264         git log -1 --format="%G?%n%GT%n%GK%n%GS%n%GF%n%GP" eighth-signed-alt >actual &&
 265         test_cmp expect actual
 266 '
 267
 268 test_expect_success GPG 'show untrusted signature with undefined trust level' '
 269         cat >expect <<-\EOF &&
 270         U
 271         undefined
 272         65A0EEA02E30CAD7
 273         Eris Discordia <discord@example.net>
 274         F8364A59E07FFE9F4D63005A65A0EEA02E30CAD7
 275         D4BE22311AD3131E5EDA29A461092E85B7227189
 276         EOF
 277         git log -1 --format="%G?%n%GT%n%GK%n%GS%n%GF%n%GP" eighth-signed-alt >actual &&
 278         test_cmp expect actual
 279 '
 280
 281 test_expect_success GPG 'show untrusted signature with ultimate trust level' '
 282         cat >expect <<-\EOF &&
 283         G
 284         ultimate
 285         13B6F51ECDDE430D
 286         C O Mitter <committer@example.com>
 287         73D758744BE721698EC54E8713B6F51ECDDE430D
 288         73D758744BE721698EC54E8713B6F51ECDDE430D
 289         EOF
 290         git log -1 --format="%G?%n%GT%n%GK%n%GS%n%GF%n%GP" sixth-signed >actual &&
 291         test_cmp expect actual
 292 '
 293
 294 test_expect_success GPG 'show unknown signature with custom format' '
 295         cat >expect <<-\EOF &&
 296         E
 297         undefined
 298         65A0EEA02E30CAD7
 299
 300
 301
 302         EOF
 303         GNUPGHOME="$GNUPGHOME_NOT_USED" git log -1 --format="%G?%n%GT%n%GK%n%GS%n%GF%n%GP" eighth-signed-alt >actual &&
 304         test_cmp expect actual
 305 '
 306
 307 test_expect_success GPG 'show lack of signature with custom format' '
 308         cat >expect <<-\EOF &&
 309         N
 310         undefined
 311
 312
 313
 314
 315         EOF
 316         git log -1 --format="%G?%n%GT%n%GK%n%GS%n%GF%n%GP" seventh-unsigned >actual &&
 317         test_cmp expect actual
 318 '
 319
 320 test_expect_success GPG 'log.showsignature behaves like --show-signature' '
 321         test_config log.showsignature true &&
 322         git show initial >actual &&
 323         grep "gpg: Signature made" actual &&
 324         grep "gpg: Good signature" actual
 325 '
 326
 327 test_expect_success GPG 'check config gpg.format values' '
 328         test_config gpg.format openpgp &&
 329         git commit -S --amend -m "success" &&
 330         test_config gpg.format OpEnPgP &&
 331         test_must_fail git commit -S --amend -m "fail"
 332 '
 333
 334 test_expect_success GPG 'detect fudged commit with double signature' '
 335         sed -e "/gpgsig/,/END PGP/d" forged1 >double-base &&
 336         sed -n -e "/gpgsig/,/END PGP/p" forged1 | \
 337                 sed -e "s/^$(test_oid header)//;s/^ //" | gpg --dearmor >double-sig1.sig &&
 338         gpg -o double-sig2.sig -u 29472784 --detach-sign double-base &&
 339         cat double-sig1.sig double-sig2.sig | gpg --enarmor >double-combined.asc &&
 340         sed -e "s/^\(-.*\)ARMORED FILE/\1SIGNATURE/;1s/^/$(test_oid header) /;2,\$s/^/ /" \
 341                 double-combined.asc > double-gpgsig &&
 342         sed -e "/committer/r double-gpgsig" double-base >double-commit &&
 343         git hash-object -w -t commit double-commit >double-commit.commit &&
 344         test_must_fail git verify-commit $(cat double-commit.commit) &&
 345         git show --pretty=short --show-signature $(cat double-commit.commit) >double-actual &&
 346         grep "BAD signature from" double-actual &&
 347         grep "Good signature from" double-actual
 348 '
 349
 350 test_expect_success GPG 'show double signature with custom format' '
 351         cat >expect <<-\EOF &&
 352         E
 353
 354
 355
 356
 357         EOF
 358         git log -1 --format="%G?%n%GK%n%GS%n%GF%n%GP" $(cat double-commit.commit) >actual &&
 359         test_cmp expect actual
 360 '
 361
 362
 363 # NEEDSWORK: This test relies on the test_tick commit/author dates from the first
 364 # 'create signed commits' test even though it creates its own
 365 test_expect_success GPG 'verify-commit verifies multiply signed commits' '
 366         git init multiply-signed &&
 367         cd multiply-signed &&
 368         test_commit first &&
 369         echo 1 >second &&
 370         git add second &&
 371         tree=$(git write-tree) &&
 372         parent=$(git rev-parse HEAD^{commit}) &&
 373         git commit --gpg-sign -m second &&
 374         git cat-file commit HEAD &&
 375         # Avoid trailing whitespace.
 376         sed -e "s/^Q//" -e "s/^Z/ /" >commit <<-EOF &&
 377         Qtree $tree
 378         Qparent $parent
 379         Qauthor A U Thor <author@example.com> 1112912653 -0700
 380         Qcommitter C O Mitter <committer@example.com> 1112912653 -0700
 381         Qgpgsig -----BEGIN PGP SIGNATURE-----
 382         QZ
 383         Q iHQEABECADQWIQRz11h0S+chaY7FTocTtvUezd5DDQUCX/uBDRYcY29tbWl0dGVy
 384         Q QGV4YW1wbGUuY29tAAoJEBO29R7N3kMNd+8AoK1I8mhLHviPH+q2I5fIVgPsEtYC
 385         Q AKCTqBh+VabJceXcGIZuF0Ry+udbBQ==
 386         Q =tQ0N
 387         Q -----END PGP SIGNATURE-----
 388         Qgpgsig-sha256 -----BEGIN PGP SIGNATURE-----
 389         QZ
 390         Q iHQEABECADQWIQRz11h0S+chaY7FTocTtvUezd5DDQUCX/uBIBYcY29tbWl0dGVy
 391         Q QGV4YW1wbGUuY29tAAoJEBO29R7N3kMN/NEAn0XO9RYSBj2dFyozi0JKSbssYMtO
 392         Q AJwKCQ1BQOtuwz//IjU8TiS+6S4iUw==
 393         Q =pIwP
 394         Q -----END PGP SIGNATURE-----
 395         Q
 396         Qsecond
 397         EOF
 398         head=$(git hash-object -t commit -w commit) &&
 399         git reset --hard $head &&
 400         git verify-commit $head 2>actual &&
 401         grep "Good signature from" actual &&
 402         ! grep "BAD signature from" actual
 403 '
 404
 405 test_expect_success 'custom `gpg.program`' '
 406         write_script fake-gpg <<-\EOF &&
 407         args="$*"
 408
 409         # skip uninteresting options
 410         while case "$1" in
 411         --status-fd=*|--keyid-format=*) ;; # skip
 412         *) break;;
 413         esac; do shift; done
 414
 415         case "$1" in
 416         -bsau)
 417                 test -z "$LET_GPG_PROGRAM_FAIL" || {
 418                         echo "zOMG signing failed!" >&2
 419                         exit 1
 420                 }
 421                 cat >sign.file
 422                 echo "[GNUPG:] SIG_CREATED $args" >&2
 423                 echo "-----BEGIN PGP MESSAGE-----"
 424                 echo "$args"
 425                 echo "-----END PGP MESSAGE-----"
 426                 ;;
 427         --verify)
 428                 cat "$2" >verify.file
 429                 exit 0
 430                 ;;
 431         *)
 432                 echo "Unhandled args: $*" >&2
 433                 exit 1
 434                 ;;
 435         esac
 436         EOF
 437
 438         test_config gpg.program "$(pwd)/fake-gpg" &&
 439         git commit -S --allow-empty -m signed-commit &&
 440         test_path_exists sign.file &&
 441         git show --show-signature &&
 442         test_path_exists verify.file &&
 443
 444         test_must_fail env LET_GPG_PROGRAM_FAIL=1 \
 445         git commit -S --allow-empty -m must-fail 2>err &&
 446         grep zOMG err
 447 '
 448
 449 test_done