From efed0022492b81bf59d29193c4ffe96492dd9e9b Mon Sep 17 00:00:00 2001
From: Sebastian Götte <jaseg@physik.tu-berlin.de>
Date: Sun, 31 Mar 2013 18:02:24 +0200
Subject: merge/pull: verify GPG signatures of commits being merged
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When --verify-signatures is specified on the command-line of git-merge
or git-pull, check whether the commits being merged have good gpg
signatures and abort the merge in case they do not. This allows e.g.
auto-deployment from untrusted repo hosts.

Signed-off-by: Sebastian Götte <jaseg@physik-pool.tu-berlin.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
 builtin/merge.c | 34 +++++++++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)

(limited to 'builtin/merge.c')

diff --git a/builtin/merge.c b/builtin/merge.c
index 7c8922c8b0..e57c42c622 100644
--- a/builtin/merge.c
+++ b/builtin/merge.c
@@ -49,7 +49,7 @@ static const char * const builtin_merge_usage[] = {
 static int show_diffstat = 1, shortlog_len = -1, squash;
 static int option_commit = 1, allow_fast_forward = 1;
 static int fast_forward_only, option_edit = -1;
-static int allow_trivial = 1, have_message;
+static int allow_trivial = 1, have_message, verify_signatures;
 static int overwrite_ignore = 1;
 static struct strbuf merge_msg = STRBUF_INIT;
 static struct strategy **use_strategies;
@@ -199,6 +199,8 @@ static struct option builtin_merge_options[] = {
 	OPT_BOOLEAN(0, "ff-only", &fast_forward_only,
 		N_("abort if fast-forward is not possible")),
 	OPT_RERERE_AUTOUPDATE(&allow_rerere_auto),
+	OPT_BOOL(0, "verify-signatures", &verify_signatures,
+		N_("Verify that the named commit has a valid GPG signature")),
 	OPT_CALLBACK('s', "strategy", &use_strategies, N_("strategy"),
 		N_("merge strategy to use"), option_parse_strategy),
 	OPT_CALLBACK('X', "strategy-option", &xopts, N_("option=value"),
@@ -1233,6 +1235,36 @@ int cmd_merge(int argc, const char **argv, const char *prefix)
 		usage_with_options(builtin_merge_usage,
 			builtin_merge_options);
 
+	if (verify_signatures) {
+		for (p = remoteheads; p; p = p->next) {
+			struct commit *commit = p->item;
+			char hex[41];
+			struct signature_check signature_check;
+			memset(&signature_check, 0, sizeof(signature_check));
+
+			check_commit_signature(commit, &signature_check);
+
+			strcpy(hex, find_unique_abbrev(commit->object.sha1, DEFAULT_ABBREV));
+			switch (signature_check.result) {
+			case 'G':
+				break;
+			case 'B':
+				die(_("Commit %s has a bad GPG signature "
+				      "allegedly by %s."), hex, signature_check.signer);
+			default: /* 'N' */
+				die(_("Commit %s does not have a GPG signature."), hex);
+			}
+			if (verbosity >= 0 && signature_check.result == 'G')
+				printf(_("Commit %s has a good GPG signature by %s\n"),
+				       hex, signature_check.signer);
+
+			free(signature_check.gpg_output);
+			free(signature_check.gpg_status);
+			free(signature_check.signer);
+			free(signature_check.key);
+		}
+	}
+
 	strbuf_addstr(&buf, "merge");
 	for (p = remoteheads; p; p = p->next)
 		strbuf_addf(&buf, " %s", merge_remote_util(p->item)->name);
-- 
cgit v1.2.3


From eb307ae7bb78ccde4e2ac69f302ccf8834883628 Mon Sep 17 00:00:00 2001
From: Sebastian Götte <jaseg@physik.tu-berlin.de>
Date: Sun, 31 Mar 2013 18:02:46 +0200
Subject: merge/pull Check for untrusted good GPG signatures
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When --verify-signatures is specified, abort the merge in case a good
GPG signature from an untrusted key is encountered.

Signed-off-by: Sebastian Götte <jaseg@physik-pool.tu-berlin.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
 Documentation/merge-options.txt    |   4 ++--
 builtin/merge.c                    |   3 +++
 commit.c                           |  14 +++++++++-----
 commit.h                           |  10 +++++-----
 gpg-interface.h                    |   1 +
 t/lib-gpg/pubring.gpg              | Bin 1164 -> 2359 bytes
 t/lib-gpg/random_seed              | Bin 600 -> 600 bytes
 t/lib-gpg/secring.gpg              | Bin 1237 -> 3734 bytes
 t/lib-gpg/trustdb.gpg              | Bin 1280 -> 1360 bytes
 t/t7612-merge-verify-signatures.sh |   9 +++++++++
 10 files changed, 29 insertions(+), 12 deletions(-)

(limited to 'builtin/merge.c')

diff --git a/Documentation/merge-options.txt b/Documentation/merge-options.txt
index 31f1067521..a0f022b41d 100644
--- a/Documentation/merge-options.txt
+++ b/Documentation/merge-options.txt
@@ -85,8 +85,8 @@ option can be used to override --squash.
 
 --verify-signatures::
 --no-verify-signatures::
-	Verify that the commits being merged have good GPG signatures and abort the
-	merge in case they do not.
+	Verify that the commits being merged have good and trusted GPG signatures
+	and abort the merge in case they do not.
 
 --summary::
 --no-summary::
diff --git a/builtin/merge.c b/builtin/merge.c
index e57c42c622..bac11d1605 100644
--- a/builtin/merge.c
+++ b/builtin/merge.c
@@ -1248,6 +1248,9 @@ int cmd_merge(int argc, const char **argv, const char *prefix)
 			switch (signature_check.result) {
 			case 'G':
 				break;
+			case 'U':
+				die(_("Commit %s has an untrusted GPG signature, "
+				      "allegedly by %s."), hex, signature_check.signer);
 			case 'B':
 				die(_("Commit %s has a bad GPG signature "
 				      "allegedly by %s."), hex, signature_check.signer);
diff --git a/commit.c b/commit.c
index 94029c9496..516a4ff7d2 100644
--- a/commit.c
+++ b/commit.c
@@ -1047,6 +1047,8 @@ static struct {
 } sigcheck_gpg_status[] = {
 	{ 'G', "\n[GNUPG:] GOODSIG " },
 	{ 'B', "\n[GNUPG:] BADSIG " },
+	{ 'U', "\n[GNUPG:] TRUST_NEVER" },
+	{ 'U', "\n[GNUPG:] TRUST_UNDEFINED" },
 };
 
 static void parse_gpg_output(struct signature_check *sigc)
@@ -1068,11 +1070,13 @@ static void parse_gpg_output(struct signature_check *sigc)
 			found += strlen(sigcheck_gpg_status[i].check);
 		}
 		sigc->result = sigcheck_gpg_status[i].result;
-		sigc->key = xmemdupz(found, 16);
-		found += 17;
-		next = strchrnul(found, '\n');
-		sigc->signer = xmemdupz(found, next - found);
-		break;
+		/* The trust messages are not followed by key/signer information */
+		if (sigc->result != 'U') {
+			sigc->key = xmemdupz(found, 16);
+			found += 17;
+			next = strchrnul(found, '\n');
+			sigc->signer = xmemdupz(found, next - found);
+		}
 	}
 }
 
diff --git a/commit.h b/commit.h
index c24b844ad6..87b4b6cc0c 100644
--- a/commit.h
+++ b/commit.h
@@ -234,11 +234,11 @@ extern void print_commit_list(struct commit_list *list,
 			      const char *format_last);
 
 /*
- * Check the signature of the given commit. The result of the check is stored in
- * sig->result, 'G' for a good signature, 'B' for a bad signature and 'N'
- * for no signature at all.
- * This may allocate memory for sig->gpg_output, sig->gpg_status, sig->signer
- * and sig->key.
+ * Check the signature of the given commit. The result of the check is stored
+ * in sig->check_result, 'G' for a good signature, 'U' for a good signature
+ * from an untrusted signer, 'B' for a bad signature and 'N' for no signature
+ * at all.  This may allocate memory for sig->gpg_output, sig->gpg_status,
+ * sig->signer and sig->key.
  */
 extern void check_commit_signature(const struct commit* commit, struct signature_check *sigc);
 
diff --git a/gpg-interface.h b/gpg-interface.h
index 5884aa4052..a85cb5bc97 100644
--- a/gpg-interface.h
+++ b/gpg-interface.h
@@ -6,6 +6,7 @@ struct signature_check {
 	char *gpg_status;
 	char result; /* 0 (not checked),
 		      * N (checked but no further result),
+		      * U (untrusted good),
 		      * G (good)
 		      * B (bad) */
 	char *signer;
diff --git a/t/lib-gpg/pubring.gpg b/t/lib-gpg/pubring.gpg
index 83855fa4e1..1a3c2d487c 100644
Binary files a/t/lib-gpg/pubring.gpg and b/t/lib-gpg/pubring.gpg differ
diff --git a/t/lib-gpg/random_seed b/t/lib-gpg/random_seed
index 8fed1339ed..95d249f15f 100644
Binary files a/t/lib-gpg/random_seed and b/t/lib-gpg/random_seed differ
diff --git a/t/lib-gpg/secring.gpg b/t/lib-gpg/secring.gpg
index d831cd9eb3..82dca8f80b 100644
Binary files a/t/lib-gpg/secring.gpg and b/t/lib-gpg/secring.gpg differ
diff --git a/t/lib-gpg/trustdb.gpg b/t/lib-gpg/trustdb.gpg
index abace962b8..4879ae9a84 100644
Binary files a/t/lib-gpg/trustdb.gpg and b/t/lib-gpg/trustdb.gpg differ
diff --git a/t/t7612-merge-verify-signatures.sh b/t/t7612-merge-verify-signatures.sh
index 6ccfbf367a..21a0bf8fb8 100755
--- a/t/t7612-merge-verify-signatures.sh
+++ b/t/t7612-merge-verify-signatures.sh
@@ -27,6 +27,10 @@ test_expect_success GPG 'create signed commits' '
 	git hash-object -w -t commit forged >forged.commit &&
 	git checkout initial &&
 
+	git checkout -b side-untrusted &&
+	echo 3 >baz && git add baz &&
+	test_tick && git commit -SB7227189 -m "untrusted on side"
+
 	git checkout master
 '
 
@@ -40,6 +44,11 @@ test_expect_success GPG 'merge commit with bad signature with verification' '
 	test_i18ngrep "has a bad GPG signature" mergeerror
 '
 
+test_expect_success GPG 'merge commit with untrusted signature with verification' '
+	test_must_fail git merge --ff-only --verify-signatures side-untrusted 2>mergeerror &&
+	test_i18ngrep "has an untrusted GPG signature" mergeerror
+'
+
 test_expect_success GPG 'merge signed commit with verification' '
 	git merge --verbose --ff-only --verify-signatures side-signed >mergeoutput &&
 	test_i18ngrep "has a good GPG signature" mergeoutput
-- 
cgit v1.2.3