From ba3c69a9ee1894de397b60d3b548383e13ef49e3 Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Wed, 5 Oct 2011 17:23:20 -0700 Subject: commit: teach --gpg-sign option This uses the gpg-interface.[ch] to allow signing the commit, i.e. $ git commit --gpg-sign -m foo You need a passphrase to unlock the secret key for user: "Junio C Hamano " 4096-bit RSA key, ID 96AFE6CB, created 2011-10-03 (main key ID 713660A7) [master 8457d13] foo 1 files changed, 1 insertions(+), 0 deletions(-) The lines of GPG detached signature are placed in a new multi-line header field, instead of tucking the signature block at the end of the commit log message text (similar to how signed tag is done), for multiple reasons: - The signature won't clutter output from "git log" and friends if it is in the extra header. If we place it at the end of the log message, we would need to teach "git log" and friends to strip the signature block with an option. - Teaching new versions of "git log" and "gitk" to optionally verify and show signatures is cleaner if we structurally know where the signature block is (instead of scanning in the commit log message). - The signature needs to be stripped upon various commit rewriting operations, e.g. rebase, filter-branch, etc. They all already ignore unknown headers, but if we place signature in the log message, all of these tools (and third-party tools) also need to learn how a signature block would look like. - When we added the optional encoding header, all the tools (both in tree and third-party) that acts on the raw commit object should have been fixed to ignore headers they do not understand, so it is not like that new header would be more likely to break than extra text in the commit. A commit made with the above sample sequence would look like this: $ git cat-file commit HEAD tree 3cd71d90e3db4136e5260ab54599791c4f883b9d parent b87755351a47b09cb27d6913e6e0e17e6254a4d4 author Junio C Hamano 1317862251 -0700 committer Junio C Hamano 1317862251 -0700 gpgsig -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQIcBAABAgAGBQJOjPtrAAoJELC16IaWr+bL4TMP/RSe2Y/jYnCkds9unO5JEnfG ... =dt98 -----END PGP SIGNATURE----- foo but "git log" (unless you ask for it with --pretty=raw) output is not cluttered with the signature information. Signed-off-by: Junio C Hamano --- builtin/commit-tree.c | 25 ++++++++++++++++++++++--- builtin/commit.c | 11 ++++++++++- builtin/merge.c | 16 ++++++++++++++-- commit.c | 48 +++++++++++++++++++++++++++++++++++++++++++++--- commit.h | 4 ++-- notes-cache.c | 2 +- notes-merge.c | 2 +- 7 files changed, 95 insertions(+), 13 deletions(-) diff --git a/builtin/commit-tree.c b/builtin/commit-tree.c index b9c331225f..d5e19af547 100644 --- a/builtin/commit-tree.c +++ b/builtin/commit-tree.c @@ -8,8 +8,9 @@ #include "tree.h" #include "builtin.h" #include "utf8.h" +#include "gpg-interface.h" -static const char commit_tree_usage[] = "git commit-tree [(-p )...] [-m ] [-F ] ...", @@ -85,6 +86,8 @@ static int all, edit_flag, also, interactive, patch_interactive, only, amend, si static int quiet, verbose, no_verify, allow_empty, dry_run, renew_authorship; static int no_post_rewrite, allow_empty_message; static char *untracked_files_arg, *force_date, *ignore_submodule_arg; +static char *sign_commit; + /* * The default commit message cleanup mode will remove the lines * beginning with # (shell comments) and leading and trailing @@ -144,6 +147,8 @@ static struct option builtin_commit_options[] = { OPT_BOOLEAN('e', "edit", &edit_flag, "force edit of commit"), OPT_STRING(0, "cleanup", &cleanup_arg, "default", "how to strip spaces and #comments from message"), OPT_BOOLEAN(0, "status", &include_status, "include status in commit message template"), + { OPTION_STRING, 'S', "gpg-sign", &sign_commit, "key id", + "GPG sign commit", PARSE_OPT_OPTARG, NULL, (intptr_t) "" }, /* end commit message options */ OPT_GROUP("Commit contents options"), @@ -1324,6 +1329,7 @@ static void print_summary(const char *prefix, const unsigned char *sha1, static int git_commit_config(const char *k, const char *v, void *cb) { struct wt_status *s = cb; + int status; if (!strcmp(k, "commit.template")) return git_config_pathname(&template_file, k, v); @@ -1332,6 +1338,9 @@ static int git_commit_config(const char *k, const char *v, void *cb) return 0; } + status = git_gpg_config(k, v, NULL); + if (status) + return status; return git_status_config(k, v, s); } @@ -1488,7 +1497,7 @@ int cmd_commit(int argc, const char **argv, const char *prefix) extra = read_commit_extra_headers(current_head); if (commit_tree_extended(sb.buf, active_cache_tree->sha1, parents, sha1, - author_ident.buf, extra)) { + author_ident.buf, sign_commit, extra)) { rollback_index_files(); die(_("failed to write commit object")); } diff --git a/builtin/merge.c b/builtin/merge.c index 99f1429b35..e5afe64cef 100644 --- a/builtin/merge.c +++ b/builtin/merge.c @@ -26,6 +26,7 @@ #include "merge-recursive.h" #include "resolve-undo.h" #include "remote.h" +#include "gpg-interface.h" #define DEFAULT_TWOHEAD (1<<0) #define DEFAULT_OCTOPUS (1<<1) @@ -62,6 +63,7 @@ static int allow_rerere_auto; static int abort_current_merge; static int show_progress = -1; static int default_to_upstream; +static const char *sign_commit; static struct strategy all_strategy[] = { { "recursive", DEFAULT_TWOHEAD | NO_TRIVIAL }, @@ -207,6 +209,8 @@ static struct option builtin_merge_options[] = { OPT_BOOLEAN(0, "abort", &abort_current_merge, "abort the current in-progress merge"), OPT_SET_INT(0, "progress", &show_progress, "force progress reporting", 1), + { OPTION_STRING, 'S', "gpg-sign", &sign_commit, "key id", + "GPG sign commit", PARSE_OPT_OPTARG, NULL, (intptr_t) "" }, OPT_END() }; @@ -533,6 +537,8 @@ static void parse_branch_merge_options(char *bmo) static int git_merge_config(const char *k, const char *v, void *cb) { + int status; + if (branch && !prefixcmp(k, "branch.") && !prefixcmp(k + 7, branch) && !strcmp(k + 7 + strlen(branch), ".mergeoptions")) { @@ -570,6 +576,10 @@ static int git_merge_config(const char *k, const char *v, void *cb) default_to_upstream = git_config_bool(k, v); return 0; } + + status = git_gpg_config(k, v, NULL); + if (status) + return status; return git_diff_ui_config(k, v, cb); } @@ -902,7 +912,8 @@ static int merge_trivial(struct commit *head) parent->next->item = remoteheads->item; parent->next->next = NULL; prepare_to_commit(); - commit_tree(merge_msg.buf, result_tree, parent, result_commit, NULL); + commit_tree(merge_msg.buf, result_tree, parent, result_commit, NULL, + sign_commit); finish(head, result_commit, "In-index merge"); drop_save(); return 0; @@ -933,7 +944,8 @@ static int finish_automerge(struct commit *head, strbuf_addch(&merge_msg, '\n'); prepare_to_commit(); free_commit_list(remoteheads); - commit_tree(merge_msg.buf, result_tree, parents, result_commit, NULL); + commit_tree(merge_msg.buf, result_tree, parents, result_commit, + NULL, sign_commit); strbuf_addf(&buf, "Merge made by the '%s' strategy.", wt_strategy); finish(head, result_commit, buf.buf); strbuf_release(&buf); diff --git a/commit.c b/commit.c index b78127403b..f00076e91f 100644 --- a/commit.c +++ b/commit.c @@ -6,6 +6,7 @@ #include "diff.h" #include "revision.h" #include "notes.h" +#include "gpg-interface.h" int save_commit_buffer = 1; @@ -840,6 +841,42 @@ struct commit_list *reduce_heads(struct commit_list *heads) return result; } +static const char gpg_sig_header[] = "gpgsig"; +static const int gpg_sig_header_len = sizeof(gpg_sig_header) - 1; + +static int do_sign_commit(struct strbuf *buf, const char *keyid) +{ + struct strbuf sig = STRBUF_INIT; + int inspos, copypos; + + /* find the end of the header */ + inspos = strstr(buf->buf, "\n\n") - buf->buf + 1; + + if (!keyid || !*keyid) + keyid = get_signing_key(); + if (sign_buffer(buf, &sig, keyid)) { + strbuf_release(&sig); + return -1; + } + + for (copypos = 0; sig.buf[copypos]; ) { + const char *bol = sig.buf + copypos; + const char *eol = strchrnul(bol, '\n'); + int len = (eol - bol) + !!*eol; + + if (!copypos) { + strbuf_insert(buf, inspos, gpg_sig_header, gpg_sig_header_len); + inspos += gpg_sig_header_len; + } + strbuf_insert(buf, inspos++, " ", 1); + strbuf_insert(buf, inspos, bol, len); + inspos += len; + copypos += len; + } + strbuf_release(&sig); + return 0; +} + static void handle_signed_tag(struct commit *parent, struct commit_extra_header ***tail) { struct merge_remote_desc *desc; @@ -975,13 +1012,14 @@ void free_commit_extra_headers(struct commit_extra_header *extra) int commit_tree(const char *msg, unsigned char *tree, struct commit_list *parents, unsigned char *ret, - const char *author) + const char *author, const char *sign_commit) { struct commit_extra_header *extra = NULL, **tail = &extra; int result; append_merge_tag_headers(parents, &tail); - result = commit_tree_extended(msg, tree, parents, ret, author, extra); + result = commit_tree_extended(msg, tree, parents, ret, + author, sign_commit, extra); free_commit_extra_headers(extra); return result; } @@ -993,7 +1031,8 @@ static const char commit_utf8_warn[] = int commit_tree_extended(const char *msg, unsigned char *tree, struct commit_list *parents, unsigned char *ret, - const char *author, struct commit_extra_header *extra) + const char *author, const char *sign_commit, + struct commit_extra_header *extra) { int result; int encoding_is_utf8; @@ -1043,6 +1082,9 @@ int commit_tree_extended(const char *msg, unsigned char *tree, if (encoding_is_utf8 && !is_utf8(buffer.buf)) fprintf(stderr, commit_utf8_warn); + if (sign_commit && do_sign_commit(&buffer, sign_commit)) + return -1; + result = write_sha1_file(buffer.buf, buffer.len, commit_type, ret); strbuf_release(&buffer); return result; diff --git a/commit.h b/commit.h index 3745f12099..d2c3e650b1 100644 --- a/commit.h +++ b/commit.h @@ -193,11 +193,11 @@ extern void append_merge_tag_headers(struct commit_list *parents, extern int commit_tree(const char *msg, unsigned char *tree, struct commit_list *parents, unsigned char *ret, - const char *author); + const char *author, const char *sign_commit); extern int commit_tree_extended(const char *msg, unsigned char *tree, struct commit_list *parents, unsigned char *ret, - const char *author, + const char *author, const char *sign_commit, struct commit_extra_header *); extern struct commit_extra_header *read_commit_extra_headers(struct commit *); diff --git a/notes-cache.c b/notes-cache.c index 4c8984ede1..c36a960bc3 100644 --- a/notes-cache.c +++ b/notes-cache.c @@ -56,7 +56,7 @@ int notes_cache_write(struct notes_cache *c) if (write_notes_tree(&c->tree, tree_sha1)) return -1; - if (commit_tree(c->validity, tree_sha1, NULL, commit_sha1, NULL) < 0) + if (commit_tree(c->validity, tree_sha1, NULL, commit_sha1, NULL, NULL) < 0) return -1; if (update_ref("update notes cache", c->tree.ref, commit_sha1, NULL, 0, QUIET_ON_ERR) < 0) diff --git a/notes-merge.c b/notes-merge.c index e9e4199311..61cf18eeab 100644 --- a/notes-merge.c +++ b/notes-merge.c @@ -546,7 +546,7 @@ void create_notes_commit(struct notes_tree *t, struct commit_list *parents, /* else: t->ref points to nothing, assume root/orphan commit */ } - if (commit_tree(msg, tree_sha1, parents, result_sha1, NULL)) + if (commit_tree(msg, tree_sha1, parents, result_sha1, NULL, NULL)) die("Failed to commit notes tree to database"); } -- cgit v1.2.1 From 0c37f1fce6cb7997dbb2703d35eef0dfd86c5070 Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Tue, 18 Oct 2011 15:53:23 -0700 Subject: log: --show-signature This teaches the "log" family of commands to pass the GPG signature in the commit objects to "gpg --verify" via the verify_signed_buffer() interface used to verify signed tag objects. E.g. $ git show --show-signature -s HEAD shows GPG output in the header part of the output. Signed-off-by: Junio C Hamano --- commit.c | 44 ++++++++++++++++++++++++++++++++++++++++++++ commit.h | 2 ++ log-tree.c | 39 +++++++++++++++++++++++++++++++++++++++ revision.c | 2 ++ revision.h | 1 + 5 files changed, 88 insertions(+) diff --git a/commit.c b/commit.c index f00076e91f..27c7226abb 100644 --- a/commit.c +++ b/commit.c @@ -877,6 +877,50 @@ static int do_sign_commit(struct strbuf *buf, const char *keyid) return 0; } +int parse_signed_commit(const unsigned char *sha1, + struct strbuf *payload, struct strbuf *signature) +{ + unsigned long size; + enum object_type type; + char *buffer = read_sha1_file(sha1, &type, &size); + int in_signature, saw_signature = -1; + char *line, *tail; + + if (!buffer || type != OBJ_COMMIT) + goto cleanup; + + line = buffer; + tail = buffer + size; + in_signature = 0; + saw_signature = 0; + while (line < tail) { + const char *sig = NULL; + char *next = memchr(line, '\n', tail - line); + + next = next ? next + 1 : tail; + if (in_signature && line[0] == ' ') + sig = line + 1; + else if (!prefixcmp(line, gpg_sig_header) && + line[gpg_sig_header_len] == ' ') + sig = line + gpg_sig_header_len + 1; + if (sig) { + strbuf_add(signature, sig, next - sig); + saw_signature = 1; + in_signature = 1; + } else { + if (*line == '\n') + /* dump the whole remainder of the buffer */ + next = tail; + strbuf_add(payload, line, next - line); + in_signature = 0; + } + line = next; + } + cleanup: + free(buffer); + return saw_signature; +} + static void handle_signed_tag(struct commit *parent, struct commit_extra_header ***tail) { struct merge_remote_desc *desc; diff --git a/commit.h b/commit.h index d2c3e650b1..61076486df 100644 --- a/commit.h +++ b/commit.h @@ -218,4 +218,6 @@ struct merge_remote_desc { */ struct commit *get_merge_parent(const char *name); +extern int parse_signed_commit(const unsigned char *sha1, + struct strbuf *message, struct strbuf *signature); #endif /* COMMIT_H */ diff --git a/log-tree.c b/log-tree.c index e7694a3a4c..142ba51427 100644 --- a/log-tree.c +++ b/log-tree.c @@ -8,6 +8,7 @@ #include "refs.h" #include "string-list.h" #include "color.h" +#include "gpg-interface.h" struct decoration name_decoration = { "object names" }; @@ -403,6 +404,41 @@ void log_write_email_headers(struct rev_info *opt, struct commit *commit, *extra_headers_p = extra_headers; } +static void show_signature(struct rev_info *opt, struct commit *commit) +{ + struct strbuf payload = STRBUF_INIT; + struct strbuf signature = STRBUF_INIT; + struct strbuf gpg_output = STRBUF_INIT; + int status; + const char *color, *reset, *bol, *eol; + + if (parse_signed_commit(commit->object.sha1, &payload, &signature) <= 0) + goto out; + + status = verify_signed_buffer(payload.buf, payload.len, + signature.buf, signature.len, + &gpg_output); + if (status && !gpg_output.len) + strbuf_addstr(&gpg_output, "No signature\n"); + + color = diff_get_color_opt(&opt->diffopt, + status ? DIFF_WHITESPACE : DIFF_FRAGINFO); + reset = diff_get_color_opt(&opt->diffopt, DIFF_RESET); + + bol = gpg_output.buf; + while (*bol) { + eol = strchrnul(bol, '\n'); + printf("%s%.*s%s%s", color, (int)(eol - bol), bol, reset, + *eol ? "\n" : ""); + bol = (*eol) ? (eol + 1) : eol; + } + + out: + strbuf_release(&gpg_output); + strbuf_release(&payload); + strbuf_release(&signature); +} + void show_log(struct rev_info *opt) { struct strbuf msgbuf = STRBUF_INIT; @@ -514,6 +550,9 @@ void show_log(struct rev_info *opt) } } + if (opt->show_signature) + show_signature(opt, commit); + if (!commit->buffer) return; diff --git a/revision.c b/revision.c index 8764dde381..064e351084 100644 --- a/revision.c +++ b/revision.c @@ -1469,6 +1469,8 @@ static int handle_revision_opt(struct rev_info *revs, int argc, const char **arg revs->show_notes = 1; revs->show_notes_given = 1; revs->notes_opt.use_default_notes = 1; + } else if (!strcmp(arg, "--show-signature")) { + revs->show_signature = 1; } else if (!prefixcmp(arg, "--show-notes=") || !prefixcmp(arg, "--notes=")) { struct strbuf buf = STRBUF_INIT; diff --git a/revision.h b/revision.h index 6aa53d1aa7..b8e9223954 100644 --- a/revision.h +++ b/revision.h @@ -110,6 +110,7 @@ struct rev_info { show_merge:1, show_notes:1, show_notes_given:1, + show_signature:1, pretty_given:1, abbrev_commit:1, abbrev_commit_given:1, -- cgit v1.2.1 From 247503f28fe25e400df6542cf72ade7c5b6cfacf Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Wed, 19 Oct 2011 17:15:05 -0700 Subject: test "commit -S" and "log --show-signature" Signed-off-by: Junio C Hamano --- t/t7510-signed-commit.sh | 71 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100755 t/t7510-signed-commit.sh diff --git a/t/t7510-signed-commit.sh b/t/t7510-signed-commit.sh new file mode 100755 index 0000000000..30401ced07 --- /dev/null +++ b/t/t7510-signed-commit.sh @@ -0,0 +1,71 @@ +#!/bin/sh + +test_description='signed commit tests' +. ./test-lib.sh +. "$TEST_DIRECTORY/lib-gpg.sh" + +test_expect_success GPG 'create signed commits' ' + echo 1 >file && git add file && + test_tick && git commit -S -m initial && + git tag initial && + git branch side && + + echo 2 >file && test_tick && git commit -a -S -m second && + git tag second && + + git checkout side && + echo 3 >elif && git add elif && + test_tick && git commit -m "third on side" && + + git checkout master && + test_tick && git merge -S side && + git tag merge && + + echo 4 >file && test_tick && git commit -a -m "fourth unsigned" && + git tag fourth-unsigned && + + test_tick && git commit --amend -S -m "fourth signed" +' + +test_expect_success GPG 'show signatures' ' + ( + for commit in initial second merge master + do + git show --pretty=short --show-signature $commit >actual && + grep "Good signature from" actual || exit 1 + ! grep "BAD signature from" actual || exit 1 + echo $commit OK + done + ) && + ( + for commit in merge^2 fourth-unsigned + do + git show --pretty=short --show-signature $commit >actual && + grep "Good signature from" actual && exit 1 + ! grep "BAD signature from" actual || exit 1 + echo $commit OK + done + ) +' + +test_expect_success GPG 'detect fudged signature' ' + git cat-file commit master >raw && + + sed -e "s/fourth signed/4th forged/" raw >forged1 && + git hash-object -w -t commit forged1 >forged1.commit && + git show --pretty=short --show-signature $(cat forged1.commit) >actual1 && + grep "BAD signature from" actual1 && + ! grep "Good signature from" actual1 +' + +test_expect_success GPG 'detect fudged signature with NUL' ' + git cat-file commit master >raw && + cat raw >forged2 && + echo Qwik | tr "Q" "\000" >>forged2 && + git hash-object -w -t commit forged2 >forged2.commit && + git show --pretty=short --show-signature $(cat forged2.commit) >actual2 && + grep "BAD signature from" actual2 && + ! grep "Good signature from" actual2 +' + +test_done -- cgit v1.2.1 From f6667c5ee8148af28cc97049695f60f5105b3061 Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Fri, 21 Oct 2011 21:06:02 -0700 Subject: pretty: %G[?GS] placeholders Add new placeholders related to the GPG signature on signed commits. - %GG to show the raw verification message from GPG; - %G? to show either "G" for Good, "B" for Bad; - %GS to show the name of the signer. Signed-off-by: Junio C Hamano --- pretty.c | 86 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 86 insertions(+) diff --git a/pretty.c b/pretty.c index f45eb54e4c..392d656595 100644 --- a/pretty.c +++ b/pretty.c @@ -9,6 +9,7 @@ #include "notes.h" #include "color.h" #include "reflog-walk.h" +#include "gpg-interface.h" static char *user_format; static struct cmt_fmt_map { @@ -640,6 +641,12 @@ struct format_commit_context { const struct pretty_print_context *pretty_ctx; unsigned commit_header_parsed:1; unsigned commit_message_parsed:1; + unsigned commit_signature_parsed:1; + struct { + char *gpg_output; + char good_bad; + char *signer; + } signature; char *message; size_t width, indent1, indent2; @@ -822,6 +829,59 @@ static void rewrap_message_tail(struct strbuf *sb, c->indent2 = new_indent2; } +static struct { + char result; + const char *check; +} signature_check[] = { + { 'G', ": Good signature from " }, + { 'B', ": BAD signature from " }, +}; + +static void parse_signature_lines(struct format_commit_context *ctx) +{ + const char *buf = ctx->signature.gpg_output; + int i; + + for (i = 0; i < ARRAY_SIZE(signature_check); i++) { + const char *found = strstr(buf, signature_check[i].check); + const char *next; + if (!found) + continue; + ctx->signature.good_bad = signature_check[i].result; + found += strlen(signature_check[i].check); + next = strchrnul(found, '\n'); + ctx->signature.signer = xmemdupz(found, next - found); + break; + } +} + +static void parse_commit_signature(struct format_commit_context *ctx) +{ + struct strbuf payload = STRBUF_INIT; + struct strbuf signature = STRBUF_INIT; + struct strbuf gpg_output = STRBUF_INIT; + int status; + + ctx->commit_signature_parsed = 1; + + if (parse_signed_commit(ctx->commit->object.sha1, + &payload, &signature) <= 0) + goto out; + status = verify_signed_buffer(payload.buf, payload.len, + signature.buf, signature.len, + &gpg_output); + if (status && !gpg_output.len) + goto out; + ctx->signature.gpg_output = strbuf_detach(&gpg_output, NULL); + parse_signature_lines(ctx); + + out: + strbuf_release(&gpg_output); + strbuf_release(&payload); + strbuf_release(&signature); +} + + static size_t format_commit_one(struct strbuf *sb, const char *placeholder, void *context) { @@ -974,6 +1034,30 @@ static size_t format_commit_one(struct strbuf *sb, const char *placeholder, return 0; } + if (placeholder[0] == 'G') { + if (!c->commit_signature_parsed) + parse_commit_signature(c); + switch (placeholder[1]) { + case 'G': + if (c->signature.gpg_output) + strbuf_addstr(sb, c->signature.gpg_output); + break; + case '?': + switch (c->signature.good_bad) { + case 'G': + case 'B': + strbuf_addch(sb, c->signature.good_bad); + } + break; + case 'S': + if (c->signature.signer) + strbuf_addstr(sb, c->signature.signer); + break; + } + return 2; + } + + /* For the rest we have to parse the commit header. */ if (!c->commit_header_parsed) parse_commit_header(c); @@ -1114,6 +1198,8 @@ void format_commit_message(const struct commit *commit, if (context.message != commit->buffer) free(context.message); + free(context.signature.gpg_output); + free(context.signature.signer); } static void pp_header(const struct pretty_print_context *pp, -- cgit v1.2.1 From 0c5e70f041bfda8b3899d13694a9093b41fafa19 Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Tue, 29 Nov 2011 12:29:48 -0800 Subject: gpg-interface: allow use of a custom GPG binary Signed-off-by: Junio C Hamano --- Documentation/config.txt | 11 +++++++++++ Documentation/git-tag.txt | 8 +++++--- gpg-interface.c | 11 ++++++++--- 3 files changed, 24 insertions(+), 6 deletions(-) diff --git a/Documentation/config.txt b/Documentation/config.txt index b30c7e6278..094c1c9de3 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -1094,6 +1094,17 @@ grep.lineNumber:: grep.extendedRegexp:: If set to true, enable '--extended-regexp' option by default. +gpg.program:: + Use this custom program instead of "gpg" found on $PATH when + making or verifying a PGP signature. The program must support the + same command line interface as GPG, namely, to verify a detached + signature, "gpg --verify $file - <$signature" is run, and the + program is expected to signal a good signature by exiting with + code 0, and to generate an ascii-armored detached signature, the + standard input of "gpg -bsau $key" is fed with the contents to be + signed, and the program is expected to send the result to its + standard output. + gui.commitmsgwidth:: Defines how wide the commit message window is in the linkgit:git-gui[1]. "75" is the default. diff --git a/Documentation/git-tag.txt b/Documentation/git-tag.txt index c83cb13de6..74fc7e006f 100644 --- a/Documentation/git-tag.txt +++ b/Documentation/git-tag.txt @@ -38,7 +38,9 @@ created (i.e. a lightweight tag). A GnuPG signed tag object will be created when `-s` or `-u ` is used. When `-u ` is not used, the committer identity for the current user is used to find the -GnuPG key for signing. +GnuPG key for signing. The configuration variable `gpg.program` +is used to specify custom GnuPG binary. + OPTIONS ------- @@ -48,11 +50,11 @@ OPTIONS -s:: --sign:: - Make a GPG-signed tag, using the default e-mail address's key + Make a GPG-signed tag, using the default e-mail address's key. -u :: --local-user=:: - Make a GPG-signed tag, using the given key + Make a GPG-signed tag, using the given key. -f:: --force:: diff --git a/gpg-interface.c b/gpg-interface.c index ff232c8c5d..18630ff8da 100644 --- a/gpg-interface.c +++ b/gpg-interface.c @@ -5,6 +5,7 @@ #include "sigchain.h" static char *configured_signing_key; +static const char *gpg_program = "gpg"; void set_signing_key(const char *key) { @@ -15,9 +16,12 @@ void set_signing_key(const char *key) int git_gpg_config(const char *var, const char *value, void *cb) { if (!strcmp(var, "user.signingkey")) { + set_signing_key(value); + } + if (!strcmp(var, "gpg.program")) { if (!value) return config_error_nonbool(var); - set_signing_key(value); + gpg_program = xstrdup(value); } return 0; } @@ -46,7 +50,7 @@ int sign_buffer(struct strbuf *buffer, struct strbuf *signature, const char *sig gpg.argv = args; gpg.in = -1; gpg.out = -1; - args[0] = "gpg"; + args[0] = gpg_program; args[1] = "-bsau"; args[2] = signing_key; args[3] = NULL; @@ -101,10 +105,11 @@ int verify_signed_buffer(const char *payload, size_t payload_size, struct strbuf *gpg_output) { struct child_process gpg; - const char *args_gpg[] = {"gpg", "--verify", "FILE", "-", NULL}; + const char *args_gpg[] = {NULL, "--verify", "FILE", "-", NULL}; char path[PATH_MAX]; int fd, ret; + args_gpg[0] = gpg_program; fd = git_mkstemp(path, PATH_MAX, ".git_vtag_tmpXXXXXX"); if (fd < 0) return error("could not create temporary file '%s': %s", -- cgit v1.2.1 From e3f55e07076f88ec01a49dcfb7c2ac56658145a4 Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Wed, 4 Jan 2012 12:43:02 -0800 Subject: verify_signed_buffer: fix stale comment The function used to take an integer flag to specify where the output should go, but these days we supply a strbuf to receive it. Signed-off-by: Junio C Hamano --- gpg-interface.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/gpg-interface.c b/gpg-interface.c index 18630ff8da..09ab64aa24 100644 --- a/gpg-interface.c +++ b/gpg-interface.c @@ -95,10 +95,7 @@ int sign_buffer(struct strbuf *buffer, struct strbuf *signature, const char *sig /* * Run "gpg" to see if the payload matches the detached signature. - * gpg_output_to tells where the output from "gpg" should go: - * < 0: /dev/null - * = 0: standard error of the calling process - * > 0: the specified file descriptor + * gpg_output, when set, receives the diagnostic output from GPG. */ int verify_signed_buffer(const char *payload, size_t payload_size, const char *signature, size_t signature_size, -- cgit v1.2.1 From c871a1d17b8433d98df59b03da5538f10c4ae52c Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Thu, 5 Jan 2012 10:54:14 -0800 Subject: commit --amend -S: strip existing gpgsig headers Any existing commit signature was made against the contents of the old commit, including its committer date that is about to change, and will become invalid by amending it. Signed-off-by: Junio C Hamano --- builtin/commit.c | 3 ++- commit.c | 26 ++++++++++++++++++++++---- commit.h | 4 ++-- t/t7510-signed-commit.sh | 11 ++++++++++- 4 files changed, 36 insertions(+), 8 deletions(-) diff --git a/builtin/commit.c b/builtin/commit.c index fa41ec8c87..970a83662a 100644 --- a/builtin/commit.c +++ b/builtin/commit.c @@ -1494,7 +1494,8 @@ int cmd_commit(int argc, const char **argv, const char *prefix) } if (amend) { - extra = read_commit_extra_headers(current_head); + const char *exclude_gpgsig[2] = { "gpgsig", NULL }; + extra = read_commit_extra_headers(current_head, exclude_gpgsig); } else { struct commit_extra_header **tail = &extra; append_merge_tag_headers(parents, &tail); diff --git a/commit.c b/commit.c index 27c7226abb..2162a7c572 100644 --- a/commit.c +++ b/commit.c @@ -981,14 +981,15 @@ static void add_extra_header(struct strbuf *buffer, strbuf_addch(buffer, '\n'); } -struct commit_extra_header *read_commit_extra_headers(struct commit *commit) +struct commit_extra_header *read_commit_extra_headers(struct commit *commit, + const char **exclude) { struct commit_extra_header *extra = NULL; unsigned long size; enum object_type type; char *buffer = read_sha1_file(commit->object.sha1, &type, &size); if (buffer && type == OBJ_COMMIT) - extra = read_commit_extra_header_lines(buffer, size); + extra = read_commit_extra_header_lines(buffer, size, exclude); free(buffer); return extra; } @@ -1002,7 +1003,23 @@ static inline int standard_header_field(const char *field, size_t len) (len == 8 && !memcmp(field, "encoding ", 9))); } -struct commit_extra_header *read_commit_extra_header_lines(const char *buffer, size_t size) +static int excluded_header_field(const char *field, size_t len, const char **exclude) +{ + if (!exclude) + return 0; + + while (*exclude) { + size_t xlen = strlen(*exclude); + if (len == xlen && + !memcmp(field, *exclude, xlen) && field[xlen] == ' ') + return 1; + exclude++; + } + return 0; +} + +struct commit_extra_header *read_commit_extra_header_lines(const char *buffer, size_t size, + const char **exclude) { struct commit_extra_header *extra = NULL, **tail = &extra, *it = NULL; const char *line, *next, *eof, *eob; @@ -1028,7 +1045,8 @@ struct commit_extra_header *read_commit_extra_header_lines(const char *buffer, s if (next <= eof) eof = next; - if (standard_header_field(line, eof - line)) + if (standard_header_field(line, eof - line) || + excluded_header_field(line, eof - line, exclude)) continue; it = xcalloc(1, sizeof(*it)); diff --git a/commit.h b/commit.h index 61076486df..123aea3a7c 100644 --- a/commit.h +++ b/commit.h @@ -200,8 +200,8 @@ extern int commit_tree_extended(const char *msg, unsigned char *tree, const char *author, const char *sign_commit, struct commit_extra_header *); -extern struct commit_extra_header *read_commit_extra_headers(struct commit *); -extern struct commit_extra_header *read_commit_extra_header_lines(const char *buf, size_t len); +extern struct commit_extra_header *read_commit_extra_headers(struct commit *, const char **); +extern struct commit_extra_header *read_commit_extra_header_lines(const char *buf, size_t len, const char **); extern void free_commit_extra_headers(struct commit_extra_header *extra); diff --git a/t/t7510-signed-commit.sh b/t/t7510-signed-commit.sh index 30401ced07..1d3c56fe61 100755 --- a/t/t7510-signed-commit.sh +++ b/t/t7510-signed-commit.sh @@ -24,7 +24,8 @@ test_expect_success GPG 'create signed commits' ' echo 4 >file && test_tick && git commit -a -m "fourth unsigned" && git tag fourth-unsigned && - test_tick && git commit --amend -S -m "fourth signed" + test_tick && git commit --amend -S -m "fourth signed" && + git tag fourth-signed ' test_expect_success GPG 'show signatures' ' @@ -68,4 +69,12 @@ test_expect_success GPG 'detect fudged signature with NUL' ' ! grep "Good signature from" actual2 ' +test_expect_success GPG 'amending already signed commit' ' + git checkout fourth-signed^0 && + git commit --amend -S --no-edit && + git show -s --show-signature HEAD >actual && + grep "Good signature from" actual && + ! grep "BAD signature from" actual +' + test_done -- cgit v1.2.1 From c6b3ec41e2efdd9e05118c2e99ad70f0e0629873 Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Wed, 4 Jan 2012 13:48:45 -0800 Subject: log-tree.c: small refactor in show_signature() The next patch needs to show the result of signature verification on a mergetag extended header in a way similar to how embedded signature for the commit object itself is shown. Separate out the logic to go through the message lines and show them in the "error" color (highlighted) or the "correct" color (dim). Signed-off-by: Junio C Hamano --- log-tree.c | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/log-tree.c b/log-tree.c index 142ba51427..005c5a51c0 100644 --- a/log-tree.c +++ b/log-tree.c @@ -404,13 +404,27 @@ void log_write_email_headers(struct rev_info *opt, struct commit *commit, *extra_headers_p = extra_headers; } +static void show_sig_lines(struct rev_info *opt, int status, const char *bol) +{ + const char *color, *reset, *eol; + + color = diff_get_color_opt(&opt->diffopt, + status ? DIFF_WHITESPACE : DIFF_FRAGINFO); + reset = diff_get_color_opt(&opt->diffopt, DIFF_RESET); + while (*bol) { + eol = strchrnul(bol, '\n'); + printf("%s%.*s%s%s", color, (int)(eol - bol), bol, reset, + *eol ? "\n" : ""); + bol = (*eol) ? (eol + 1) : eol; + } +} + static void show_signature(struct rev_info *opt, struct commit *commit) { struct strbuf payload = STRBUF_INIT; struct strbuf signature = STRBUF_INIT; struct strbuf gpg_output = STRBUF_INIT; int status; - const char *color, *reset, *bol, *eol; if (parse_signed_commit(commit->object.sha1, &payload, &signature) <= 0) goto out; @@ -421,17 +435,7 @@ static void show_signature(struct rev_info *opt, struct commit *commit) if (status && !gpg_output.len) strbuf_addstr(&gpg_output, "No signature\n"); - color = diff_get_color_opt(&opt->diffopt, - status ? DIFF_WHITESPACE : DIFF_FRAGINFO); - reset = diff_get_color_opt(&opt->diffopt, DIFF_RESET); - - bol = gpg_output.buf; - while (*bol) { - eol = strchrnul(bol, '\n'); - printf("%s%.*s%s%s", color, (int)(eol - bol), bol, reset, - *eol ? "\n" : ""); - bol = (*eol) ? (eol + 1) : eol; - } + show_sig_lines(opt, status, gpg_output.buf); out: strbuf_release(&gpg_output); -- cgit v1.2.1 From 824958e50b250e957998626a21763603ca30e832 Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Wed, 4 Jan 2012 13:51:28 -0800 Subject: log-tree: show mergetag in log --show-signature output A commit object that merges a signed tag records the "mergetag" extended header. Check the validity of the GPG signature on it, and show it in a way similar to how "gpgsig" extended header is shown. Signed-off-by: Junio C Hamano --- log-tree.c | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 75 insertions(+), 1 deletion(-) diff --git a/log-tree.c b/log-tree.c index 005c5a51c0..61a12a7cb0 100644 --- a/log-tree.c +++ b/log-tree.c @@ -443,6 +443,78 @@ static void show_signature(struct rev_info *opt, struct commit *commit) strbuf_release(&signature); } +static int which_parent(const unsigned char *sha1, const struct commit *commit) +{ + int nth; + const struct commit_list *parent; + + for (nth = 0, parent = commit->parents; parent; parent = parent->next) { + if (!hashcmp(parent->item->object.sha1, sha1)) + return nth; + nth++; + } + return -1; +} + +static void show_one_mergetag(struct rev_info *opt, + struct commit_extra_header *extra, + struct commit *commit) +{ + unsigned char sha1[20]; + struct tag *tag; + struct strbuf verify_message; + int status, nth; + size_t payload_size, gpg_message_offset; + + hash_sha1_file(extra->value, extra->len, typename(OBJ_TAG), sha1); + tag = lookup_tag(sha1); + if (!tag) + return; /* error message already given */ + + strbuf_init(&verify_message, 256); + if (parse_tag_buffer(tag, extra->value, extra->len)) + strbuf_addstr(&verify_message, "malformed mergetag\n"); + else if ((nth = which_parent(tag->tagged->sha1, commit)) < 0) + strbuf_addf(&verify_message, "tag %s names a non-parent %s\n", + tag->tag, tag->tagged->sha1); + else + strbuf_addf(&verify_message, + "parent #%d, tagged '%s'\n", nth + 1, tag->tag); + gpg_message_offset = verify_message.len; + + payload_size = parse_signature(extra->value, extra->len); + if ((extra->len <= payload_size) || + (verify_signed_buffer(extra->value, payload_size, + extra->value + payload_size, + extra->len - payload_size, + &verify_message) && + verify_message.len <= gpg_message_offset)) { + strbuf_addstr(&verify_message, "No signature\n"); + status = -1; + } + else if (strstr(verify_message.buf + gpg_message_offset, + ": Good signature from ")) + status = 0; + else + status = -1; + + show_sig_lines(opt, status, verify_message.buf); + strbuf_release(&verify_message); +} + +static void show_mergetag(struct rev_info *opt, struct commit *commit) +{ + struct commit_extra_header *extra, *to_free; + + to_free = read_commit_extra_headers(commit, NULL); + for (extra = to_free; extra; extra = extra->next) { + if (strcmp(extra->key, "mergetag")) + continue; /* not a merge tag */ + show_one_mergetag(opt, extra, commit); + } + free_commit_extra_headers(to_free); +} + void show_log(struct rev_info *opt) { struct strbuf msgbuf = STRBUF_INIT; @@ -554,8 +626,10 @@ void show_log(struct rev_info *opt) } } - if (opt->show_signature) + if (opt->show_signature) { show_signature(opt, commit); + show_mergetag(opt, commit); + } if (!commit->buffer) return; -- cgit v1.2.1 From d041ffa55a69cb6cdc3b160dc181c7e59b3bd4bb Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Wed, 4 Jan 2012 16:23:12 -0800 Subject: log --show-signature: reword the common two-head merge case While identifying the commit merged to our history as "parent #2" is technically correct, we will never say "parent #1" (as that is the tip of our history before the merge is made), and we rarely would say "parent #3" (which would mean the merge is an octopus), especially when responding to a request to pull a signed tag. Treat the most common case to merge a single commit specially, and just say "merged tag ''" instead. Signed-off-by: Junio C Hamano --- log-tree.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/log-tree.c b/log-tree.c index 61a12a7cb0..3cf569ce7e 100644 --- a/log-tree.c +++ b/log-tree.c @@ -456,6 +456,13 @@ static int which_parent(const unsigned char *sha1, const struct commit *commit) return -1; } +static int is_common_merge(const struct commit *commit) +{ + return (commit->parents + && commit->parents->next + && !commit->parents->next->next); +} + static void show_one_mergetag(struct rev_info *opt, struct commit_extra_header *extra, struct commit *commit) @@ -474,6 +481,11 @@ static void show_one_mergetag(struct rev_info *opt, strbuf_init(&verify_message, 256); if (parse_tag_buffer(tag, extra->value, extra->len)) strbuf_addstr(&verify_message, "malformed mergetag\n"); + else if (is_common_merge(commit) && + !hashcmp(tag->tagged->sha1, + commit->parents->next->item->object.sha1)) + strbuf_addf(&verify_message, + "merged tag '%s'\n", tag->tag); else if ((nth = which_parent(tag->tagged->sha1, commit)) < 0) strbuf_addf(&verify_message, "tag %s names a non-parent %s\n", tag->tag, tag->tagged->sha1); -- cgit v1.2.1