While debugging the breakages introduced by hi/gpg-prefer-check-signature, I noticed that the GPG prereq was not available on Windows, even if Git for Windows' SDK comes with a fully functional GPG2.

The fix was easy, but finding out what was going on was not, so for good measure, the fix is accompanied by a patch that will hopefully make future investigations into GPG-related problems much, much easier.

Changes since v1:

 * The prereqs are now lazy ones.
 * A new patch was introduced to make tracing via -x work even with those inter-dependent prereqs.
 * The test-signing's stdout is redirected to /dev/null because it is unreadable and unhelpful binary gibberish, anyway. (This imitates Peff's patch.)

Johannes Schindelin (5):
  tests(gpg): allow the gpg-agent to start on Windows
  t/lib-gpg.sh: stop pretending to be a stand-alone script
  tests: turn GPG, GPGSM and RFC1991 into lazy prereqs
  tests: do not let lazy prereqs inside `test_expect_*` turn off tracing
  tests: increase the verbosity of the GPG-related prereqs

 t/lib-gpg.sh     | 110 ++++++++++++++++++++++++++---------------------
 t/t0000-basic.sh |  13 ++++++
 t/test-lib.sh    |   6 ++-
 3 files changed, 77 insertions(+), 52 deletions(-)

base-commit: 30e9940356dc67959877f4b2417da33ebdefbb79
Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-git-728%2Fdscho%2Fci-windows-gpg-v2
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-git-728/dscho/ci-windows-gpg-v2
Pull-Request: https://github.com/git/git/pull/728

Range-diff vs v1:

 1: 287a21f1033 = 1: 287a21f1033 tests(gpg): allow the gpg-agent to start on Windows
 -: ----------- > 2: c1811d54190 t/lib-gpg.sh: stop pretending to be a stand-alone script
 2: dd26cb05a37 ! 3: 85457a7b618 tests(gpg): increase verbosity to allow debugging
@@ -1,21 +1,36 @@ Author: Johannes Schindelin <johannes.schindelin@xxxxxx> - tests(gpg): increase verbosity to allow debugging + tests: turn GPG, GPGSM and RFC1991 into lazy prereqs - Especially when debugging a test failure that can only be reproduced in - the CI build (e.g. when the developer has no access to a macOS machine - other than running the tests on a macOS build agent), output should not - be suppressed. + The code to set those prereqs is executed completely outside of any + `test_eval_` block. As a consequence, its output had to be suppressed so + that it does not clutter the output of a regular test script run. - In the instance of `hi/gpg-prefer-check-signature`, where one - GPG-related test failed for no apparent reason, the entire output of - `gpg` and `gpgsm` was suppressed, even in verbose mode, leaving - interested readers no clue what was going wrong. + Unfortunately, the output *stays* suppressed even when the `--verbose` + option is in effect. - Let's fix this by redirecting the output not to `/dev/null`, but to the - file descriptors that may, or may not, be redirected via - `--verbose-log`. For good measure, also turn on tracing if the user - asked for it, and prefix it with a helpful info message. + This hid important output when debugging why the GPG prereq was not + enabled in the Windows part of our CI builds. + + In preparation for fixing that, let's move all of this code into lazy + prereqs. + + The only slightly tricky part is the global environment variable + `GNUPGHOME`. Originally, it was configured only when we verified that + there is a `gpg` in the `PATH` that we can use. This is now no longer + possible, as lazy prereqs are evaluated in a subshell that changes the + working directory to a temporary one. Therefore, we simply _always_ set + that environment variable: it does not hurt anything because it does not + indicate the presence of a working GPG. 
+ + Side note: it was quite tempting to use a hack that is possible because + we do not validate what is passed to `test_lazy_prereq` (and it is + therefore possible to "break out" of the lazy_prereq subshell: + + test_lazy_prereq GPG '...) && GNUPGHOME=... && (...' + + However, this is rather tricksy hobbitses code, and the current patch is + _much_ easier to understand. Signed-off-by: Johannes Schindelin <johannes.schindelin@xxxxxx> @@ -23,67 +38,128 @@ --- a/t/lib-gpg.sh 
+++ b/t/lib-gpg.sh @@ +-gpg_version=$(gpg --version 2>&1) +-if test $? != 127 +-then ++# We always set GNUPGHOME, even if no usable GPG was found, as ++# ++# - It does not hurt, and ++# ++# - we cannot set global environment variables in lazy prereqs because they are ++# executed in an eval'ed subshell that changes the working directory to a ++# temporary one. ++ ++GNUPGHOME="$PWD/gpghome" ++export GNUPGHOME ++ ++test_lazy_prereq GPG ' ++ gpg_version=$(gpg --version 2>&1) ++ test $? != 127 || exit 1 ++ + # As said here: http://www.gnupg.org/documentation/faqs.html#q6.19 +- # the gpg version 1.0.6 didn't parse trust packets correctly, so for ++ # the gpg version 1.0.6 did not parse trust packets correctly, so for + # that version, creation of signed tags using the generated key fails. + case "$gpg_version" in +- 'gpg (GnuPG) 1.0.6'*) ++ "gpg (GnuPG) 1.0.6"*) say "Your version of gpg (1.0.6) is too buggy for testing" ++ exit 1 ;; *) -+ say_color info >&4 "Trying to set up GPG" -+ want_trace && set -x # Available key info: - # * Type DSA and Elgamal, size 2048 bits, no expiration date, - # name and email: C O Mitter <committer@xxxxxxxxxxx> @@ - chmod 0700 ./gpghome && - GNUPGHOME="$PWD/gpghome" && - export GNUPGHOME && -- (gpgconf --kill gpg-agent >/dev/null 2>&1 || : ) && -- gpg --homedir "${GNUPGHOME}" 2>/dev/null --import \ -- "$TEST_DIRECTORY"/lib-gpg/keyring.gpg && -- gpg --homedir "${GNUPGHOME}" 2>/dev/null --import-ownertrust \ -- "$TEST_DIRECTORY"/lib-gpg/ownertrust && -- gpg --homedir "${GNUPGHOME}" </dev/null >/dev/null 2>&1 \ + # To export ownertrust: + # gpg --homedir /tmp/gpghome --export-ownertrust \ + # > lib-gpg/ownertrust +- mkdir ./gpghome && +- chmod 0700 ./gpghome && +- GNUPGHOME="$PWD/gpghome" && +- export GNUPGHOME && ++ mkdir "$GNUPGHOME" && ++ chmod 0700 "$GNUPGHOME" && + (gpgconf --kill gpg-agent >/dev/null 2>&1 || : ) && + gpg --homedir "${GNUPGHOME}" 2>/dev/null --import \ + "$TEST_DIRECTORY"/lib-gpg/keyring.gpg && + gpg --homedir 
"${GNUPGHOME}" 2>/dev/null --import-ownertrust \ + "$TEST_DIRECTORY"/lib-gpg/ownertrust && + gpg --homedir "${GNUPGHOME}" </dev/null >/dev/null 2>&1 \ - --sign -u committer@xxxxxxxxxxx && -+ (gpgconf --kill gpg-agent >&3 2>&4 || : ) && -+ gpg --homedir "${GNUPGHOME}" --import \ -+ "$TEST_DIRECTORY"/lib-gpg/keyring.gpg >&3 2>&4 && -+ gpg --homedir "${GNUPGHOME}" --import-ownertrust \ -+ "$TEST_DIRECTORY"/lib-gpg/ownertrust >&3 2>&4 && -+ gpg --homedir "${GNUPGHOME}" </dev/null \ -+ --sign -u committer@xxxxxxxxxxx >&3 2>&4 && - test_set_prereq GPG && - # Available key info: - # * see t/lib-gpg/gpgsm-gen-key.in -@@ - # gpgsm --homedir /tmp/gpghome/ \ - # -o t/lib-gpg/gpgsm_cert.p12 \ - # --export-secret-key-p12 "committer@xxxxxxxxxxx" +- test_set_prereq GPG && +- # Available key info: +- # * see t/lib-gpg/gpgsm-gen-key.in +- # To generate new certificate: +- # * no passphrase +- # gpgsm --homedir /tmp/gpghome/ \ +- # -o /tmp/gpgsm.crt.user \ +- # --generate-key \ +- # --batch t/lib-gpg/gpgsm-gen-key.in +- # To import certificate: +- # gpgsm --homedir /tmp/gpghome/ \ +- # --import /tmp/gpgsm.crt.user +- # To export into a .p12 we can later import: +- # gpgsm --homedir /tmp/gpghome/ \ +- # -o t/lib-gpg/gpgsm_cert.p12 \ +- # --export-secret-key-p12 "committer@xxxxxxxxxxx" - echo | gpgsm --homedir "${GNUPGHOME}" 2>/dev/null \ -+ echo | gpgsm --homedir "${GNUPGHOME}" >&3 2>&4 \ - --passphrase-fd 0 --pinentry-mode loopback \ - --import "$TEST_DIRECTORY"/lib-gpg/gpgsm_cert.p12 && - +- --passphrase-fd 0 --pinentry-mode loopback \ +- --import "$TEST_DIRECTORY"/lib-gpg/gpgsm_cert.p12 && +- - gpgsm --homedir "${GNUPGHOME}" 2>/dev/null -K | -+ gpgsm --homedir "${GNUPGHOME}" -K 2>&4 | - grep fingerprint: | - cut -d" " -f4 | - tr -d '\n' >"${GNUPGHOME}/trustlist.txt" && - - echo " S relax" >>"${GNUPGHOME}/trustlist.txt" && +- grep fingerprint: | +- cut -d" " -f4 | +- tr -d '\n' >"${GNUPGHOME}/trustlist.txt" && +- +- echo " S relax" >>"${GNUPGHOME}/trustlist.txt" && - echo hello | 
gpgsm --homedir "${GNUPGHOME}" >/dev/null \ - -u committer@xxxxxxxxxxx -o /dev/null --sign - 2>&1 && -+ echo hello | gpgsm --homedir "${GNUPGHOME}" >&3 2>&4 \ -+ -u committer@xxxxxxxxxxx -o /dev/null --sign - && - test_set_prereq GPGSM +- test_set_prereq GPGSM ++ --sign -u committer@xxxxxxxxxxx ;; esac - fi +-fi ++' ++ ++test_lazy_prereq GPGSM ' ++ test_have_prereq GPG && ++ # Available key info: ++ # * see t/lib-gpg/gpgsm-gen-key.in ++ # To generate new certificate: ++ # * no passphrase ++ # gpgsm --homedir /tmp/gpghome/ \ ++ # -o /tmp/gpgsm.crt.user \ ++ # --generate-key \ ++ # --batch t/lib-gpg/gpgsm-gen-key.in ++ # To import certificate: ++ # gpgsm --homedir /tmp/gpghome/ \ ++ # --import /tmp/gpgsm.crt.user ++ # To export into a .p12 we can later import: ++ # gpgsm --homedir /tmp/gpghome/ \ ++ # -o t/lib-gpg/gpgsm_cert.p12 \ ++ # --export-secret-key-p12 "committer@xxxxxxxxxxx" ++ echo | gpgsm --homedir "${GNUPGHOME}" 2>/dev/null \ ++ --passphrase-fd 0 --pinentry-mode loopback \ ++ --import "$TEST_DIRECTORY"/lib-gpg/gpgsm_cert.p12 && ++ ++ gpgsm --homedir "${GNUPGHOME}" 2>/dev/null -K | ++ grep fingerprint: | ++ cut -d" " -f4 | ++ tr -d "\\n" >"${GNUPGHOME}/trustlist.txt" && ++ ++ echo " S relax" >>"${GNUPGHOME}/trustlist.txt" && ++ echo hello | gpgsm --homedir "${GNUPGHOME}" >/dev/null \ ++ -u committer@xxxxxxxxxxx -o /dev/null --sign - 2>&1 ++' - if test_have_prereq GPG && +-if test_have_prereq GPG && - echo | gpg --homedir "${GNUPGHOME}" -b --rfc1991 >/dev/null 2>&1 -+ echo | gpg --homedir "${GNUPGHOME}" -b --rfc1991 >&3 2>&4 - then - test_set_prereq RFC1991 - fi -+want_trace && set +x +-then +- test_set_prereq RFC1991 +-fi ++test_lazy_prereq RFC1991 ' ++ test_have_prereq GPG && ++ echo | gpg --homedir "${GNUPGHOME}" -b --rfc1991 >/dev/null 2>&1 ++' sanitize_pgp() { perl -ne ' -: ----------- > 4: 0767c8b77c8 tests: do not let lazy prereqs inside `test_expect_*` turn off tracing -: ----------- > 5: 5e89b512513 tests: increase the verbosity of the GPG-related 
prereqs -- gitgitgadget
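
Review bot: In the commit message of 3/5, the parenthesis opened in the side note at "(and it is therefore possible to "break out" of the lazy_prereq subshell:" is never closed; close it before the colon or drop it. The message also says nothing about the quoting changes that moving the code into a single-quoted `test_lazy_prereq` body forced in the hunk ("did not" in the comment, `"gpg (GnuPG) 1.0.6"*`, `tr -d "\\n"`). One sentence on that would spare a reader from wondering whether they are unrelated cleanups.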
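
Review bot: In the t/lib-gpg.sh hunk of 3/5, `GNUPGHOME` is now exported as soon as the file is sourced, but the directory is only created by `mkdir "$GNUPGHOME"` inside the GPG lazy prereq, so until that prereq has been evaluated the variable names a path that does not exist. The new comment only says that setting it "does not hurt"; it should also state that the directory appears on first evaluation of the GPG prereq, so that a test invoking gpg without declaring GPG is understood to run against a missing home. Separately, `test $? != 127 || exit 1` and the `exit 1` in the 1.0.6 branch are only safe because the prereq body runs in a subshell, as the commit message notes; a short comment next to them saying so would keep a later refactoring from turning them into an exit of the whole test script.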