This series starts off with a refactor of print_signature_buffer() to make all output conditional based on the 'flags' parameter. The print function is also extended to optionally show one-line summaries of signature verifications (previously that functionality existed in verify_merge_signature()).

The helper functions for signature verification of commits are then refactored. The new gpg_verify_commit() function is modelled after gpg_verify_tag(). This allows us to remove verify_merge_signature() and the file-local run_gpg_verify() (from the verify-commit builtin). It also allows us to change check_commit_signature() into a local function in commit.c.

A new configuration option is also introduced, gpg.verifySignatures. This allows users to enable signature verification for all operations that support it. Individual operations can then use <operation>.verifySignatures for finer-grained control.

And finally, signature verification is added to the clone builtin. It obeys --(no-)verify-signatures, clone.verifySignatures and gpg.verifySignatures (in decreasing order of significance).

A notable quirk with signature verification for clones is --recurse-submodules. As mentioned in the commit message, the current workaround is to disable signature verification for submodules by passing --no-verify-signatures in submodule--helper.c. I'm very much open to suggestions for a better approach of dealing with recursive clones. However, I don't think --verify-signatures from the clone builtin should propagate to submodules, because that would break a workflow where a user:

1. trusts the hash function
2. has audited an unsigned repository at a given point
3. has added the repository at that point as a submodule
4. has signed an object in the super repository where the audited submodule is referenced

So, I think it'd make more sense to introduce a submodule.verifySignatures config knob to be used by both --recurse-submodules and when the 'submodule' command is used directly.
I hope this patch series isn't too confusing/all over the place. I wasn't sure whether the preparatory patches would have made sense in isolation, so I opted to send it all in one go.

Hans Jerry Illikainen (5):
  gpg-interface: conditionally show the result in print_signature_buffer()
  gpg-interface: support one-line summaries in print_signature_buffer()
  commit: refactor signature verification helpers
  merge: verify signatures if gpg.verifySignatures is true
  clone: support signature verification

 Documentation/config.txt           |   2 +
 Documentation/config/clone.txt     |   3 +
 Documentation/config/gpg.txt       |   6 +
 Documentation/config/merge.txt     |   4 +-
 Documentation/git-clone.txt        |   4 +
 builtin/clone.c                    |  46 ++++
 builtin/merge.c                    |  22 +-
 builtin/pull.c                     |  18 +-
 builtin/submodule--helper.c        |   6 +
 builtin/tag.c                      |   4 +-
 builtin/verify-commit.c            |  26 +-
 builtin/verify-tag.c               |   4 +-
 commit.c                           |  58 ++--
 commit.h                           |  31 +--
 gpg-interface.c                    |  43 ++-
 gpg-interface.h                    |  11 +-
 pretty.c                           |   3 +-
 t/t5619-clone-verify-signatures.sh | 411 +++++++++++++++++++++++++++++
 t/t7612-merge-verify-signatures.sh |  27 ++
 tag.c                              |  19 +-
 20 files changed, 633 insertions(+), 115 deletions(-)
 create mode 100644 Documentation/config/clone.txt
 create mode 100755 t/t5619-clone-verify-signatures.sh

-- 
2.25.0.rc1.302.gc71d20beed