diff options
| author | brian m. carlson <sandals@crustytoothpaste.net> | 2015-06-21 23:14:43 +0000 |
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2015-06-22 14:20:47 -0700 |
| commit | e18443ece711564145d545b650851c4615717128 (patch) | |
| tree | 1908d85b9ea17b6f47014550d05161f244aa0180 | |
| parent | aeff29dd4dab01b497b2a2cf73e982e846a5fe4c (diff) | |
| download | git-bc/gpg-verify-raw.tar.gz | |
verify-tag: add option to print raw gpg status informationbc/gpg-verify-raw
verify-tag by default displays human-readable output on standard error.
However, it can also be useful to get access to the raw gpg status
information, which is machine-readable, allowing automated
implementation of signing policy. Add a --raw option to make verify-tag
produce the gpg status information on standard error instead of the
human-readable format.
Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
| -rw-r--r-- | Documentation/git-verify-tag.txt | 4 | ||||
| -rw-r--r-- | builtin/verify-tag.c | 17 | ||||
| -rwxr-xr-x | t/t7030-verify-tag.sh | 31 |
3 files changed, 46 insertions, 6 deletions
diff --git a/Documentation/git-verify-tag.txt b/Documentation/git-verify-tag.txt index f88ba96f02..d590edcebd 100644 --- a/Documentation/git-verify-tag.txt +++ b/Documentation/git-verify-tag.txt @@ -16,6 +16,10 @@ Validates the gpg signature created by 'git tag'. OPTIONS ------- +--raw:: + Print the raw gpg status output to standard error instead of the normal + human-readable output. + -v:: --verbose:: Print the contents of the tag object before validating it. diff --git a/builtin/verify-tag.c b/builtin/verify-tag.c index d67e3dbd10..00663f6a30 100644 --- a/builtin/verify-tag.c +++ b/builtin/verify-tag.c @@ -18,7 +18,7 @@ static const char * const verify_tag_usage[] = { NULL }; -static int run_gpg_verify(const char *buf, unsigned long size, int verbose) +static int run_gpg_verify(const char *buf, unsigned long size, unsigned flags) { struct signature_check sigc; int len; @@ -29,19 +29,19 @@ static int run_gpg_verify(const char *buf, unsigned long size, int verbose) len = parse_signature(buf, size); if (size == len) { - if (verbose) + if (flags & GPG_VERIFY_VERBOSE) write_in_full(1, buf, len); return error("no signature found"); } ret = check_signature(buf, len, buf + len, size - len, &sigc); - print_signature_buffer(&sigc, verbose ? GPG_VERIFY_VERBOSE : 0); + print_signature_buffer(&sigc, flags); signature_check_clear(&sigc); return ret; } -static int verify_tag(const char *name, int verbose) +static int verify_tag(const char *name, unsigned flags) { enum object_type type; unsigned char sha1[20]; @@ -61,7 +61,7 @@ static int verify_tag(const char *name, int verbose) if (!buf) return error("%s: unable to read file.", name); - ret = run_gpg_verify(buf, size, verbose); + ret = run_gpg_verify(buf, size, flags); free(buf); return ret; @@ -78,8 +78,10 @@ static int git_verify_tag_config(const char *var, const char *value, void *cb) int cmd_verify_tag(int argc, const char **argv, const char *prefix) { int i = 1, verbose = 0, had_error = 0; + unsigned flags = 0; const struct option verify_tag_options[] = { OPT__VERBOSE(&verbose, N_("print tag contents")), + OPT_BIT(0, "raw", &flags, N_("print raw gpg status output"), GPG_VERIFY_RAW), OPT_END() }; @@ -90,11 +92,14 @@ int cmd_verify_tag(int argc, const char **argv, const char *prefix) if (argc <= i) usage_with_options(verify_tag_usage, verify_tag_options); + if (verbose) + flags |= GPG_VERIFY_VERBOSE; + /* sometimes the program was terminated because this signal * was received in the process of writing the gpg input: */ signal(SIGPIPE, SIG_IGN); while (i < argc) - if (verify_tag(argv[i++], verbose)) + if (verify_tag(argv[i++], flags)) had_error = 1; return had_error; } diff --git a/t/t7030-verify-tag.sh b/t/t7030-verify-tag.sh index 632bc53440..4608e71343 100755 --- a/t/t7030-verify-tag.sh +++ b/t/t7030-verify-tag.sh @@ -81,4 +81,35 @@ test_expect_success GPG 'detect fudged signature' ' ! grep "Good signature from" actual1 ' +test_expect_success GPG 'verify signatures with --raw' ' + ( + for tag in initial second merge fourth-signed sixth-signed seventh-signed + do + git verify-tag --raw $tag 2>actual && + grep "GOODSIG" actual && + ! grep "BADSIG" actual && + echo $tag OK || exit 1 + done + ) && + ( + for tag in fourth-unsigned fifth-unsigned sixth-unsigned + do + test_must_fail git verify-tag --raw $tag 2>actual && + ! grep "GOODSIG" actual && + ! grep "BADSIG" actual && + echo $tag OK || exit 1 + done + ) && + ( + for tag in eighth-signed-alt + do + git verify-tag --raw $tag 2>actual && + grep "GOODSIG" actual && + ! grep "BADSIG" actual && + grep "TRUST_UNDEFINED" actual && + echo $tag OK || exit 1 + done + ) +' + test_done |