Re: [PATCH 1/1] verify-tag/verify-commit should exit unsuccessfully when signature is not trusted

On Thu, Aug 09, 2018 at 11:40:27AM -0700, Junio C Hamano wrote:
> -- >8 --
> Subject: [PATCH] gpg-interface: propagate exit status from gpg back to the callers
> 
> When gpg-interface API unified support for signature verification
> codepaths for signed tags and signed commits in mid 2015 at around
> v2.6.0-rc0~114, we accidentally loosened the GPG signature
> verification.
> 
> Before that change, signed commits were verified by looking for
> "G"ood signature from GPG, while ignoring the exit status of "gpg
> --verify" process, while signed tags were verified by simply passing
> the exit status of "gpg --verify" through.  The unified code we
> currently have ignores the exit status of "gpg --verify" and returns
> successful verification when the signature matches an unexpired key
> regardless of the trust placed on the key (i.e. in addition to "G"ood
> ones, we accept "U"ntrusted ones).
> 
> Make these commands signal failure with their exit status when
> underlying "gpg --verify" (or the custom command specified by
> "gpg.program" configuration variable) does so.  This essentially
> changes their behaviour in a backward incompatible way to reject
> signatures that have been made with untrusted keys even if they
> correctly verify, as that is how "gpg --verify" behaves.
> 
> Note that the code still overrides a zero exit status obtained from
> "gpg" (or gpg.program) if the output does not say the signature is
> good or computes correctly but made with untrusted keys, to catch
> a poorly written wrapper around "gpg" the user may give us.
> 
> We could exclude "U"ntrusted support from this fallback code, but
> that would be making two backward incompatible changes in a single
> commit, so let's avoid that for now.  A follow-up change could do so
> if desired.

This looks great to me.  Thanks.
-- 
brian m. carlson: Houston, Texas, US
OpenPGP: https://keybase.io/bk2204
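The policy change the quoted commit message describes (stop ignoring the exit status of "gpg --verify", but keep rejecting output that is neither "G"ood nor "U"ntrusted-good) can be made concrete with a small model. The following is an added example written for this page, not git's gpg-interface code: the mapping from gpg's `--status-fd` tokens (GOODSIG, BADSIG, TRUST_NEVER, ...) to the single-letter results is a deliberate simplification, and the status outputs and exit codes fed to it are constructed sample data, not captured from gpg.

```python
"""Model of the two verification policies discussed in the commit message.

This is an illustrative re-implementation for this page, not the code in
git's gpg-interface.c.  The status-line grammar follows gpg's --status-fd
output, but the token-to-result mapping below is simplified (assumption).
"""

import re

# gpg --status-fd tokens that describe the signature itself, mapped to the
# single-letter results the commit message refers to ("G"ood, "U"ntrusted...).
SIG_STATUS = {
    "GOODSIG": "G",
    "BADSIG": "B",
    "ERRSIG": "E",
    "EXPSIG": "X",
    "EXPKEYSIG": "Y",
    "REVKEYSIG": "R",
}

# A good signature made with a key in one of these trust states is
# downgraded from "G" to "U" (simplified model of git's behaviour).
UNTRUSTED_TRUST = {"TRUST_UNDEFINED", "TRUST_NEVER"}

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)")


def parse_status(status_output: str) -> str:
    """Reduce gpg status lines to one result letter; 'N' means no signature."""
    result = "N"
    for line in status_output.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue
        token = m.group(1)
        if token in SIG_STATUS:
            result = SIG_STATUS[token]
        elif token in UNTRUSTED_TRUST and result == "G":
            result = "U"
    return result


def verify_loosened(status_output: str, exit_code: int) -> bool:
    """Unified code before the fix: gpg's exit status is ignored entirely,
    and both "G" and "U" count as a successful verification."""
    return parse_status(status_output) in ("G", "U")


def verify_propagating(status_output: str, exit_code: int) -> bool:
    """After the fix: a non-zero exit from gpg (or gpg.program) fails the
    verification.  A zero exit is still overridden when the output does not
    say the signature is good or untrusted-good, which catches a wrapper
    that exits 0 without actually verifying anything."""
    if exit_code != 0:
        return False
    return parse_status(status_output) in ("G", "U")


# Constructed sample status outputs (not real gpg captures).
GOOD_TRUSTED = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>\n"
    "[GNUPG:] TRUST_ULTIMATE 0 pgp\n"
)
GOOD_UNTRUSTED = (
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>\n"
    "[GNUPG:] TRUST_NEVER 0 pgp\n"
)
BAD_FROM_WRAPPER = (
    "[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.invalid>\n"
)


if __name__ == "__main__":
    # Exit codes here are constructed to illustrate the two policies.
    for name, out, rc in [
        ("good, trusted key, gpg exit 0", GOOD_TRUSTED, 0),
        ("good, untrusted key, gpg exit 1", GOOD_UNTRUSTED, 1),
        ("bad signature, wrapper exit 0", BAD_FROM_WRAPPER, 0),
    ]:
        print(f"{name}: loosened={verify_loosened(out, rc)} "
              f"propagating={verify_propagating(out, rc)}")
```

The second sample is the case the commit message calls backward incompatible: the signature verifies, the key is untrusted, and the old unified code accepts it because it never looked at the exit status; with the exit status propagated it is rejected. The third sample shows why the fallback on the output is kept even after the fix.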

