On Sat, Oct 20, 2018 at 9:31 PM Michał Górny <mgorny@xxxxxxxxxx> wrote:
> +test_expect_success GPG 'detect fudged commit with double signature' '
> + sed -e "/gpgsig/,/END PGP/d" forged1 >double-base &&
> + sed -n -e "/gpgsig/,/END PGP/p" forged1 | \
> + sed -e "s/^gpgsig//;s/^ //" | gpg --dearmor >double-sig1.sig &&
> + gpg -o double-sig2.sig -u 29472784 --detach-sign double-base &&
> + cat double-sig1.sig double-sig2.sig | gpg --enarmor >double-combined.asc &&
> + sed -e "s/^\(-.*\)ARMORED FILE/\1SIGNATURE/;1s/^/gpgsig /;2,\$s/^/ /" \
> + double-combined.asc > double-gpgsig &&
> + sed -e "/committer/r double-gpgsig" double-base >double-commit &&
> + git hash-object -w -t commit double-commit >double-commit.commit &&
> + test_must_fail git verify-commit $(cat double-commit.commit) &&
> + git show --pretty=short --show-signature $(cat double-commit.commit) >double-actual &&
> + grep "BAD signature from" double-actual &&
> + grep "Good signature from" double-actual
> +'

This test fails on 'master' today for me

gpg: WARNING: multiple signatures detected. Only the first will be checked.
gpg: Signature made Sat Nov 3 15:13:28 2018 UTC
gpg: using DSA key 13B6F51ECDDE430D
gpg: issuer "committer@xxxxxxxxxxx"
gpg: BAD signature from "C O Mitter <committer@xxxxxxxxxxx>" [ultimate]
gpg: BAD signature from "C O Mitter <committer@xxxxxxxxxxx>" [ultimate]
not ok 16 - detect fudged commit with double signature

Perhaps my gpg is too old?

$ gpg --version
gpg (GnuPG) 2.1.15
libgcrypt 1.7.3
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/pclouds/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
-- 
Duy
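Review bot: the last assertion in the quoted test, `grep "Good signature from" double-actual`, makes the test depend on how the installed gpg handles a signature block that carries two signatures, and the failure reported above shows why that is fragile: GnuPG 2.1.15 prints "WARNING: multiple signatures detected. Only the first will be checked." and reports only "BAD signature from" lines, so no "Good signature from" line ever appears and the test fails even though git behaves correctly. The security-relevant outcome is already covered by the two preceding lines, `test_must_fail git verify-commit $(cat double-commit.commit)` and `grep "BAD signature from" double-actual`: a commit whose gpgsig header has been tampered with must not verify. Suggest either dropping the "Good signature" grep, or guarding this test with an additional prerequisite (next to the existing `GPG` prereq) that checks the installed gpg actually verifies every signature in a multi-signature block, so the test skips rather than fails on older GnuPG versions.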