1#!/bin/sh
2
3test_description='signed commit tests'
4GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME=main
5export GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME
6
7. ./test-lib.sh
8GNUPGHOME_NOT_USED=$GNUPGHOME
9. "$TEST_DIRECTORY/lib-gpg.sh"
10
11test_expect_success GPG 'create signed commits' '
12	test_oid_cache <<-\EOF &&
13	header sha1:gpgsig
14	header sha256:gpgsig-sha256
15	EOF
16
17	test_when_finished "test_unconfig commit.gpgsign" &&
18
19	echo 1 >file && git add file &&
20	test_tick && git commit -S -m initial &&
21	git tag initial &&
22	git branch side &&
23
24	echo 2 >file && test_tick && git commit -a -S -m second &&
25	git tag second &&
26
27	git checkout side &&
28	echo 3 >elif && git add elif &&
29	test_tick && git commit -m "third on side" &&
30
31	git checkout main &&
32	test_tick && git merge -S side &&
33	git tag merge &&
34
35	echo 4 >file && test_tick && git commit -a -m "fourth unsigned" &&
36	git tag fourth-unsigned &&
37
38	test_tick && git commit --amend -S -m "fourth signed" &&
39	git tag fourth-signed &&
40
41	git config commit.gpgsign true &&
42	echo 5 >file && test_tick && git commit -a -m "fifth signed" &&
43	git tag fifth-signed &&
44
45	git config commit.gpgsign false &&
46	echo 6 >file && test_tick && git commit -a -m "sixth" &&
47	git tag sixth-unsigned &&
48
49	git config commit.gpgsign true &&
50	echo 7 >file && test_tick && git commit -a -m "seventh" --no-gpg-sign &&
51	git tag seventh-unsigned &&
52
53	test_tick && git rebase -f HEAD^^ && git tag sixth-signed HEAD^ &&
54	git tag seventh-signed &&
55
56	echo 8 >file && test_tick && git commit -a -m eighth -SB7227189 &&
57	git tag eighth-signed-alt &&
58
59	# commit.gpgsign is still on but this must not be signed
60	echo 9 | git commit-tree HEAD^{tree} >oid &&
61	test_line_count = 1 oid &&
62	git tag ninth-unsigned $(cat oid) &&
63	# explicit -S of course must sign.
64	echo 10 | git commit-tree -S HEAD^{tree} >oid &&
65	test_line_count = 1 oid &&
66	git tag tenth-signed $(cat oid) &&
67
68	# --gpg-sign[=<key-id>] must sign.
69	echo 11 | git commit-tree --gpg-sign HEAD^{tree} >oid &&
70	test_line_count = 1 oid &&
71	git tag eleventh-signed $(cat oid) &&
72	echo 12 | git commit-tree --gpg-sign=B7227189 HEAD^{tree} >oid &&
73	test_line_count = 1 oid &&
74	git tag twelfth-signed-alt $(cat oid) &&
75
76	cat >keydetails <<-\EOF &&
77	Key-Type: RSA
78	Key-Length: 2048
79	Subkey-Type: RSA
80	Subkey-Length: 2048
81	Name-Real: Unknown User
82	Name-Email: unknown@git.com
83	Expire-Date: 0
84	%no-ask-passphrase
85	%no-protection
86	EOF
87	gpg --batch --gen-key keydetails &&
88	echo 13 >file && git commit -a -S"unknown@git.com" -m thirteenth &&
89	git tag thirteenth-signed &&
90	DELETE_FINGERPRINT=$(gpg -K --with-colons --fingerprint --batch unknown@git.com | grep "^fpr" | head -n 1 | awk -F ":" "{print \$10;}") &&
91	gpg --batch --yes --delete-secret-keys $DELETE_FINGERPRINT &&
92	gpg --batch --yes --delete-keys unknown@git.com
93'
94
95test_expect_success GPG 'verify and show signatures' '
96	(
97		for commit in initial second merge fourth-signed \
98			fifth-signed sixth-signed seventh-signed tenth-signed \
99			eleventh-signed
100		do
101			git verify-commit $commit &&
102			git show --pretty=short --show-signature $commit >actual &&
103			grep "Good signature from" actual &&
104			! grep "BAD signature from" actual &&
105			echo $commit OK || exit 1
106		done
107	) &&
108	(
109		for commit in merge^2 fourth-unsigned sixth-unsigned \
110			seventh-unsigned ninth-unsigned
111		do
112			test_must_fail git verify-commit $commit &&
113			git show --pretty=short --show-signature $commit >actual &&
114			! grep "Good signature from" actual &&
115			! grep "BAD signature from" actual &&
116			echo $commit OK || exit 1
117		done
118	) &&
119	(
120		for commit in eighth-signed-alt twelfth-signed-alt
121		do
122			git show --pretty=short --show-signature $commit >actual &&
123			grep "Good signature from" actual &&
124			! grep "BAD signature from" actual &&
125			grep "not certified" actual &&
126			echo $commit OK || exit 1
127		done
128	)
129'
130
131test_expect_success GPG 'verify-commit exits failure on unknown signature' '
132	test_must_fail git verify-commit thirteenth-signed 2>actual &&
133	! grep "Good signature from" actual &&
134	! grep "BAD signature from" actual &&
135	grep -q -F -e "No public key" -e "public key not found" actual
136'
137
138test_expect_success GPG 'verify-commit exits success on untrusted signature' '
139	git verify-commit eighth-signed-alt 2>actual &&
140	grep "Good signature from" actual &&
141	! grep "BAD signature from" actual &&
142	grep "not certified" actual
143'
144
145test_expect_success GPG 'verify-commit exits success with matching minTrustLevel' '
146	test_config gpg.minTrustLevel ultimate &&
147	git verify-commit sixth-signed
148'
149
150test_expect_success GPG 'verify-commit exits success with low minTrustLevel' '
151	test_config gpg.minTrustLevel fully &&
152	git verify-commit sixth-signed
153'
154
155test_expect_success GPG 'verify-commit exits failure with high minTrustLevel' '
156	test_config gpg.minTrustLevel ultimate &&
157	test_must_fail git verify-commit eighth-signed-alt
158'
159
160test_expect_success GPG 'verify signatures with --raw' '
161	(
162		for commit in initial second merge fourth-signed fifth-signed sixth-signed seventh-signed
163		do
164			git verify-commit --raw $commit 2>actual &&
165			grep "GOODSIG" actual &&
166			! grep "BADSIG" actual &&
167			echo $commit OK || exit 1
168		done
169	) &&
170	(
171		for commit in merge^2 fourth-unsigned sixth-unsigned seventh-unsigned
172		do
173			test_must_fail git verify-commit --raw $commit 2>actual &&
174			! grep "GOODSIG" actual &&
175			! grep "BADSIG" actual &&
176			echo $commit OK || exit 1
177		done
178	) &&
179	(
180		for commit in eighth-signed-alt
181		do
182			git verify-commit --raw $commit 2>actual &&
183			grep "GOODSIG" actual &&
184			! grep "BADSIG" actual &&
185			grep "TRUST_UNDEFINED" actual &&
186			echo $commit OK || exit 1
187		done
188	)
189'
190
191test_expect_success GPG 'proper header is used for hash algorithm' '
192	git cat-file commit fourth-signed >output &&
193	grep "^$(test_oid header) -----BEGIN PGP SIGNATURE-----" output
194'
195
196test_expect_success GPG 'show signed commit with signature' '
197	git show -s initial >commit &&
198	git show -s --show-signature initial >show &&
199	git verify-commit -v initial >verify.1 2>verify.2 &&
200	git cat-file commit initial >cat &&
201	grep -v -e "gpg: " -e "Warning: " show >show.commit &&
202	grep -e "gpg: " -e "Warning: " show >show.gpg &&
203	grep -v "^ " cat | grep -v "^gpgsig.* " >cat.commit &&
204	test_cmp show.commit commit &&
205	test_cmp show.gpg verify.2 &&
206	test_cmp cat.commit verify.1
207'
208
209test_expect_success GPG 'detect fudged signature' '
210	git cat-file commit seventh-signed >raw &&
211	sed -e "s/^seventh/7th forged/" raw >forged1 &&
212	git hash-object -w -t commit forged1 >forged1.commit &&
213	test_must_fail git verify-commit $(cat forged1.commit) &&
214	git show --pretty=short --show-signature $(cat forged1.commit) >actual1 &&
215	grep "BAD signature from" actual1 &&
216	! grep "Good signature from" actual1
217'
218
219test_expect_success GPG 'detect fudged signature with NUL' '
220	git cat-file commit seventh-signed >raw &&
221	cat raw >forged2 &&
222	echo Qwik | tr "Q" "\000" >>forged2 &&
223	git hash-object -w -t commit forged2 >forged2.commit &&
224	test_must_fail git verify-commit $(cat forged2.commit) &&
225	git show --pretty=short --show-signature $(cat forged2.commit) >actual2 &&
226	grep "BAD signature from" actual2 &&
227	! grep "Good signature from" actual2
228'
229
230test_expect_success GPG 'amending already signed commit' '
231	git checkout fourth-signed^0 &&
232	git commit --amend -S --no-edit &&
233	git verify-commit HEAD &&
234	git show -s --show-signature HEAD >actual &&
235	grep "Good signature from" actual &&
236	! grep "BAD signature from" actual
237'
238
239test_expect_success GPG 'show good signature with custom format' '
240	cat >expect <<-\EOF &&
241	G
242	13B6F51ECDDE430D
243	C O Mitter <committer@example.com>
244	73D758744BE721698EC54E8713B6F51ECDDE430D
245	73D758744BE721698EC54E8713B6F51ECDDE430D
246	EOF
247	git log -1 --format="%G?%n%GK%n%GS%n%GF%n%GP" sixth-signed >actual &&
248	test_cmp expect actual
249'
250
251test_expect_success GPG 'show bad signature with custom format' '
252	cat >expect <<-\EOF &&
253	B
254	13B6F51ECDDE430D
255	C O Mitter <committer@example.com>
256
257
258	EOF
259	git log -1 --format="%G?%n%GK%n%GS%n%GF%n%GP" $(cat forged1.commit) >actual &&
260	test_cmp expect actual
261'
262
263test_expect_success GPG 'show untrusted signature with custom format' '
264	cat >expect <<-\EOF &&
265	U
266	65A0EEA02E30CAD7
267	Eris Discordia <discord@example.net>
268	F8364A59E07FFE9F4D63005A65A0EEA02E30CAD7
269	D4BE22311AD3131E5EDA29A461092E85B7227189
270	EOF
271	git log -1 --format="%G?%n%GK%n%GS%n%GF%n%GP" eighth-signed-alt >actual &&
272	test_cmp expect actual
273'
274
275test_expect_success GPG 'show untrusted signature with undefined trust level' '
276	cat >expect <<-\EOF &&
277	undefined
278	65A0EEA02E30CAD7
279	Eris Discordia <discord@example.net>
280	F8364A59E07FFE9F4D63005A65A0EEA02E30CAD7
281	D4BE22311AD3131E5EDA29A461092E85B7227189
282	EOF
283	git log -1 --format="%GT%n%GK%n%GS%n%GF%n%GP" eighth-signed-alt >actual &&
284	test_cmp expect actual
285'
286
287test_expect_success GPG 'show untrusted signature with ultimate trust level' '
288	cat >expect <<-\EOF &&
289	ultimate
290	13B6F51ECDDE430D
291	C O Mitter <committer@example.com>
292	73D758744BE721698EC54E8713B6F51ECDDE430D
293	73D758744BE721698EC54E8713B6F51ECDDE430D
294	EOF
295	git log -1 --format="%GT%n%GK%n%GS%n%GF%n%GP" sixth-signed >actual &&
296	test_cmp expect actual
297'
298
299test_expect_success GPG 'show unknown signature with custom format' '
300	cat >expect <<-\EOF &&
301	E
302	65A0EEA02E30CAD7
303
304
305
306	EOF
307	GNUPGHOME="$GNUPGHOME_NOT_USED" git log -1 --format="%G?%n%GK%n%GS%n%GF%n%GP" eighth-signed-alt >actual &&
308	test_cmp expect actual
309'
310
311test_expect_success GPG 'show lack of signature with custom format' '
312	cat >expect <<-\EOF &&
313	N
314
315
316
317
318	EOF
319	git log -1 --format="%G?%n%GK%n%GS%n%GF%n%GP" seventh-unsigned >actual &&
320	test_cmp expect actual
321'
322
323test_expect_success GPG 'log.showsignature behaves like --show-signature' '
324	test_config log.showsignature true &&
325	git show initial >actual &&
326	grep "gpg: Signature made" actual &&
327	grep "gpg: Good signature" actual
328'
329
330test_expect_success GPG 'check config gpg.format values' '
331	test_config gpg.format openpgp &&
332	git commit -S --amend -m "success" &&
333	test_config gpg.format OpEnPgP &&
334	test_must_fail git commit -S --amend -m "fail"
335'
336
337test_expect_success GPG 'detect fudged commit with double signature' '
338	sed -e "/gpgsig/,/END PGP/d" forged1 >double-base &&
339	sed -n -e "/gpgsig/,/END PGP/p" forged1 | \
340		sed -e "s/^$(test_oid header)//;s/^ //" | gpg --dearmor >double-sig1.sig &&
341	gpg -o double-sig2.sig -u 29472784 --detach-sign double-base &&
342	cat double-sig1.sig double-sig2.sig | gpg --enarmor >double-combined.asc &&
343	sed -e "s/^\(-.*\)ARMORED FILE/\1SIGNATURE/;1s/^/$(test_oid header) /;2,\$s/^/ /" \
344		double-combined.asc > double-gpgsig &&
345	sed -e "/committer/r double-gpgsig" double-base >double-commit &&
346	git hash-object -w -t commit double-commit >double-commit.commit &&
347	test_must_fail git verify-commit $(cat double-commit.commit) &&
348	git show --pretty=short --show-signature $(cat double-commit.commit) >double-actual &&
349	grep "BAD signature from" double-actual &&
350	grep "Good signature from" double-actual
351'
352
353test_expect_success GPG 'show double signature with custom format' '
354	cat >expect <<-\EOF &&
355	E
356
357
358
359
360	EOF
361	git log -1 --format="%G?%n%GK%n%GS%n%GF%n%GP" $(cat double-commit.commit) >actual &&
362	test_cmp expect actual
363'
364
365
366# NEEDSWORK: This test relies on the test_tick commit/author dates from the first
367# 'create signed commits' test even though it creates its own
368test_expect_success GPG 'verify-commit verifies multiply signed commits' '
369	git init multiply-signed &&
370	cd multiply-signed &&
371	test_commit first &&
372	echo 1 >second &&
373	git add second &&
374	tree=$(git write-tree) &&
375	parent=$(git rev-parse HEAD^{commit}) &&
376	git commit --gpg-sign -m second &&
377	git cat-file commit HEAD &&
378	# Avoid trailing whitespace.
379	sed -e "s/^Q//" -e "s/^Z/ /" >commit <<-EOF &&
380	Qtree $tree
381	Qparent $parent
382	Qauthor A U Thor <author@example.com> 1112912653 -0700
383	Qcommitter C O Mitter <committer@example.com> 1112912653 -0700
384	Qgpgsig -----BEGIN PGP SIGNATURE-----
385	QZ
386	Q iHQEABECADQWIQRz11h0S+chaY7FTocTtvUezd5DDQUCX/uBDRYcY29tbWl0dGVy
387	Q QGV4YW1wbGUuY29tAAoJEBO29R7N3kMNd+8AoK1I8mhLHviPH+q2I5fIVgPsEtYC
388	Q AKCTqBh+VabJceXcGIZuF0Ry+udbBQ==
389	Q =tQ0N
390	Q -----END PGP SIGNATURE-----
391	Qgpgsig-sha256 -----BEGIN PGP SIGNATURE-----
392	QZ
393	Q iHQEABECADQWIQRz11h0S+chaY7FTocTtvUezd5DDQUCX/uBIBYcY29tbWl0dGVy
394	Q QGV4YW1wbGUuY29tAAoJEBO29R7N3kMN/NEAn0XO9RYSBj2dFyozi0JKSbssYMtO
395	Q AJwKCQ1BQOtuwz//IjU8TiS+6S4iUw==
396	Q =pIwP
397	Q -----END PGP SIGNATURE-----
398	Q
399	Qsecond
400	EOF
401	head=$(git hash-object -t commit -w commit) &&
402	git reset --hard $head &&
403	git verify-commit $head 2>actual &&
404	grep "Good signature from" actual &&
405	! grep "BAD signature from" actual
406'
407
408test_done
409