summaryrefslogtreecommitdiff
path: root/gpg-interface.h
diff options
context:
space:
mode:
authorHans Jerry Illikainen <hji@dyntopia.com>2019-11-27 17:48:21 (GMT)
committerJunio C Hamano <gitster@pobox.com>2019-11-30 21:52:35 (GMT)
commit72b006f4bfd30b7c5037c163efaf279ab65bea9c (patch)
tree50fdf5a566469f65c1b496efaaee77961775322e /gpg-interface.h
parent67a6ea63008bcee32a239934ad29eb5c5a554509 (diff)
downloadgit-72b006f4bfd30b7c5037c163efaf279ab65bea9c.zip
git-72b006f4bfd30b7c5037c163efaf279ab65bea9c.tar.gz
git-72b006f4bfd30b7c5037c163efaf279ab65bea9c.tar.bz2
gpg-interface: prefer check_signature() for GPG verification
This commit refactors the use of verify_signed_buffer() outside of gpg-interface.c to use check_signature() instead. It also turns verify_signed_buffer() into a file-local function since it's now only invoked internally by check_signature(). There were previously two globally scoped functions used in different parts of Git to perform GPG signature verification: verify_signed_buffer() and check_signature(). Now only check_signature() is used. The verify_signed_buffer() function doesn't guard against duplicate signatures as described by Michał Górny [1]. Instead it only ensures a non-erroneous exit code from GPG and the presence of at least one GOODSIG status field. This stands in contrast with check_signature() that returns an error if more than one signature is encountered. The lower degree of verification makes the use of verify_signed_buffer() problematic if callers don't parse and validate the various parts of the GPG status message themselves. And processing these messages seems like a task that should be reserved to gpg-interface.c with the function check_signature(). Furthermore, the use of verify_signed_buffer() makes it difficult to introduce new functionality that relies on the content of the GPG status lines. Now all operations that does signature verification share a single entry point to gpg-interface.c. This makes it easier to propagate changed or additional functionality in GPG signature verification to all parts of Git, without having odd edge-cases that don't perform the same degree of verification. [1] https://dev.gentoo.org/~mgorny/articles/attack-on-git-signature-verification.html Signed-off-by: Hans Jerry Illikainen <hji@dyntopia.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'gpg-interface.h')
-rw-r--r--gpg-interface.h9
1 files changed, 0 insertions, 9 deletions
diff --git a/gpg-interface.h b/gpg-interface.h
index 3e624ec..93cc3af 100644
--- a/gpg-interface.h
+++ b/gpg-interface.h
@@ -46,15 +46,6 @@ size_t parse_signature(const char *buf, size_t size);
int sign_buffer(struct strbuf *buffer, struct strbuf *signature,
const char *signing_key);
-/*
- * Run "gpg" to see if the payload matches the detached signature.
- * gpg_output, when set, receives the diagnostic output from GPG.
- * gpg_status, when set, receives the status output from GPG.
- */
-int verify_signed_buffer(const char *payload, size_t payload_size,
- const char *signature, size_t signature_size,
- struct strbuf *gpg_output, struct strbuf *gpg_status);
-
int git_gpg_config(const char *, const char *, void *);
void set_signing_key(const char *);
const char *get_signing_key(void);