[PATCH 3/3] pull: add config option for verifySignatures

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Verify the signature of the tip commit when `pull.verifySignatures` is
true.  This option overrides `merge.verifySignatures` on pull, and can
be disabled with the option `--no-verify-signatures`.

Signed-off-by: Hans Jerry Illikainen <hji@xxxxxxxxxxxx>
---
 Documentation/config.txt          |  8 ++++++++
 builtin/pull.c                    | 25 +++++++++++++++++++++++++
 t/t5520-pull.sh                   | 18 ++++++++++++++++++
 t/t5573-pull-verify-signatures.sh | 32 ++++++++++++++++++++++++++++++++
 4 files changed, 83 insertions(+)

diff --git a/Documentation/config.txt b/Documentation/config.txt
index c1598ee70..0cd2bc597 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -2596,6 +2596,14 @@ pull.ff::
 	allowed (equivalent to giving the `--ff-only` option from the
 	command line). This setting overrides `merge.ff` when pulling.
 
+pull.verifySignatures::
+	Verify that the tip commit of the side branch being merged is
+	signed with a valid key, i.e. a key that has a valid uid: in the
+	default trust model, this means the signing key has been signed
+	by a trusted key. If the tip commit of the side branch is not
+	signed with a valid key, the merge is aborted. This setting
+	overrides `merge.verifySignatures` when pulling.
+
 pull.rebase::
 	When true, rebase branches on top of the fetched branch, instead
 	of merging the default branch from the default remote when "git
diff --git a/builtin/pull.c b/builtin/pull.c
index 166b777ed..791365915 100644
--- a/builtin/pull.c
+++ b/builtin/pull.c
@@ -300,6 +300,28 @@ static const char *config_get_ff(void)
 }
 
 /**
+ * If pull.verifySignatures is unset, returns NULL. If pull.verifySignatures is
+ * "true", returns "--verify-signatures". If pull.verifySignatures is "false",
+ * returns "--no-verify-signatures". Otherwise, die with an error.
+ */
+static const char *config_get_verify_signatures(void)
+{
+	const char *value;
+
+	if (git_config_get_value("pull.verifysignatures", &value))
+		return NULL;
+
+	switch (git_parse_maybe_bool(value)) {
+	case 0:
+		return "--no-verify-signatures";
+	case 1:
+		return "--verify-signatures";
+	default:
+		die(_("Invalid value for pull.verifysignatures: %s"), value);
+	}
+}
+
+/**
  * Returns the default configured value for --rebase. It first looks for the
  * value of "branch.$curr_branch.rebase", where $curr_branch is the current
  * branch, and if HEAD is detached or the configuration key does not exist,
@@ -849,6 +871,9 @@ int cmd_pull(int argc, const char **argv, const char *prefix)
 	if (!opt_ff)
 		opt_ff = xstrdup_or_null(config_get_ff());
 
+	if (!opt_verify_signatures)
+		opt_verify_signatures = xstrdup_or_null(config_get_verify_signatures());
+
 	if (opt_rebase < 0)
 		opt_rebase = config_get_rebase();
 
diff --git a/t/t5520-pull.sh b/t/t5520-pull.sh
index 59c4b778d..cdf1fd213 100755
--- a/t/t5520-pull.sh
+++ b/t/t5520-pull.sh
@@ -416,6 +416,15 @@ test_expect_success "pull --rebase warns on --verify-signatures" '
 	test_i18ngrep "ignoring --verify-signatures for rebase" err
 '
 
+test_expect_success "pull --rebase warns on pull.verifySignatures=true" '
+	test_config pull.verifySignatures true &&
+	git reset --hard before-rebase &&
+	git pull --rebase . copy 2>err &&
+	test "$(git rev-parse HEAD^)" = "$(git rev-parse copy)" &&
+	test new = "$(git show HEAD:file2)" &&
+	test_i18ngrep "ignoring --verify-signatures for rebase" err
+'
+
 test_expect_success "pull --rebase does not warn on --no-verify-signatures" '
 	git reset --hard before-rebase &&
 	git pull --rebase --no-verify-signatures . copy 2>err &&
@@ -424,6 +433,15 @@ test_expect_success "pull --rebase does not warn on --no-verify-signatures" '
 	test_i18ngrep ! "verify-signatures" err
 '
 
+test_expect_success "pull --rebase does not warn on pull.verifySignatures=false" '
+	test_config pull.verifySignatures false &&
+	git reset --hard before-rebase &&
+	git pull --rebase . copy 2>err &&
+	test "$(git rev-parse HEAD^)" = "$(git rev-parse copy)" &&
+	test new = "$(git show HEAD:file2)" &&
+	test_i18ngrep ! "verify-signatures" err
+'
+
 # add a feature branch, keep-merge, that is merged into master, so the
 # test can try preserving the merge commit (or not) with various
 # --rebase flags/pull.rebase settings.
diff --git a/t/t5573-pull-verify-signatures.sh b/t/t5573-pull-verify-signatures.sh
index 700247910..d1e8263d9 100755
--- a/t/t5573-pull-verify-signatures.sh
+++ b/t/t5573-pull-verify-signatures.sh
@@ -47,22 +47,54 @@ test_expect_success GPG 'pull unsigned commit with --verify-signatures' '
 	test_i18ngrep "does not have a GPG signature" pullerror
 '
 
+test_expect_success GPG 'pull unsigned commit with pull.verifySignatures=true' '
+	test_config pull.verifySignatures true &&
+	test_must_fail git pull --ff-only unsigned 2>pullerror &&
+	test_i18ngrep "does not have a GPG signature" pullerror
+'
+
 test_expect_success GPG 'pull commit with bad signature with --verify-signatures' '
 	test_must_fail git pull --ff-only --verify-signatures bad 2>pullerror &&
 	test_i18ngrep "has a bad GPG signature" pullerror
 '
 
+test_expect_success GPG 'pull commit with bad signature with pull.verifySignatures=true' '
+	test_config pull.verifySignatures true &&
+	test_must_fail git pull --ff-only bad 2>pullerror &&
+	test_i18ngrep "has a bad GPG signature" pullerror
+'
+
 test_expect_success GPG 'pull commit with untrusted signature with --verify-signatures' '
 	test_must_fail git pull --ff-only --verify-signatures untrusted 2>pullerror &&
 	test_i18ngrep "has an untrusted GPG signature" pullerror
 '
 
+test_expect_success GPG 'pull commit with untrusted signature with pull.verifySignatures=true' '
+	test_config pull.verifySignatures true &&
+	test_must_fail git pull --ff-only untrusted 2>pullerror &&
+	test_i18ngrep "has an untrusted GPG signature" pullerror
+'
+
+test_expect_success GPG 'pull commit with untrusted signature with pull.verifySignatures=true and merge.verifySignatures=false' '
+	test_config merge.verifySignatures false &&
+	test_config pull.verifySignatures true &&
+	test_must_fail git pull --ff-only untrusted 2>pullerror &&
+	test_i18ngrep "has an untrusted GPG signature" pullerror
+'
+
 test_expect_success GPG 'pull signed commit with --verify-signatures' '
 	git pull --verify-signatures signed >pulloutput &&
 	test_i18ngrep "has a good GPG signature" pulloutput &&
 	git checkout initial
 '
 
+test_expect_success GPG 'pull signed commit with pull.verifySignatures=true' '
+	test_config pull.verifySignatures true &&
+	git pull signed >pulloutput &&
+	test_i18ngrep "has a good GPG signature" pulloutput &&
+	git checkout initial
+'
+
 test_expect_success GPG 'pull commit with bad signature without verification' '
 	git pull --ff-only bad 2>pullerror &&
 	git checkout initial
-- 
2.11.0
[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]

  Powered by Linux