Re: [PATCH v2 9/9] pull: add the --gpg-sign option.

Junio C Hamano <gitster@xxxxxxxxx> · Mon, 27 Jan 2014 15:31:36 -0800

"brian m. carlson" <sandals@xxxxxxxxxxxxxxxxxxxx> writes:

> git merge already allows us to sign commits, and git rebase has recently
> learned how to do so as well.  Teach git pull to parse the -S/--gpg-sign
> option and pass this along to merge or rebase, as appropriate.
>
> Signed-off-by: brian m. carlson <sandals@xxxxxxxxxxxxxxxxxxxx>
> ---
>  git-pull.sh | 13 ++++++++++++-
>  1 file changed, 12 insertions(+), 1 deletion(-)
>
> diff --git a/git-pull.sh b/git-pull.sh
> index 0a5aa2c..4164dac 100755
> --- a/git-pull.sh
> +++ b/git-pull.sh
> @@ -138,6 +138,15 @@ do
>  	--no-verify-signatures)
>  		verify_signatures=--no-verify-signatures
>  		;;
> +	--gpg-sign|-S)
> +		gpg_sign_args=-S
> +		;;
> +	--gpg-sign=*)
> +		gpg_sign_args="-S${1#--gpg-sign=}"
> +		;;

Here, $1 is taken from the end-user without any extra quoting...

> +	-S*)
> +		gpg_sign_args="-S${1#-S}"
> +		;;
>  	--d|--dr|--dry|--dry-|--dry-r|--dry-ru|--dry-run)
>  		dry_run=--dry-run
>  		;;
> @@ -305,11 +314,13 @@ merge_name=$(git fmt-merge-msg $log_arg <"$GIT_DIR/FETCH_HEAD") || exit
>  case "$rebase" in
>  true)
>  	eval="git-rebase $diffstat $strategy_args $merge_args $rebase_args $verbosity"
> +	eval="$eval $gpg_sign_args"

... but here it is used as if it is properly quoted so that later
"eval $eval" will take it as a single argument.

	git pull --gpg-sign='foo bar'

will probably ask the command to use 'foo' as the signer key id,
with 'bar' as an extra, unknown token on the command line of the
underlying 'git merge', I suspect.  A "git rev-parse --sq-quote"
in the earlier hunk may be all it takes to fix it.

Thanks.

>  	eval="$eval --onto $merge_head ${oldremoteref:-$merge_head}"
>  	;;
>  *)
>  	eval="git-merge $diffstat $no_commit $verify_signatures $edit $squash $no_ff $ff_only"
> -	eval="$eval  $log_arg $strategy_args $merge_args $verbosity $progress"
> +	eval="$eval $log_arg $strategy_args $merge_args $verbosity $progress"
> +	eval="$eval $gpg_sign_args"
>  	eval="$eval \"\$merge_name\" HEAD $merge_head"
>  	;;
>  esac
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html