git/gpg-interface.c, branch v2.19.0

Merge branch 'jc/gpg-status'

2018-08-20T18:33:50Z

"git verify-tag" and "git verify-commit" have been taught to use the exit status of underlying "gpg --verify" to signal bad or untrusted signature they found. * jc/gpg-status: gpg-interface: propagate exit status from gpg back to the callers

gpg-interface: propagate exit status from gpg back to the callers

2018-08-09T22:34:16Z

When gpg-interface API unified support for signature verification codepaths for signed tags and signed commits in mid 2015 at around v2.6.0-rc0~114, we accidentally loosened the GPG signature verification. Before that change, signed commits were verified by looking for "G"ood signature from GPG, while ignoring the exit status of "gpg --verify" process, while signed tags were verified by simply passing the exit status of "gpg --verify" through. The unified code we currently have ignores the exit status of "gpg --verify" and returns successful verification when the signature matches an unexpired key regardless of the trust placed on the key (i.e. in addition to "G"ood ones, we accept "U"ntrusted ones). Make these commands signal failure with their exit status when underlying "gpg --verify" (or the custom command specified by "gpg.program" configuration variable) does so. This essentially changes their behaviour in a backward incompatible way to reject signatures that have been made with untrusted keys even if they correctly verify, as that is how "gpg --verify" behaves. Note that the code still overrides a zero exit status obtained from "gpg" (or gpg.program) if the output does not say the signature is good or computes correctly but made with untrusted keys, to catch a poorly written wrapper around "gpg" the user may give us. We could exclude "U"ntrusted support from this fallback code, but that would be making two backward incompatible changes in a single commit, so let's avoid that for now. A follow-up change could do so if desired. Helped-by: Vojtech Myslivec Helped-by: brian m. carlson Helped-by: Jeff King Signed-off-by: Junio C Hamano

gpg-interface: introduce new signature format "x509" using gpgsm

2018-07-18T17:02:23Z

This commit allows git to create and check x509 type signatures using gpgsm. Signed-off-by: Henning Schild Signed-off-by: Junio C Hamano

gpg-interface: introduce new config to select per gpg format program

2018-07-18T17:02:21Z

Supporting multiple signing formats we will have the need to configure a custom program each. Add a new config value to cater for that. Signed-off-by: Henning Schild Signed-off-by: Junio C Hamano

gpg-interface: do not hardcode the key string len anymore

2018-07-18T17:02:20Z

gnupg does print the keyid followed by a space and the signer comes next. The same pattern is also used in gpgsm, but there the key length would be 40 instead of 16. Instead of hardcoding the expected length, find the first space and calculate it. Input that does not match the expected format will be ignored now, before we jumped to found+17 which might have been behind the end of an unexpected string. Signed-off-by: Henning Schild Signed-off-by: Junio C Hamano

gpg-interface: introduce an abstraction for multiple gpg formats

2018-07-18T17:02:18Z

Create a struct that holds the format details for the supported formats. At the moment that is still just "openpgp". This commit prepares for the introduction of more formats, that might use other programs and match other signatures. Signed-off-by: Henning Schild Signed-off-by: Junio C Hamano

gpg-interface: add new config to select how to sign a commit

2018-07-17T19:14:11Z

Add "gpg.format" where the user can specify which type of signature to use for commits. At the moment only "openpgp" is supported and the value is not even used. This commit prepares for a new types of signatures. Signed-off-by: Henning Schild Signed-off-by: Junio C Hamano

gpg-interface: make parse_gpg_output static and remove from interface header

2018-07-11T17:05:22Z

Turn parse_gpg_output into a static function, the only outside user was migrated in an earlier commit. Signed-off-by: Henning Schild Signed-off-by: Junio C Hamano

gpg-interface: find the last gpg signature line

2018-04-16T05:15:03Z

A signed tag has a detached signature like this: object ... [...more header...] This is the tag body. -----BEGIN PGP SIGNATURE----- [opaque gpg data] -----END PGP SIGNATURE----- Our parser finds the _first_ line that appears to start a PGP signature block, meaning we may be confused by a signature (or a signature-like line) in the actual body. Let's keep parsing and always find the final block, which should be the detached signature over all of the preceding content. Signed-off-by: Jeff King Signed-off-by: Ben Toews Signed-off-by: Junio C Hamano

gpg-interface: extract gpg line matching helper

2018-04-16T05:15:03Z

Let's separate the actual line-by-line parsing of signatures from the notion of "is this a gpg signature line". That will make it easier to do more refactoring of this loop in future patches. Signed-off-by: Jeff King Signed-off-by: Ben Toews Signed-off-by: Junio C Hamano