On Wed, 27 Oct 2021 at 09:06, Fabian Stelzer <fs@xxxxxxxxxxxx> wrote:
> This series adds key lifetime validity checks by parsing commit/tag
> dates from the payload and passing them to the ssh-keygen operations.
>
> changes since v1:
> - struct signature_check is now used to input payload data into
>   check_function
> - payload metadata parsing is completely internal to check_signature.
>   the caller only needs to set the payload type in the sigc struct
> - small nits and readability fixes
> - removed payload_signer parameter. since we now use the struct we can extend
>   this later.
>
> Since the last 3 patches now only contain a minimal code change and the
> tests for the separate callers we could merge them together. I don't
> mind either way.
>
> Fabian Stelzer (6):
>   ssh signing: use sigc struct to pass payload
>   ssh signing: add key lifetime test prereqs
>   ssh signing: make verify-commit consider key lifetime
>   ssh signing: make git log verify key lifetime
>   ssh signing: make verify-tag consider key lifetime
>   ssh signing: make fmt-merge-msg consider key lifetime
>
>  Documentation/config/gpg.txt     |  5 ++
>  builtin/receive-pack.c           |  6 ++-
>  commit.c                         |  6 ++-
>  fmt-merge-msg.c                  |  5 +-
>  gpg-interface.c                  | 87 ++++++++++++++++++++++++--------
>  gpg-interface.h                  | 15 ++++--
>  log-tree.c                       | 10 ++--
>  t/lib-gpg.sh                     | 19 ++++++-
>  t/t4202-log.sh                   | 43 ++++++++++++++++
>  t/t6200-fmt-merge-msg.sh         | 54 ++++++++++++++++++++
>  t/t7031-verify-tag-signed-ssh.sh | 42 +++++++++++++++
>  t/t7528-signed-commit-ssh.sh     | 42 +++++++++++++++
>  tag.c                            |  5 +-
>  13 files changed, 303 insertions(+), 36 deletions(-)
>
>
> base-commit: e9e5ba39a78c8f5057262d49e261b42a8660d5b9

As part of testing v2.34-rc0 on Cygwin, I've found this patch series is breaking t4202, t5534, and t6200.
Specifically, bisecting points to f265f2d630 (ssh signing: tests for logs, tags & push certs, 2021-09-10) as breaking t4202 and t5534, while responsibility for t6200 seems to be 9d12546de9 (ssh signing: fmt-merge-msg tests & config parse, 2021-10-12). I've not yet done any investigation into the specifics of these failures, but I wanted to report them early so other folks could get on with investigating as appropriate.