diff options
| author | Hans Jerry Illikainen <hji@dyntopia.com> | 2019-11-27 18:48:21 +0100 |
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2019-11-30 22:52:35 +0100 |
| commit | 72b006f4bfd30b7c5037c163efaf279ab65bea9c (patch) | |
| tree | 50fdf5a566469f65c1b496efaaee77961775322e /builtin/fmt-merge-msg.c | |
| parent | gpg-interface: limit search for primary key fingerprint (diff) | |
| download | git-72b006f4bfd30b7c5037c163efaf279ab65bea9c.tar.xz git-72b006f4bfd30b7c5037c163efaf279ab65bea9c.zip | |
gpg-interface: prefer check_signature() for GPG verification
This commit refactors the use of verify_signed_buffer() outside of
gpg-interface.c to use check_signature() instead. It also turns
verify_signed_buffer() into a file-local function since it's now only
invoked internally by check_signature().
There were previously two globally scoped functions used in different
parts of Git to perform GPG signature verification:
verify_signed_buffer() and check_signature(). Now only
check_signature() is used.
The verify_signed_buffer() function doesn't guard against duplicate
signatures as described by Michał Górny [1]. Instead it only ensures a
non-erroneous exit code from GPG and the presence of at least one
GOODSIG status field. This stands in contrast with check_signature()
that returns an error if more than one signature is encountered.
The lower degree of verification makes the use of verify_signed_buffer()
problematic if callers don't parse and validate the various parts of the
GPG status message themselves. And processing these messages seems like
a task that should be reserved to gpg-interface.c with the function
check_signature().
Furthermore, the use of verify_signed_buffer() makes it difficult to
introduce new functionality that relies on the content of the GPG status
lines.
Now all operations that does signature verification share a single entry
point to gpg-interface.c. This makes it easier to propagate changed or
additional functionality in GPG signature verification to all parts of
Git, without having odd edge-cases that don't perform the same degree of
verification.
[1] https://dev.gentoo.org/~mgorny/articles/attack-on-git-signature-verification.html
Signed-off-by: Hans Jerry Illikainen <hji@dyntopia.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'builtin/fmt-merge-msg.c')
| -rw-r--r-- | builtin/fmt-merge-msg.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/builtin/fmt-merge-msg.c b/builtin/fmt-merge-msg.c index a4615587fd..f7ed102d8b 100644 --- a/builtin/fmt-merge-msg.c +++ b/builtin/fmt-merge-msg.c @@ -495,6 +495,7 @@ static void fmt_merge_msg_sigs(struct strbuf *out) enum object_type type; unsigned long size, len; char *buf = read_object_file(oid, &type, &size); + struct signature_check sigc = { 0 }; struct strbuf sig = STRBUF_INIT; if (!buf || type != OBJ_TAG) @@ -503,10 +504,12 @@ static void fmt_merge_msg_sigs(struct strbuf *out) if (size == len) ; /* merely annotated */ - else if (verify_signed_buffer(buf, len, buf + len, size - len, &sig, NULL)) { - if (!sig.len) - strbuf_addstr(&sig, "gpg verification failed.\n"); - } + else if (!check_signature(buf, len, buf + len, size - len, + &sigc)) { + strbuf_addstr(&sig, sigc.gpg_output); + signature_check_clear(&sigc); + } else + strbuf_addstr(&sig, "gpg verification failed.\n"); if (!tag_number++) { fmt_tag_signature(&tagbuf, &sig, buf, len); |