summaryrefslogtreecommitdiff
path: root/gpg-interface.c
diff options
context:
space:
mode:
authorJunio C Hamano <gitster@pobox.com>2018-08-09 18:40:27 (GMT)
committerJunio C Hamano <gitster@pobox.com>2018-08-09 22:34:16 (GMT)
commit4e5dc9ca179931b4dc39b32f06facc5a31091403 (patch)
tree5925d25128281133417564f31622c176b43e175f /gpg-interface.c
parent53f9a3e157dbbc901a02ac2c73346d375e24978c (diff)
downloadgit-4e5dc9ca179931b4dc39b32f06facc5a31091403.zip
git-4e5dc9ca179931b4dc39b32f06facc5a31091403.tar.gz
git-4e5dc9ca179931b4dc39b32f06facc5a31091403.tar.bz2
gpg-interface: propagate exit status from gpg back to the callers
When gpg-interface API unified support for signature verification codepaths for signed tags and signed commits in mid 2015 at around v2.6.0-rc0~114, we accidentally loosened the GPG signature verification. Before that change, signed commits were verified by looking for "G"ood signature from GPG, while ignoring the exit status of "gpg --verify" process, while signed tags were verified by simply passing the exit status of "gpg --verify" through. The unified code we currently have ignores the exit status of "gpg --verify" and returns successful verification when the signature matches an unexpired key regardless of the trust placed on the key (i.e. in addition to "G"ood ones, we accept "U"ntrusted ones). Make these commands signal failure with their exit status when underlying "gpg --verify" (or the custom command specified by "gpg.program" configuration variable) does so. This essentially changes their behaviour in a backward incompatible way to reject signatures that have been made with untrusted keys even if they correctly verify, as that is how "gpg --verify" behaves. Note that the code still overrides a zero exit status obtained from "gpg" (or gpg.program) if the output does not say the signature is good or computes correctly but made with untrusted keys, to catch a poorly written wrapper around "gpg" the user may give us. We could exclude "U"ntrusted support from this fallback code, but that would be making two backward incompatible changes in a single commit, so let's avoid that for now. A follow-up change could do so if desired. Helped-by: Vojtech Myslivec <vojtech.myslivec@nic.cz> Helped-by: brian m. carlson <sandals@crustytoothpaste.net> Helped-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'gpg-interface.c')
-rw-r--r--gpg-interface.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/gpg-interface.c b/gpg-interface.c
index 0647bd6..b5e64c5 100644
--- a/gpg-interface.c
+++ b/gpg-interface.c
@@ -81,12 +81,13 @@ int check_signature(const char *payload, size_t plen, const char *signature,
sigc->gpg_output = strbuf_detach(&gpg_output, NULL);
sigc->gpg_status = strbuf_detach(&gpg_status, NULL);
parse_gpg_output(sigc);
+ status |= sigc->result != 'G' && sigc->result != 'U';
out:
strbuf_release(&gpg_status);
strbuf_release(&gpg_output);
- return sigc->result != 'G' && sigc->result != 'U';
+ return !!status;
}
void print_signature_buffer(const struct signature_check *sigc, unsigned flags)