Re: [PATCH v4] gpg-interface.c: detect and reject multiple signatures on commits

On Sat, 2018-11-03 at 16:17 +0100, Duy Nguyen wrote:
> On Sat, Oct 20, 2018 at 9:31 PM Michał Górny <mgorny@xxxxxxxxxx> wrote:
> > +test_expect_success GPG 'detect fudged commit with double signature' '
> > +       sed -e "/gpgsig/,/END PGP/d" forged1 >double-base &&
> > +       sed -n -e "/gpgsig/,/END PGP/p" forged1 | \
> > +               sed -e "s/^gpgsig//;s/^ //" | gpg --dearmor >double-sig1.sig &&
> > +       gpg -o double-sig2.sig -u 29472784 --detach-sign double-base &&
> > +       cat double-sig1.sig double-sig2.sig | gpg --enarmor >double-combined.asc &&
> > +       sed -e "s/^\(-.*\)ARMORED FILE/\1SIGNATURE/;1s/^/gpgsig /;2,\$s/^/ /" \
> > +               double-combined.asc > double-gpgsig &&
> > +       sed -e "/committer/r double-gpgsig" double-base >double-commit &&
> > +       git hash-object -w -t commit double-commit >double-commit.commit &&
> > +       test_must_fail git verify-commit $(cat double-commit.commit) &&
> > +       git show --pretty=short --show-signature $(cat double-commit.commit) >double-actual &&
> > +       grep "BAD signature from" double-actual &&
> > +       grep "Good signature from" double-actual
> > +'
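Review bot: the two final greps assume gpg verifies and reports every signature in the gpgsig block, so that one "BAD signature from" and one "Good signature from" line both appear; a GnuPG that prints "multiple signatures detected. Only the first will be checked" reports only the first signature, and the "Good signature from" grep then fails even though `test_must_fail git verify-commit` already passed. Consider either gating the test on a prerequisite that probes the installed gpg for this behaviour (alongside the existing GPG prerequisite), or asserting on what git itself rejects rather than on gpg's per-signature output.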
> 
> This test fails on 'master' today for me.
> 
> gpg: WARNING: multiple signatures detected.  Only the first will be checked.
> gpg: Signature made Sat Nov  3 15:13:28 2018 UTC
> gpg:                using DSA key 13B6F51ECDDE430D
> gpg:                issuer "committer@xxxxxxxxxxx"
> gpg: BAD signature from "C O Mitter <committer@xxxxxxxxxxx>" [ultimate]
> gpg: BAD signature from "C O Mitter <committer@xxxxxxxxxxx>" [ultimate]
> not ok 16 - detect fudged commit with double signature
> 
> Perhaps my gpg is too old?
> 
> $ gpg --version
> gpg (GnuPG) 2.1.15
> libgcrypt 1.7.3
> Copyright (C) 2016 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
> 
> Home: /home/pclouds/.gnupg
> Supported algorithms:
> Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
> Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
>         CAMELLIA128, CAMELLIA192, CAMELLIA256
> Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
> Compression: Uncompressed, ZIP, ZLIB, BZIP2

Perhaps this is indeed specific to this version of GnuPG.  The tests
pass for me with both 1.4.21 and 2.2.10.  We don't have 2.1* in Gentoo
anymore.

-- 
Best regards,
Michał Górny
