diff options
author | Junio C Hamano <gitster@pobox.com> | 2021-12-21 23:03:15 (GMT) |
---|---|---|
committer | Junio C Hamano <gitster@pobox.com> | 2021-12-21 23:03:15 (GMT) |
commit | d2f0b7275998ebeaa15e48ce0180c466e1d77ec4 (patch) | |
tree | 9c78f0d3b6d3ba03fc9e6466f1f56fdc31443fcf /t/t4202-log.sh | |
parent | 3770c21be99a1e387794ec21e9bfeb3c640376b6 (diff) | |
parent | 50992f96c546ebdc0c149660f6baa948739888d9 (diff) | |
download | git-d2f0b7275998ebeaa15e48ce0180c466e1d77ec4.zip git-d2f0b7275998ebeaa15e48ce0180c466e1d77ec4.tar.gz git-d2f0b7275998ebeaa15e48ce0180c466e1d77ec4.tar.bz2 |
Merge branch 'fs/ssh-signing-key-lifetime'
Extend the signing of objects with SSH keys and learn to pay
attention to the key validity time range when verifying.
* fs/ssh-signing-key-lifetime:
ssh signing: verify ssh-keygen in test prereq
ssh signing: make fmt-merge-msg consider key lifetime
ssh signing: make verify-tag consider key lifetime
ssh signing: make git log verify key lifetime
ssh signing: make verify-commit consider key lifetime
ssh signing: add key lifetime test prereqs
ssh signing: use sigc struct to pass payload
t/fmt-merge-msg: make gpgssh tests more specific
t/fmt-merge-msg: do not redirect stderr
Diffstat (limited to 't/t4202-log.sh')
-rwxr-xr-x | t/t4202-log.sh | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/t/t4202-log.sh b/t/t4202-log.sh index 7a725b9..2ced7e9 100755 --- a/t/t4202-log.sh +++ b/t/t4202-log.sh @@ -1714,6 +1714,24 @@ test_expect_success GPGSSH 'setup sshkey signed branch' ' git commit -S -m signed_commit ' +test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'create signed commits with keys having defined lifetimes' ' + test_config gpg.format ssh && + touch file && + git add file && + + echo expired >file && test_tick && git commit -a -m expired -S"${GPGSSH_KEY_EXPIRED}" && + git tag expired-signed && + + echo notyetvalid >file && test_tick && git commit -a -m notyetvalid -S"${GPGSSH_KEY_NOTYETVALID}" && + git tag notyetvalid-signed && + + echo timeboxedvalid >file && test_tick && git commit -a -m timeboxedvalid -S"${GPGSSH_KEY_TIMEBOXEDVALID}" && + git tag timeboxedvalid-signed && + + echo timeboxedinvalid >file && test_tick && git commit -a -m timeboxedinvalid -S"${GPGSSH_KEY_TIMEBOXEDINVALID}" && + git tag timeboxedinvalid-signed +' + test_expect_success GPGSM 'log x509 fingerprint' ' echo "F8BF62E0693D0694816377099909C779FA23FD65 | " >expect && git log -n1 --format="%GF | %GP" signed-x509 >actual && @@ -1751,6 +1769,31 @@ test_expect_success GPGSSH 'log --graph --show-signature ssh' ' grep "${GOOD_SIGNATURE_TRUSTED}" actual ' +test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'log shows failure on expired signature key' ' + test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && + git log --graph --show-signature -n1 expired-signed >actual && + ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual +' + +test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'log shows failure on not yet valid signature key' ' + test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && + git log --graph --show-signature -n1 notyetvalid-signed >actual && + ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual +' + +test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'log show success with commit date and key validity matching' ' + test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && + git log --graph --show-signature -n1 timeboxedvalid-signed >actual && + grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual && + ! grep "${GPGSSH_BAD_SIGNATURE}" actual +' + +test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'log shows failure with commit date outside of key validity' ' + test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && + git log --graph --show-signature -n1 timeboxedinvalid-signed >actual && + ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual +' + test_expect_success GPG 'log --graph --show-signature for merged tag' ' test_when_finished "git reset --hard && git checkout main" && git checkout -b plain main && |