This patch refactors the use of verify_signed_buffer() for GPG verification to use check_signature() instead.

Previously, both check_signature() and verify_signed_buffer() were used to verify signatures in various parts of Git. However, verify_signed_buffer() does not parse the GPG status message. Instead, it relies entirely on the exit code from GPG coupled with the existence of a GOODSIG string in the output buffer. Unfortunately, the mere presence of GOODSIG does not necessarily imply a valid signature, as shown by Michał Górny [1].

verify_signed_buffer() should be reserved for internal use by check_signature() since check_signature() parses and verifies the status message. This is accomplished in this patch.

Note that the patch is prepared for the next branch. I'm not sure if that's appropriate -- but it seemed sensible since I've already touched code in gpg-interface.c that's been merged in next.

[1] https://dev.gentoo.org/~mgorny/articles/attack-on-git-signature-verification.html

Hans Jerry Illikainen (1):
  gpg-interface: prefer check_signature() for GPG verification

 builtin/fmt-merge-msg.c | 11 +++--
 gpg-interface.c         | 97 +++++++++++++++++++++--------------------
 gpg-interface.h         |  9 ----
 log-tree.c              | 30 +++++++------
 4 files changed, 72 insertions(+), 75 deletions(-)

--
2.24.GIT
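
The difference between testing for a GOODSIG substring and parsing the status lines, as an added example that is not part of the original message and is not Git's code. It is a simplified C sketch: the function names and the status buffers are constructed for illustration, and the gpg exit code mentioned above is left out.

```c
#include <stdio.h>
#include <string.h>

/* Constructed status buffers (not captured from a real gpg run). */
static const char one_good[] =
	"[GNUPG:] NEWSIG\n"
	"[GNUPG:] GOODSIG 0123456789ABCDEF Example User\n";
static const char word_inside_other_line[] =
	"[GNUPG:] BADSIG 0123456789ABCDEF Example GOODSIG User\n";
static const char two_results[] =
	"[GNUPG:] GOODSIG 0123456789ABCDEF Example User\n"
	"[GNUPG:] BADSIG FEDCBA9876543210 Other User\n";

/* Substring test: true if the word occurs anywhere in the buffer. */
static int naive_goodsig(const char *status)
{
	return strstr(status, "GOODSIG") != NULL;
}

/* Line-anchored test: exactly one signature result line, and it is GOODSIG. */
static int strict_goodsig(const char *status)
{
	static const char prefix[] = "[GNUPG:] ";
	static const char *const results[] = {
		"GOODSIG ", "BADSIG ", "ERRSIG ", "EXPSIG ", "EXPKEYSIG ", "REVKEYSIG "
	};
	int good = 0, total = 0;

	for (const char *line = status; line && *line;
	     line = strchr(line, '\n'), line = line ? line + 1 : NULL) {
		if (strncmp(line, prefix, sizeof(prefix) - 1))
			continue;	/* not a status line */
		const char *kw = line + sizeof(prefix) - 1;
		for (size_t i = 0; i < sizeof(results) / sizeof(results[0]); i++) {
			if (!strncmp(kw, results[i], strlen(results[i]))) {
				total++;	/* one more signature result */
				good += (i == 0);
			}
		}
	}
	return total == 1 && good == 1;
}

int main(void)
{
	const char *bufs[] = { one_good, word_inside_other_line, two_results };
	for (size_t i = 0; i < 3; i++)
		printf("buffer %zu: naive=%d strict=%d\n", i,
		       naive_goodsig(bufs[i]), strict_goodsig(bufs[i]));
	return 0;
}
```

The substring test accepts all three buffers, while the line-anchored test accepts only the first.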