Merge operations have had support for a merge.verifySignatures config knob for quite some time. However, there is no global option to enable signature verification for all operations that support it. This makes sense because only merges (and, by extension, pulls) have support for configurable signature verifications.

However, with the upcoming introduction of signature verification for clones, it seems reasonable to have a global option that enables verification for all operations that support it. Otherwise, users would have to track down and enable every *.verifySignatures knob.

This patch adds support for a global gpg.verifySignatures in git_merge_config(). The global variant is overridden by both merge.verifySignatures and the --(no-)verify-signatures command-line parameter.

Signed-off-by: Hans Jerry Illikainen <hji@xxxxxxxxxxxx>
--- Documentation/config/gpg.txt | 6 ++++++ Documentation/config/merge.txt | 4 +++- builtin/merge.c | 8 +++++--- t/t7612-merge-verify-signatures.sh | 27 +++++++++++++++++++++++++++ 4 files changed, 41 insertions(+), 4 deletions(-) diff --git a/Documentation/config/gpg.txt b/Documentation/config/gpg.txt index d94025cb36..7bf64cff24 100644 --- a/Documentation/config/gpg.txt +++ b/Documentation/config/gpg.txt @@ -33,3 +33,9 @@ gpg.minTrustLevel:: * `marginal` * `fully` * `ultimate` + +gpg.verifySignatures:: + Verify that commits are signed with a valid key for operations + that support signature verification. This option act as a + global default and can be overridden in sections specific to + individual operations. diff --git a/Documentation/config/merge.txt b/Documentation/config/merge.txt index 6a313937f8..7ff72fafc2 100644 --- a/Documentation/config/merge.txt +++ b/Documentation/config/merge.txt 
@@ -28,7 +28,9 @@ merge.ff:: merge.verifySignatures:: If true, this is equivalent to the --verify-signatures command - line option. See linkgit:git-merge[1] for details. + line option. See linkgit:git-merge[1] for details. Also see + `gpg.verifySignatures` for a global option to enable signature + verification. include::fmt-merge-msg.txt[] diff --git a/builtin/merge.c b/builtin/merge.c index e472f17738..539dd1dbfc 100644 --- a/builtin/merge.c +++ b/builtin/merge.c @@ -61,7 +61,7 @@ static const char * const builtin_merge_usage[] = { static int show_diffstat = 1, shortlog_len = -1, squash; static int option_commit = -1; static int option_edit = -1; -static int allow_trivial = 1, have_message, verify_signatures; +static int allow_trivial = 1, have_message, verify_signatures = -1; static int overwrite_ignore = 1; static unsigned gpg_flags = GPG_VERIFY_SHORT | GPG_VERIFY_COMPAT; static struct strbuf merge_msg = STRBUF_INIT; @@ -610,6 +610,8 @@ static int git_merge_config(const char *k, const char *v, void *cb) show_diffstat = git_config_bool(k, v); else if (!strcmp(k, "merge.verifysignatures")) verify_signatures = git_config_bool(k, v); + else if (!strcmp(k, "gpg.verifysignatures") && verify_signatures < 0) + verify_signatures = git_config_bool(k, v); else if (!strcmp(k, "pull.twohead")) return git_config_string(&pull_twohead, k, v); else if (!strcmp(k, "pull.octopus")) @@ -1399,7 +1401,7 @@ int cmd_merge(int argc, const char **argv, const char *prefix) if (remoteheads->next) die(_("Can merge only exactly one commit into empty head")); - if (verify_signatures && + if (verify_signatures == 1 && gpg_verify_commit(&remoteheads->item->object.oid, NULL, NULL, gpg_flags)) die(_("Signature verification failed")); 
@@ -1423,7 +1425,7 @@ int cmd_merge(int argc, const char **argv, const char *prefix) usage_with_options(builtin_merge_usage, builtin_merge_options); - if (verify_signatures) { + if (verify_signatures == 1) { for (p = remoteheads; p; p = p->next) { if (gpg_verify_commit(&p->item->object.oid, NULL, NULL, gpg_flags)) diff --git a/t/t7612-merge-verify-signatures.sh b/t/t7612-merge-verify-signatures.sh index a426f3a89a..10ab2fa119 100755 --- a/t/t7612-merge-verify-signatures.sh +++ b/t/t7612-merge-verify-signatures.sh 
@@ -125,6 +125,33 @@ test_expect_success GPG 'merge commit with bad signature with merge.verifySignat git merge --no-verify-signatures $(cat forged.commit) ' +test_expect_success GPG 'merge commit with bad signature with gpg.verifySignatures=true and --no-verify-signatures' ' + test_when_finished "git reset --hard && git checkout initial" && + test_config gpg.verifySignatures true && + git merge --no-verify-signatures $(cat forged.commit) +' + +test_expect_success GPG 'merge commit with bad signature with gpg.verifySignatures=true and merge.verifySignatures=false' ' + test_when_finished "git reset --hard && git checkout initial" && + test_config gpg.verifySignatures true && + test_config merge.verifySignatures false && + git merge $(cat forged.commit) +' + +test_expect_success GPG 'merge commit with bad signature with clone.verifySignatures=false and gpg.verifySignatures=true' ' + test_when_finished "git reset --hard && git checkout initial" && + test_config merge.verifySignatures false && + test_config gpg.verifySignatures true && + git merge $(cat forged.commit) +' + +test_expect_success GPG 'merge commit with bad signature with gpg.verifySignatures=true' ' + test_when_finished "git reset --hard && git checkout initial" && + test_config gpg.verifySignatures true && + test_must_fail git merge $(cat forged.commit) 2>mergeerror && + test_i18ngrep "has a bad GPG signature allegedly by" mergeerror +' + test_expect_success GPG 'merge unsigned commit into unborn branch' ' test_when_finished "git checkout initial" && git checkout --orphan unborn && -- 2.25.0.rc1.302.gc71d20beed
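
Review bot: In the Documentation/config/gpg.txt hunk, the new gpg.verifySignatures entry states neither its default nor which operations honor it. Going by the rest of this patch, only merge reads it and an unset value leaves verification off; say both, so that nobody assumes the knob already covers other commands. Also "This option act as" should read "acts as".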
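
Review bot: In the Documentation/config/merge.txt hunk, the added cross-reference to gpg.verifySignatures does not state precedence. The commit message says merge.verifySignatures overrides the global variant; put that sentence here as well, because a repository that carries merge.verifySignatures=false will merge unverified commits even when the user has set gpg.verifySignatures=true, and the text as written does not warn of that.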
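
Review bot: In the git_merge_config() hunk of builtin/merge.c, the `verify_signatures < 0` guard on the gpg.verifysignatures branch makes the first gpg.verifySignatures value read win instead of the last. The callback runs once per key in the order the config files are read, so gpg.verifySignatures=false in the system config followed by gpg.verifySignatures=true in the user or repository config leaves verify_signatures at 0 and verification silently off. The guard is only needed to stop the global key from clobbering merge.verifySignatures; parse the global key into its own variable (last one wins) and apply it after config parsing only when merge.verifySignatures was never set.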
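
Review bot: In the two cmd_merge() hunks of builtin/merge.c, each test is rewritten to `verify_signatures == 1` because the variable now starts at -1, which leaves every other truthiness test of verify_signatures in the file treating "unset" as enabled. Only these two sites are visible in the patch; rather than auditing each use, normalize once after config and option parsing (set it to 0 when it is still negative) and keep the plain `if (verify_signatures)` form.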
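
Review bot: In the t/t7612-merge-verify-signatures.sh hunk, the third new test is titled "clone.verifySignatures=false and gpg.verifySignatures=true" but its body sets merge.verifySignatures, so the title should name merge.verifySignatures. Coverage is also one-sided: every new case has gpg.verifySignatures=true. Add gpg.verifySignatures=false with merge.verifySignatures=true (expect failure on the forged commit), gpg.verifySignatures=false with --verify-signatures, and a case where gpg.verifySignatures is set to different values in two config scopes.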