Fabian Stelzer <fs@xxxxxxxxxxxx> writes:
> To test for a key that is completely unknown to the keyring we need one
> to sign the commit with. This was done by generating a new key and not
> add it into the keyring. To avoid the key generation overhead and
> problems where GPG did hang in CI during it, switch GNUPGHOME to the
> empty $GNUPGHOME_NOT_USED instead, therefore making all used keys unknown
> for this single `verify-commit` call.
>
> Reported-by: Ævar Arnfjörð Bjarmason <avarab@xxxxxxxxx>
> Signed-off-by: Fabian Stelzer <fs@xxxxxxxxxxxx>
> ---
The original one is already in 'next' so I'll revert the merge and
queue this one instead.
We could turn this into incremental and apply it on the original
one, which may give us a chance to highlight this common mistake
of using a single-shot environment with shell functions, but let's
not bother.
Thanks.
> t/t7510-signed-commit.sh | 22 ++--------------------
> 1 file changed, 2 insertions(+), 20 deletions(-)
>
> diff --git a/t/t7510-signed-commit.sh b/t/t7510-signed-commit.sh
> index 9882b69ae2..8593b7e3cb 100755
> --- a/t/t7510-signed-commit.sh
> +++ b/t/t7510-signed-commit.sh
> @@ -71,25 +71,7 @@ test_expect_success GPG 'create signed commits' '
> git tag eleventh-signed $(cat oid) &&
> echo 12 | git commit-tree --gpg-sign=B7227189 HEAD^{tree} >oid &&
> test_line_count = 1 oid &&
> - git tag twelfth-signed-alt $(cat oid) &&
> -
> - cat >keydetails <<-\EOF &&
> - Key-Type: RSA
> - Key-Length: 2048
> - Subkey-Type: RSA
> - Subkey-Length: 2048
> - Name-Real: Unknown User
> - Name-Email: unknown@xxxxxxx
> - Expire-Date: 0
> - %no-ask-passphrase
> - %no-protection
> - EOF
> - gpg --batch --gen-key keydetails &&
> - echo 13 >file && git commit -a -S"unknown@xxxxxxx" -m thirteenth &&
> - git tag thirteenth-signed &&
> - DELETE_FINGERPRINT=$(gpg -K --with-colons --fingerprint --batch unknown@xxxxxxx | grep "^fpr" | head -n 1 | awk -F ":" "{print \$10;}") &&
> - gpg --batch --yes --delete-secret-keys $DELETE_FINGERPRINT &&
> - gpg --batch --yes --delete-keys unknown@xxxxxxx
> + git tag twelfth-signed-alt $(cat oid)
> '
>
> test_expect_success GPG 'verify and show signatures' '
> @@ -129,7 +111,7 @@ test_expect_success GPG 'verify and show signatures' '
> '
>
> test_expect_success GPG 'verify-commit exits failure on unknown signature' '
> - test_must_fail git verify-commit thirteenth-signed 2>actual &&
> + test_must_fail env GNUPGHOME="$GNUPGHOME_NOT_USED" git verify-commit initial 2>actual &&
> ! grep "Good signature from" actual &&
> ! grep "BAD signature from" actual &&
> grep -q -F -e "No public key" -e "public key not found" actual
