Re: [PATCH v4] gpg-interface.c: detect and reject multiple signatures on commits

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2018-10-22 at 08:04 +0000, Michał Górny wrote:
> Dnia October 20, 2018 11:57:36 PM UTC, Junio C Hamano <gitster@xxxxxxxxx> napisał(a):
> > Michał Górny <mgorny@xxxxxxxxxx> writes:
> > 
> > > GnuPG supports creating signatures consisting of multiple signature
> > > packets.  If such a signature is verified, it outputs all the status
> > > messages for each signature separately.  However, git currently does
> > 
> > not
> > > account for such scenario and gets terribly confused over getting
> > > multiple *SIG statuses.
> > > 
> > > For example, if a malicious party alters a signed commit and appends
> > > a new untrusted signature, git is going to ignore the original bad
> > > signature and report untrusted commit instead.  However, %GK and %GS
> > > format strings may still expand to the data corresponding
> > > to the original signature, potentially tricking the scripts into
> > > trusting the malicious commit.
> > > 
> > > Given that the use of multiple signatures is quite rare, git does not
> > > support creating them without jumping through a few hoops, and
> > 
> > finally
> > > supporting them properly would require extensive API improvement, it
> > > seems reasonable to just reject them at the moment.
> > > 
> > > Signed-off-by: Michał Górny <mgorny@xxxxxxxxxx>
> > > ---
> > >  gpg-interface.c          | 90
> > 
> > +++++++++++++++++++++++++++-------------
> > >  t/t7510-signed-commit.sh | 26 ++++++++++++
> > >  2 files changed, 87 insertions(+), 29 deletions(-)
> > > 
> > > Changes in v4:
> > > * switched to using skip_prefix(),
> > > * renamed the variable to seen_exclusive_status,
> > > * made the loop terminate early on first duplicate status seen.
> > 
> > Thanks for sticking to the topic and polishing it further.  Looks
> > very good.  
> > 
> > Will replace.
> > 
> > > +	int seen_exclusive_status = 0;
> > > +
> > > +	/* Iterate over all lines */
> > > +	for (line = buf; *line; line = strchrnul(line+1, '\n')) {
> > > +		while (*line == '\n')
> > > +			line++;
> > > +		/* Skip lines that don't start with GNUPG status */
> > > +		if (!skip_prefix(line, "[GNUPG:] ", &line))
> > > +			continue;
> > > +
> > > +		/* Iterate over all search strings */
> > > +		for (i = 0; i < ARRAY_SIZE(sigcheck_gpg_status); i++) {
> > > +			if (skip_prefix(line, sigcheck_gpg_status[i].check, &line)) {
> > > +				if (sigcheck_gpg_status[i].flags & GPG_STATUS_EXCLUSIVE) {
> > > +					if (++seen_exclusive_status > 1)
> > > +						goto found_duplicate_status;
> > 
> > Very minor point but by not using pre-increment, i.e.
> > 
> > 		if (seen_exclusive_status++)
> > 			goto found_duplicate_status;
> > 
> > you can use the expression as a "have we already seen?" boolean,
> > whic may probably be more idiomatic.
> > 
> > The patch is good in the way written as-is, and this is so minor
> > that it is not worth rerolling to only update this part.
> 
> Please don't merge it yet. I gave it some more thought and I think the loop refactoring may cause TRUST_* to override BADSIG (i.e. upgrade from 'bad' to 'untrusted'). I'm going to verify this when I get home.
> 

I was wrong.  I'm sorry about the noise.  I've reverified the logic,
and it correct.  That is:

1) for trusted signature, only GOODSIG is emitted and 'G' is returned
correctly,

2) for untrusted signature, GOODSIG is followed by TRUST_* messages,
so line-wise TRUST_* check replaces the 'G' with 'U',

3) for bad signature, only BADSIG is emitted without TRUST_* messages.

Furthermore, GnuPG documentation confirms that TRUST_* is only emitted
for good signatures [1].

[1]:https://github.com/gpg/gnupg/blob/master/doc/DETAILS#trust_

-- 
Best regards,
Michał Górny

Attachment: signature.asc
Description: This is a digitally signed message part


[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]

  Powered by Linux