diff options
author | Fabian Stelzer <fs@gigacodes.de> | 2021-12-09 11:52:46 +0300 |
---|---|---|
committer | Junio C Hamano <gitster@pobox.com> | 2021-12-10 00:38:04 +0300 |
commit | 4bbf3780ff2c485b1d0781d58b26e01f75dffcc1 (patch) | |
tree | d4fe77f9634a27f87c707cc4d6abb27e69b81ac6 | |
parent | 6393c956f4e7061d6b19981bd8cd28ef037b911e (diff) |
ssh signing: make git log verify key lifetime
Set the payload_type for check_signature() when calling git log.
Implements the same tests as for verify-commit.
Signed-off-by: Fabian Stelzer <fs@gigacodes.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
-rw-r--r-- | log-tree.c | 2 | ||||
-rwxr-xr-x | t/t4202-log.sh | 43 |
2 files changed, 45 insertions, 0 deletions
diff --git a/log-tree.c b/log-tree.c index a46cf60e1e..d3e7a40b64 100644 --- a/log-tree.c +++ b/log-tree.c @@ -513,6 +513,7 @@ static void show_signature(struct rev_info *opt, struct commit *commit) if (parse_signed_commit(commit, &payload, &signature, the_hash_algo) <= 0) goto out; + sigc.payload_type = SIGNATURE_PAYLOAD_COMMIT; sigc.payload = strbuf_detach(&payload, &sigc.payload_len); status = check_signature(&sigc, signature.buf, signature.len); if (status && !sigc.output) @@ -583,6 +584,7 @@ static int show_one_mergetag(struct commit *commit, status = -1; if (parse_signature(extra->value, extra->len, &payload, &signature)) { /* could have a good signature */ + sigc.payload_type = SIGNATURE_PAYLOAD_TAG; sigc.payload = strbuf_detach(&payload, &sigc.payload_len); status = check_signature(&sigc, signature.buf, signature.len); if (sigc.output) diff --git a/t/t4202-log.sh b/t/t4202-log.sh index 7884e3d46b..ba855ec893 100755 --- a/t/t4202-log.sh +++ b/t/t4202-log.sh @@ -1677,6 +1677,24 @@ test_expect_success GPGSSH 'setup sshkey signed branch' ' git commit -S -m signed_commit ' +test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'create signed commits with keys having defined lifetimes' ' + test_config gpg.format ssh && + touch file && + git add file && + + echo expired >file && test_tick && git commit -a -m expired -S"${GPGSSH_KEY_EXPIRED}" && + git tag expired-signed && + + echo notyetvalid >file && test_tick && git commit -a -m notyetvalid -S"${GPGSSH_KEY_NOTYETVALID}" && + git tag notyetvalid-signed && + + echo timeboxedvalid >file && test_tick && git commit -a -m timeboxedvalid -S"${GPGSSH_KEY_TIMEBOXEDVALID}" && + git tag timeboxedvalid-signed && + + echo timeboxedinvalid >file && test_tick && git commit -a -m timeboxedinvalid -S"${GPGSSH_KEY_TIMEBOXEDINVALID}" && + git tag timeboxedinvalid-signed +' + test_expect_success GPGSM 'log x509 fingerprint' ' echo "F8BF62E0693D0694816377099909C779FA23FD65 | " >expect && git log -n1 --format="%GF | %GP" signed-x509 >actual && @@ -1714,6 +1732,31 @@ test_expect_success GPGSSH 'log --graph --show-signature ssh' ' grep "${GOOD_SIGNATURE_TRUSTED}" actual ' +test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'log shows failure on expired signature key' ' + test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && + git log --graph --show-signature -n1 expired-signed >actual && + ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual +' + +test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'log shows failure on not yet valid signature key' ' + test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && + git log --graph --show-signature -n1 notyetvalid-signed >actual && + ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual +' + +test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'log show success with commit date and key validity matching' ' + test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && + git log --graph --show-signature -n1 timeboxedvalid-signed >actual && + grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual && + ! grep "${GPGSSH_BAD_SIGNATURE}" actual +' + +test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'log shows failure with commit date outside of key validity' ' + test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && + git log --graph --show-signature -n1 timeboxedinvalid-signed >actual && + ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual +' + test_expect_success GPG 'log --graph --show-signature for merged tag' ' test_when_finished "git reset --hard && git checkout main" && git checkout -b plain main && |