This patch refactors the use of verify_signed_buffer() for GPG verification to use check_signature() instead.

Previously, both check_signature() and verify_signed_buffer() were used to verify signatures in various parts of Git. However, verify_signed_buffer() does not parse the GPG status message. Instead, it relies entirely on the exit code from GPG coupled with the existence of a GOODSIG string in the output buffer. Unfortunately, the mere presence of GOODSIG does not necessarily imply a valid signature, as shown by Michał Górny [1].

verify_signed_buffer() should be reserved for internal use by check_signature() since check_signature() parses and verifies the status message. This is accomplished in this patch.

Changes since v0:

* Added regression tests for log-tree and fmt-merge-msg.
* Fixed a bug in log-tree.c that caused "No signature" to be shown erroneously.
* Fixed a similar bug in fmt-merge-msg.c.
* Always invoke signature_check_clear() after check_signature(). The check function may touch the signature_check structure on failure.

[1] https://dev.gentoo.org/~mgorny/articles/attack-on-git-signature-verification.html

Hans Jerry Illikainen (2):
  t: increase test coverage of signature verification output
  gpg-interface: prefer check_signature() for GPG verification

 builtin/fmt-merge-msg.c  |  11 ++--
 gpg-interface.c          |  97 +++++++++++++++++------------------
 gpg-interface.h          |   9 ----
 log-tree.c               |  34 ++++++-------
 t/t4202-log.sh           | 106 +++++++++++++++++++++++++++++++++++++++
 t/t6200-fmt-merge-msg.sh |  23 +++++++++
 6 files changed, 202 insertions(+), 78 deletions(-)

--
2.25.1.709.g558d21736a
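The distinction the cover letter draws, between grepping the GPG output for "GOODSIG" and actually parsing the `--status-fd` lines, as an added example in C. This is not git's own code: the status keyword table, the `sig_result` codes, and the function names `naive_goodsig_check()` and `classify_gpg_status()` are assumptions made for this illustration, and the status buffers in the test are constructed, not captured from gpg.

```c
#include <string.h>

/* Classification of a gpg --status-fd buffer. The single-letter codes are
 * an assumption for this example and are not git's own result table. */
enum sig_result {
    SIG_NO_STATUS = 'N',   /* no signature result line at all */
    SIG_GOOD      = 'G',   /* exactly one GOODSIG and nothing else */
    SIG_BAD       = 'B',   /* BADSIG, or a good key that is expired/revoked */
    SIG_ERROR     = 'E',   /* ERRSIG: gpg could not check the signature */
    SIG_MULTIPLE  = 'M'    /* more than one signature result line: refuse */
};

struct status_kw {
    const char *kw;
    enum sig_result result;
};

/* Status keywords gpg emits for a signature verification result. */
static const struct status_kw signature_kws[] = {
    { "GOODSIG",   SIG_GOOD  },
    { "BADSIG",    SIG_BAD   },
    { "ERRSIG",    SIG_ERROR },
    { "EXPSIG",    SIG_BAD   },
    { "EXPKEYSIG", SIG_BAD   },
    { "REVKEYSIG", SIG_BAD   }
};

#define STATUS_PREFIX "[GNUPG:] "

/* The weak check the patch removes: accept if "GOODSIG" appears anywhere,
 * regardless of whether it is a status line or what other lines say. */
int naive_goodsig_check(const char *status)
{
    return strstr(status, "GOODSIG") != NULL;
}

/* Classify one line. Returns 0 unless the line is a "[GNUPG:] <KEYWORD>"
 * signature result line; the keyword must be followed by a space or EOL so
 * that e.g. "EXPSIG" never matches "EXPKEYSIG" by prefix. */
static int classify_line(const char *line, size_t len)
{
    size_t plen = strlen(STATUS_PREFIX);
    size_t i;

    if (len < plen || memcmp(line, STATUS_PREFIX, plen) != 0)
        return 0;
    line += plen;
    len -= plen;
    for (i = 0; i < sizeof(signature_kws) / sizeof(signature_kws[0]); i++) {
        size_t klen = strlen(signature_kws[i].kw);
        if (len >= klen && memcmp(line, signature_kws[i].kw, klen) == 0 &&
            (len == klen || line[klen] == ' '))
            return signature_kws[i].result;
    }
    return 0;
}

/* Walk the buffer line by line. Only properly prefixed status lines count,
 * and a buffer carrying more than one signature result is refused outright
 * rather than letting a GOODSIG win over a BADSIG next to it. */
enum sig_result classify_gpg_status(const char *status)
{
    int seen = 0;
    enum sig_result result = SIG_NO_STATUS;
    const char *p = status;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        int r = classify_line(p, len);

        if (r) {
            seen++;
            result = (enum sig_result)r;
        }
        p += len;
        if (*p == '\n')
            p++;
    }
    return seen > 1 ? SIG_MULTIPLE : result;
}
```

The parser deliberately ignores any line without the `[GNUPG:] ` prefix, so text that merely mentions GOODSIG (gpg's human-readable stderr, or data echoed from the signed payload) cannot flip the verdict, and it treats two result lines in one verification as a failure rather than picking the favourable one.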