[PATCH 1/1] verify-tag/verify-commit should exit unsuccessfully when signature is not trusted

Hello,

My colleague and I are struggling with automation of verifying git
repositories, and we have encountered that git verify-commit and
verify-tag accept untrusted signatures and exit successfully.

We have done some investigation of the GPG verification changes in the git
repository, which I include in this patch message. The GPG results
`TRUST_NEVER` and `TRUST_UNDEFINED` in the raw output are treated as
untrusted in git (U) and should not be accepted by the verify-commit and
verify-tag commands.


In 434060ec6d verify-tag and verify-commit were centralized into the
check_signature function, and good (G) and untrusted (U) signatures were
marked as valid and exited successfully. In this commit it is
incorrectly stated that this behavior is adopted from the older verify-tag
function; however, the original verify-tag behavior was to return the exit
code of the gpg process itself (removed in a4cc18f29).

Also, rejecting an untrusted (U) signature is the behavior of pull/merge with
--verify-signatures (defined in the cmd_merge function in builtin/merge.c
and introduced in eb307ae7bb).

The behavior of merge/pull --verify-signatures and
verify-commit/verify-tag should be the same.


With regards,
Vojtech Myslivec and Karel Koci

From c9c7b555da284c4f67fe36dc95d592644089544a Mon Sep 17 00:00:00 2001
From: Vojtech Myslivec <vojtech.myslivec@xxxxxx>
Date: Tue, 31 Jul 2018 20:32:32 +0200
Subject: [PATCH] gpg-interface: Do not accept untrusted signatures

In 434060ec6d verify-tag and verify-commit were centralized into the
check_signature function, and good (G) and untrusted (U) signatures were
marked as valid and exited successfully. In this commit it is
incorrectly stated that this behavior is adopted from the older verify-tag
function; however, the original verify-tag behavior was to return the exit
code of the gpg process itself (removed in a4cc18f29).

Also, rejecting an untrusted (U) signature is the behavior of pull/merge with
--verify-signatures (defined in the cmd_merge function in builtin/merge.c
and introduced in eb307ae7bb).

The behavior of merge/pull --verify-signatures and
verify-commit/verify-tag should be the same.
---
 gpg-interface.c          | 2 +-
 t/t7030-verify-tag.sh    | 4 ++--
 t/t7510-signed-commit.sh | 6 +++---
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/gpg-interface.c b/gpg-interface.c
index 09ddfbc26..83adc7d12 100644
--- a/gpg-interface.c
+++ b/gpg-interface.c
@@ -86,7 +86,7 @@ int check_signature(const char *payload, size_t plen, const char *signature,
 	strbuf_release(&gpg_status);
 	strbuf_release(&gpg_output);
 
-	return sigc->result != 'G' && sigc->result != 'U';
+	return sigc->result != 'G';
 }
 
 void print_signature_buffer(const struct signature_check *sigc, unsigned flags)
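Review bot: the change to `return sigc->result != 'G';` alters the return value of check_signature for every caller, not only verify-commit and verify-tag, yet the diffstat touches no Documentation/ file; git-verify-commit and git-verify-tag should document that a good signature from an untrusted key now exits non-zero, and the commit message should list the other callers of check_signature and confirm that the 'U' handling in cmd_merge cited in the message still reaches its existing error path instead of being preempted by the earlier failure return.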
diff --git a/t/t7030-verify-tag.sh b/t/t7030-verify-tag.sh
index 291a1e2b0..d6f77c443 100755
--- a/t/t7030-verify-tag.sh
+++ b/t/t7030-verify-tag.sh
@@ -63,7 +63,7 @@ test_expect_success GPG 'verify and show signatures' '
 	(
 		for tag in eighth-signed-alt
 		do
-			git verify-tag $tag 2>actual &&
+			test_must_fail git verify-tag $tag 2>actual &&
 			grep "Good signature from" actual &&
 			! grep "BAD signature from" actual &&
 			grep "not certified" actual &&
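Review bot: the expected failure for eighth-signed-alt is buried inside the test titled 'verify and show signatures', so a reader of this loop cannot tell from the title that the tag is the untrusted-key case; the t7510 change in this same patch gives that case its own test title, and t7030 should do the same, e.g. a separate test_expect_success GPG 'verify-tag exits unsuccessfully on untrusted signature' holding the test_must_fail line and the three grep checks.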
@@ -103,7 +103,7 @@ test_expect_success GPG 'verify signatures with --raw' '
 	(
 		for tag in eighth-signed-alt
 		do
-			git verify-tag --raw $tag 2>actual &&
+			test_must_fail git verify-tag --raw $tag 2>actual &&
 			grep "GOODSIG" actual &&
 			! grep "BADSIG" actual &&
 			grep "TRUST_UNDEFINED" actual &&
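Review bot: with test_must_fail now wrapping `git verify-tag --raw $tag`, the following `grep "TRUST_UNDEFINED" actual` is the only assertion tying the non-zero exit to the trust state, and only TRUST_UNDEFINED is exercised even though the cover letter names TRUST_NEVER as the other status that maps to 'U'; if a fixture key with never-trust ownertrust is available, add an analogous iteration for it, otherwise state in the commit message that TRUST_NEVER is untested.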
diff --git a/t/t7510-signed-commit.sh b/t/t7510-signed-commit.sh
index 6e2015ed9..5cb388cb6 100755
--- a/t/t7510-signed-commit.sh
+++ b/t/t7510-signed-commit.sh
@@ -89,8 +89,8 @@ test_expect_success GPG 'verify and show signatures' '
 	)
 '
 
-test_expect_success GPG 'verify-commit exits success on untrusted signature' '
-	git verify-commit eighth-signed-alt 2>actual &&
+test_expect_success GPG 'verify-commit exits unsuccessfully on untrusted signature' '
+	test_must_fail git verify-commit eighth-signed-alt 2>actual &&
 	grep "Good signature from" actual &&
 	! grep "BAD signature from" actual &&
 	grep "not certified" actual
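Review bot: the retitled test checks only the failing path; nothing in this hunk asserts that a signature from a fully trusted key still exits 0 after the change to check_signature, so add or reference a companion test_expect_success that runs `git verify-commit` on a trusted signed commit, otherwise a regression that rejects 'G' as well would still pass this untrusted-signature test.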
@@ -118,7 +118,7 @@ test_expect_success GPG 'verify signatures with --raw' '
 	(
 		for commit in eighth-signed-alt
 		do
-			git verify-commit --raw $commit 2>actual &&
+			test_must_fail git verify-commit --raw $commit 2>actual &&
 			grep "GOODSIG" actual &&
 			! grep "BADSIG" actual &&
 			grep "TRUST_UNDEFINED" actual &&
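Review bot: the --raw loop mirrors the t7030 change, but since `--raw` output is what scripts parse, this test should also assert the absence of a higher trust token, e.g. `! grep "TRUST_FULLY" actual` and `! grep "TRUST_ULTIMATE" actual`, so the fixture's untrusted state is checked explicitly rather than inferred from the presence of TRUST_UNDEFINED alone.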
-- 
2.18.0
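For readers automating verification as the cover letter describes, here is an added example (not code from the patch or from git) that classifies gpg status-fd lines the way the message says check_signature does and shows the exit-status policy before and after the one-line change. The GOODSIG -> G and TRUST_NEVER / TRUST_UNDEFINED -> U rows come from the message; the remaining rows and the rule that a later matching row overwrites an earlier one are assumptions about git's table, and the sample status output, key ids and names are constructed.

```python
"""Classify gpg --status-fd output as git's check_signature does, and
compare the pre-patch (G or U succeed) and post-patch (only G) policies.
Added example, not part of the patch; table rows beyond GOODSIG/BADSIG/
TRUST_* and the overwrite rule are assumptions about git's internals."""
import subprocess
from typing import Optional, Tuple

STATUS_TO_RESULT = [
    ("GOODSIG ", "G"),         # good signature from a known key
    ("BADSIG ", "B"),          # signature does not verify
    ("TRUST_NEVER", "U"),      # key explicitly marked never-trust
    ("TRUST_UNDEFINED", "U"),  # key present but no ownertrust assigned
    ("ERRSIG ", "E"),          # gpg could not check (e.g. missing key) [assumed row]
    ("EXPSIG ", "X"),          # expired signature [assumed row]
    ("EXPKEYSIG ", "Y"),       # signature from an expired key [assumed row]
    ("REVKEYSIG ", "R"),       # signature from a revoked key [assumed row]
]


def classify(status_text: str) -> Optional[str]:
    """Return the one-letter result for a block of [GNUPG:] status lines.

    Every matching row overwrites the result (assumed table-order rule), so a
    GOODSIG followed by TRUST_UNDEFINED ends as 'U', not 'G'. None means no
    row matched, i.e. gpg produced nothing usable.
    """
    result = None
    for token, letter in STATUS_TO_RESULT:
        if f"[GNUPG:] {token}" in status_text:
            result = letter
    return result


def accepted(result: Optional[str], reject_untrusted: bool = True) -> bool:
    """Exit-status policy: reject_untrusted=False is the pre-patch rule
    (G and U succeed); the default is the patched rule (only G succeeds)."""
    if reject_untrusted:
        return result == "G"
    return result in ("G", "U")


def verdict(status_text: str, reject_untrusted: bool = True) -> Tuple[Optional[str], bool]:
    result = classify(status_text)
    return result, accepted(result, reject_untrusted)


def verify_rev(rev: str, kind: str = "commit") -> Tuple[int, Optional[str], bool]:
    """Run `git verify-<kind> --raw <rev>` and apply the strict policy locally.

    The raw status lines go to stderr (hence 2>actual in the patch's tests).
    Returns (git exit code, result letter, accepted). An automation script
    should require both exit code 0 and accepted == True, which makes it
    independent of which git version it runs against.
    """
    proc = subprocess.run(
        ["git", f"verify-{kind}", "--raw", rev],
        capture_output=True, text=True, check=False,
    )
    result, ok = verdict(proc.stderr)
    return proc.returncode, result, ok


# Constructed samples in gpg's status-fd format (key ids and names made up).
TRUSTED_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Maintainer <maint@example.invalid>\n"
    "[GNUPG:] TRUST_ULTIMATE 0 pgp\n"
)
UNTRUSTED_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG FEDCBA9876543210 Alt Signer <alt@example.invalid>\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
BAD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 0123456789ABCDEF Maintainer <maint@example.invalid>\n"
)

if __name__ == "__main__":
    for name, text in (("trusted", TRUSTED_STATUS),
                       ("untrusted", UNTRUSTED_STATUS),
                       ("bad", BAD_STATUS)):
        before = verdict(text, reject_untrusted=False)
        after = verdict(text)
        print(f"{name:9s} result={after[0]} pre-patch ok={before[1]} "
              f"post-patch ok={after[1]}")
```

The untrusted sample is the interesting row: the GOODSIG line alone would give 'G', but the TRUST_UNDEFINED line that follows it turns the result into 'U', which the old policy accepted and the patched policy rejects. Checking the status lines yourself, as verify_rev does, gives the strict behaviour regardless of whether the git in use carries this patch.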
