Hello,

My colleague and I are struggling with the automation of verifying git repositories, and we have encountered that git verify-commit and verify-tag accept untrusted signatures and exit successfully. We have done some investigation of the GPG verification changes in the git repository, which I include in this patch message.

The GPG results `TRUST_NEVER` and `TRUST_UNDEFINED` in the raw output are treated as untrusted (U) in git and should not be accepted by the verify-commit and verify-tag commands.

In 434060ec6d, verify-tag and verify-commit were centralized into the check_signature function, and good (G) and untrusted (U) signatures were marked as valid and exited successfully. That commit incorrectly states that this behavior was adopted from the older verify-tag function; however, the original verify-tag behavior was to return the exit code from the gpg process itself (removed in a4cc18f29).

Also, rejecting untrusted (U) signatures is the behavior of pull/merge with --verify-signatures (defined in the cmd_merge function in builtin/merge.c and presented in eb307ae7bb). The behavior of merge/pull --verify-signatures and verify-commit/verify-tag should be the same.

With regards,
Vojtech Myslivec and Karel Koci
From c9c7b555da284c4f67fe36dc95d592644089544a Mon Sep 17 00:00:00 2001 From: Vojtech Myslivec <vojtech.myslivec@xxxxxx> Date: Tue, 31 Jul 2018 20:32:32 +0200 Subject: [PATCH] gpg-interface: Do not accept untrusted signatures In 434060ec6d verify-tag and verify-commit was centralized into check_signature function and good (G) and untrusted (U) signatures were marked as valid and exited successfully. In this commit it is incorrectly stated that this behavior is adopted from older verify-tag function however original verify-tag behavior was to return exit code from gpg process itself (removed in a4cc18f29). Also rejecting untrusted (U) signature is the pull/merge with --verify-signatures behavior (defined in builtin/merge.c cmd_merge function and presented in eb307ae7bb). The behavior of merge/pull --verify-signatures and verify-commit/verify-tag should be the same. --- gpg-interface.c | 2 +- t/t7030-verify-tag.sh | 4 ++-- t/t7510-signed-commit.sh | 6 +++--- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/gpg-interface.c b/gpg-interface.c index 09ddfbc26..83adc7d12 100644 --- a/gpg-interface.c +++ b/gpg-interface.c @@ -86,7 +86,7 @@ int check_signature(const char *payload, size_t plen, const char *signature, strbuf_release(&gpg_status); strbuf_release(&gpg_output); - return sigc->result != 'G' && sigc->result != 'U'; + return sigc->result != 'G'; } void print_signature_buffer(const struct signature_check *sigc, unsigned flags) diff --git a/t/t7030-verify-tag.sh b/t/t7030-verify-tag.sh index 291a1e2b0..d6f77c443 100755 --- a/t/t7030-verify-tag.sh +++ b/t/t7030-verify-tag.sh @@ -63,7 +63,7 @@ test_expect_success GPG 'verify and show signatures' ' ( for tag in eighth-signed-alt do - git verify-tag $tag 2>actual && + test_must_fail git verify-tag $tag 2>actual && grep "Good signature from" actual && ! grep "BAD signature from" actual && grep "not certified" actual && 
@@ -103,7 +103,7 @@ test_expect_success GPG 'verify signatures with --raw' ' ( for tag in eighth-signed-alt do - git verify-tag --raw $tag 2>actual && + test_must_fail git verify-tag --raw $tag 2>actual && grep "GOODSIG" actual && ! grep "BADSIG" actual && grep "TRUST_UNDEFINED" actual && diff --git a/t/t7510-signed-commit.sh b/t/t7510-signed-commit.sh index 6e2015ed9..5cb388cb6 100755 --- a/t/t7510-signed-commit.sh +++ b/t/t7510-signed-commit.sh @@ -89,8 +89,8 @@ test_expect_success GPG 'verify and show signatures' ' ) ' -test_expect_success GPG 'verify-commit exits success on untrusted signature' ' - git verify-commit eighth-signed-alt 2>actual && +test_expect_success GPG 'verify-commit exits unsuccessfully on untrusted signature' ' + test_must_fail git verify-commit eighth-signed-alt 2>actual && grep "Good signature from" actual && ! grep "BAD signature from" actual && grep "not certified" actual @@ -118,7 +118,7 @@ test_expect_success GPG 'verify signatures with --raw' ' ( for commit in eighth-signed-alt do - git verify-commit --raw $commit 2>actual && + test_must_fail git verify-commit --raw $commit 2>actual && grep "GOODSIG" actual && ! grep "BADSIG" actual && grep "TRUST_UNDEFINED" actual && -- 2.18.0
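Review bot: the gpg-interface.c hunk changes the return value of check_signature() for every caller, not only verify-commit and verify-tag, yet the diffstat touches only gpg-interface.c and two test scripts. builtin/merge.c, which the commit message itself says already rejects 'U' in cmd_merge, is not adjusted, so its check becomes a second, now redundant rejection path, and any other caller that used to treat a zero return plus sigc->result == 'U' as "verified but untrusted" now gets a non-zero return without being reviewed here. Either enumerate the callers in the commit message and confirm each one wants the new semantics, or leave check_signature() alone and apply `sigc->result != 'G'` at the verify-commit and verify-tag call sites. The one-line `return sigc->result != 'G';` also carries no comment that a good-but-untrusted signature is now a failure, and the user-visible change to the exit status of `git verify-tag` and `git verify-commit` deserves a sentence in their manual pages, which the diffstat shows are not touched.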
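Review bot: in the first t7030-verify-tag.sh hunk the test title 'verify and show signatures' now covers a case that is expected to fail; the loop's `grep "Good signature from" actual` and `grep "not certified" actual` still pass because gpg reports the signature as good but the key as not certified, which is correct, but the title no longer says what is being asserted. Move the eighth-signed-alt iteration into its own test with a title such as 'verify-tag fails on untrusted signature', as the t7510 hunk does for verify-commit, so that a regression points at the right test.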
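Review bot: the cover letter says both TRUST_NEVER and TRUST_UNDEFINED map to 'U', but the only untrusted fixture in either script is eighth-signed-alt, and the t7030 `--raw` hunk greps only `grep "TRUST_UNDEFINED" actual`; nothing exercises a key whose ownertrust has been set to never. A second iteration with a key marked never-trusted, asserting `test_must_fail git verify-tag --raw $tag 2>actual` and `grep "TRUST_NEVER" actual`, would cover the other half of the claim.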
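Review bot: the renamed t7510 title 'verify-commit exits unsuccessfully on untrusted signature' reads awkwardly; 'verify-commit fails on untrusted signature' says the same thing and matches the `test_must_fail` it now wraps. The surrounding greps for "Good signature from" and "not certified" are kept, which is right: they pin down that the failure comes from the trust level, not from a bad signature.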
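What an automation job that cannot rely on the exit code of `git verify-tag` or `git verify-commit` can do instead, as an added example that is not part of this patch or of git's own code: a POSIX shell classifier over the gpg status lines that `--raw` prints on stderr. The mapping follows the cover letter (GOODSIG together with TRUST_UNDEFINED or TRUST_NEVER is good but untrusted); counting TRUST_MARGINAL as untrusted and the set of failure keywords checked are this example's own policy choices, and the key id and user id in the constructed sample lines are made up.

```shell
#!/bin/sh
# Added example (not from the patch or from git): decide trust from the gpg
# status lines instead of from git verify-tag's exit status.
#
# classify_gpg_status reads "[GNUPG:] ..." lines on stdin, prints one of
#   GOOD_TRUSTED    GOODSIG and TRUST_FULLY or TRUST_ULTIMATE
#   GOOD_UNTRUSTED  GOODSIG but TRUST_UNDEFINED, TRUST_NEVER or TRUST_MARGINAL
#   BAD             BADSIG/EXPSIG/EXPKEYSIG/REVKEYSIG/ERRSIG, or no GOODSIG at all
# and returns 0 only for GOOD_TRUSTED. Treating TRUST_MARGINAL as untrusted is
# this example's policy, not something the patch decides.
classify_gpg_status() {
    good=0 bad=0 trust=none
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] GOODSIG "*) good=1 ;;
            "[GNUPG:] BADSIG "*) bad=1 ;;
            "[GNUPG:] EXPSIG "*|"[GNUPG:] EXPKEYSIG "*) bad=1 ;;
            "[GNUPG:] REVKEYSIG "*|"[GNUPG:] ERRSIG "*) bad=1 ;;
            "[GNUPG:] TRUST_ULTIMATE"*|"[GNUPG:] TRUST_FULLY"*) trust=full ;;
            "[GNUPG:] TRUST_MARGINAL"*|"[GNUPG:] TRUST_UNDEFINED"*|"[GNUPG:] TRUST_NEVER"*) trust=low ;;
        esac
    done
    if [ "$bad" -eq 1 ] || [ "$good" -eq 0 ]; then
        echo BAD
        return 1
    fi
    if [ "$trust" = full ]; then
        echo GOOD_TRUSTED
        return 0
    fi
    echo GOOD_UNTRUSTED
    return 1
}

# Wrappers for a job: git writes the --raw status lines to stderr, so stderr
# is sent down the pipe and git's own (too lenient) exit status is ignored.
verify_tag_trusted() {
    git verify-tag --raw "$1" 2>&1 >/dev/null | classify_gpg_status
}
verify_commit_trusted() {
    git verify-commit --raw "$1" 2>&1 >/dev/null | classify_gpg_status
}

# Constructed sample status output (made-up key id and user id), shaped like
# the eighth-signed-alt case in the tests: good signature, key not certified.
SAMPLE_UNTRUSTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.com>
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: the same signer after its ownertrust was set to ultimate.
SAMPLE_TRUSTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.com>
[GNUPG:] TRUST_ULTIMATE 0 pgp'

# Constructed: a signature that does not verify at all.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.com>'

# Usage in a job:  verify_tag_trusted v1.2.3 || exit 1
```

The classifier deliberately fails closed: no GOODSIG line at all (for example because gpg could not run, or the tag does not exist) is reported as BAD, and a good signature with no TRUST_* line at all is reported as GOOD_UNTRUSTED.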