summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorbrian m. carlson <sandals@crustytoothpaste.net>2015-06-21 23:14:43 (GMT)
committerJunio C Hamano <gitster@pobox.com>2015-06-22 21:20:47 (GMT)
commite18443ece711564145d545b650851c4615717128 (patch)
tree1908d85b9ea17b6f47014550d05161f244aa0180
parentaeff29dd4dab01b497b2a2cf73e982e846a5fe4c (diff)
downloadgit-e18443ece711564145d545b650851c4615717128.zip
git-e18443ece711564145d545b650851c4615717128.tar.gz
git-e18443ece711564145d545b650851c4615717128.tar.bz2
verify-tag: add option to print raw gpg status information
verify-tag by default displays human-readable output on standard error. However, it can also be useful to get access to the raw gpg status information, which is machine-readable, allowing automated implementation of signing policy. Add a --raw option to make verify-tag produce the gpg status information on standard error instead of the human-readable format. Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
-rw-r--r--Documentation/git-verify-tag.txt4
-rw-r--r--builtin/verify-tag.c17
-rwxr-xr-xt/t7030-verify-tag.sh31
3 files changed, 46 insertions, 6 deletions
diff --git a/Documentation/git-verify-tag.txt b/Documentation/git-verify-tag.txt
index f88ba96..d590edc 100644
--- a/Documentation/git-verify-tag.txt
+++ b/Documentation/git-verify-tag.txt
@@ -16,6 +16,10 @@ Validates the gpg signature created by 'git tag'.
OPTIONS
-------
+--raw::
+ Print the raw gpg status output to standard error instead of the normal
+ human-readable output.
+
-v::
--verbose::
Print the contents of the tag object before validating it.
diff --git a/builtin/verify-tag.c b/builtin/verify-tag.c
index d67e3db..00663f6 100644
--- a/builtin/verify-tag.c
+++ b/builtin/verify-tag.c
@@ -18,7 +18,7 @@ static const char * const verify_tag_usage[] = {
NULL
};
-static int run_gpg_verify(const char *buf, unsigned long size, int verbose)
+static int run_gpg_verify(const char *buf, unsigned long size, unsigned flags)
{
struct signature_check sigc;
int len;
@@ -29,19 +29,19 @@ static int run_gpg_verify(const char *buf, unsigned long size, int verbose)
len = parse_signature(buf, size);
if (size == len) {
- if (verbose)
+ if (flags & GPG_VERIFY_VERBOSE)
write_in_full(1, buf, len);
return error("no signature found");
}
ret = check_signature(buf, len, buf + len, size - len, &sigc);
- print_signature_buffer(&sigc, verbose ? GPG_VERIFY_VERBOSE : 0);
+ print_signature_buffer(&sigc, flags);
signature_check_clear(&sigc);
return ret;
}
-static int verify_tag(const char *name, int verbose)
+static int verify_tag(const char *name, unsigned flags)
{
enum object_type type;
unsigned char sha1[20];
@@ -61,7 +61,7 @@ static int verify_tag(const char *name, int verbose)
if (!buf)
return error("%s: unable to read file.", name);
- ret = run_gpg_verify(buf, size, verbose);
+ ret = run_gpg_verify(buf, size, flags);
free(buf);
return ret;
@@ -78,8 +78,10 @@ static int git_verify_tag_config(const char *var, const char *value, void *cb)
int cmd_verify_tag(int argc, const char **argv, const char *prefix)
{
int i = 1, verbose = 0, had_error = 0;
+ unsigned flags = 0;
const struct option verify_tag_options[] = {
OPT__VERBOSE(&verbose, N_("print tag contents")),
+ OPT_BIT(0, "raw", &flags, N_("print raw gpg status output"), GPG_VERIFY_RAW),
OPT_END()
};
@@ -90,11 +92,14 @@ int cmd_verify_tag(int argc, const char **argv, const char *prefix)
if (argc <= i)
usage_with_options(verify_tag_usage, verify_tag_options);
+ if (verbose)
+ flags |= GPG_VERIFY_VERBOSE;
+
/* sometimes the program was terminated because this signal
* was received in the process of writing the gpg input: */
signal(SIGPIPE, SIG_IGN);
while (i < argc)
- if (verify_tag(argv[i++], verbose))
+ if (verify_tag(argv[i++], flags))
had_error = 1;
return had_error;
}
diff --git a/t/t7030-verify-tag.sh b/t/t7030-verify-tag.sh
index 632bc53..4608e71 100755
--- a/t/t7030-verify-tag.sh
+++ b/t/t7030-verify-tag.sh
@@ -81,4 +81,35 @@ test_expect_success GPG 'detect fudged signature' '
! grep "Good signature from" actual1
'
+test_expect_success GPG 'verify signatures with --raw' '
+ (
+ for tag in initial second merge fourth-signed sixth-signed seventh-signed
+ do
+ git verify-tag --raw $tag 2>actual &&
+ grep "GOODSIG" actual &&
+ ! grep "BADSIG" actual &&
+ echo $tag OK || exit 1
+ done
+ ) &&
+ (
+ for tag in fourth-unsigned fifth-unsigned sixth-unsigned
+ do
+ test_must_fail git verify-tag --raw $tag 2>actual &&
+ ! grep "GOODSIG" actual &&
+ ! grep "BADSIG" actual &&
+ echo $tag OK || exit 1
+ done
+ ) &&
+ (
+ for tag in eighth-signed-alt
+ do
+ git verify-tag --raw $tag 2>actual &&
+ grep "GOODSIG" actual &&
+ ! grep "BADSIG" actual &&
+ grep "TRUST_UNDEFINED" actual &&
+ echo $tag OK || exit 1
+ done
+ )
+'
+
test_done