On Mon, 2018-10-22 at 08:04 +0000, Michał Górny wrote: > Dnia October 20, 2018 11:57:36 PM UTC, Junio C Hamano <gitster@xxxxxxxxx> napisał(a): > > Michał Górny <mgorny@xxxxxxxxxx> writes: > > > > > GnuPG supports creating signatures consisting of multiple signature > > > packets. If such a signature is verified, it outputs all the status > > > messages for each signature separately. However, git currently does > > > > not > > > account for such scenario and gets terribly confused over getting > > > multiple *SIG statuses. > > > > > > For example, if a malicious party alters a signed commit and appends > > > a new untrusted signature, git is going to ignore the original bad > > > signature and report untrusted commit instead. However, %GK and %GS > > > format strings may still expand to the data corresponding > > > to the original signature, potentially tricking the scripts into > > > trusting the malicious commit. > > > > > > Given that the use of multiple signatures is quite rare, git does not > > > support creating them without jumping through a few hoops, and > > > > finally > > > supporting them properly would require extensive API improvement, it > > > seems reasonable to just reject them at the moment. > > > > > > Signed-off-by: Michał Górny <mgorny@xxxxxxxxxx> > > > --- > > > gpg-interface.c | 90 > > > > +++++++++++++++++++++++++++------------- > > > t/t7510-signed-commit.sh | 26 ++++++++++++ > > > 2 files changed, 87 insertions(+), 29 deletions(-) > > > > > > Changes in v4: > > > * switched to using skip_prefix(), > > > * renamed the variable to seen_exclusive_status, > > > * made the loop terminate early on first duplicate status seen. > > > > Thanks for sticking to the topic and polishing it further. Looks > > very good. > > > > Will replace. > > > > > + int seen_exclusive_status = 0; > > > + > > > + /* Iterate over all lines */ > > > + for (line = buf; *line; line = strchrnul(line+1, '\n')) { > > > + while (*line == '\n') > > > + line++; > > > + /* Skip lines that don't start with GNUPG status */ > > > + if (!skip_prefix(line, "[GNUPG:] ", &line)) > > > + continue; > > > + > > > + /* Iterate over all search strings */ > > > + for (i = 0; i < ARRAY_SIZE(sigcheck_gpg_status); i++) { > > > + if (skip_prefix(line, sigcheck_gpg_status[i].check, &line)) { > > > + if (sigcheck_gpg_status[i].flags & GPG_STATUS_EXCLUSIVE) { > > > + if (++seen_exclusive_status > 1) > > > + goto found_duplicate_status; > > > > Very minor point but by not using pre-increment, i.e. > > > > if (seen_exclusive_status++) > > goto found_duplicate_status; > > > > you can use the expression as a "have we already seen?" boolean, > > whic may probably be more idiomatic. > > > > The patch is good in the way written as-is, and this is so minor > > that it is not worth rerolling to only update this part. > > Please don't merge it yet. I gave it some more thought and I think the loop refactoring may cause TRUST_* to override BADSIG (i.e. upgrade from 'bad' to 'untrusted'). I'm going to verify this when I get home. > I was wrong. I'm sorry about the noise. I've reverified the logic, and it correct. That is: 1) for trusted signature, only GOODSIG is emitted and 'G' is returned correctly, 2) for untrusted signature, GOODSIG is followed by TRUST_* messages, so line-wise TRUST_* check replaces the 'G' with 'U', 3) for bad signature, only BADSIG is emitted without TRUST_* messages. Furthermore, GnuPG documentation confirms that TRUST_* is only emitted for good signatures [1]. [1]:https://github.com/gpg/gnupg/blob/master/doc/DETAILS#trust_ -- Best regards, Michał Górny
Attachment:
signature.asc
Description: This is a digitally signed message part