[thirdparty/git.git] / t / t7612-merge-verify-signatures.sh

#!/bin/sh

test_description='merge signature verification tests'
GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME=main
export GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME

. ./test-lib.sh
. "$TEST_DIRECTORY/lib-gpg.sh"

test_expect_success GPG 'create signed commits' '
	echo 1 >file && git add file &&
	test_tick && git commit -m initial &&
	git tag initial &&

	git checkout -b side-signed &&
	echo 3 >elif && git add elif &&
	test_tick && git commit -S -m "signed on side" &&
	git checkout initial &&

	git checkout -b side-unsigned &&
	echo 3 >foo && git add foo &&
	test_tick && git commit -m "unsigned on side" &&
	git checkout initial &&

	git checkout -b side-bad &&
	echo 3 >bar && git add bar &&
	test_tick && git commit -S -m "bad on side" &&
	git cat-file commit side-bad >raw &&
	sed -e "s/^bad/forged bad/" raw >forged &&
	git hash-object -w -t commit forged >forged.commit &&
	git checkout initial &&

	git checkout -b side-untrusted &&
	echo 3 >baz && git add baz &&
	test_tick && git commit -SB7227189 -m "untrusted on side" &&

	git checkout main
'

test_expect_success GPG 'merge unsigned commit with verification' '
	test_when_finished "git reset --hard && git checkout initial" &&
	test_must_fail git merge --ff-only --verify-signatures side-unsigned 2>mergeerror &&
	test_i18ngrep "does not have a GPG signature" mergeerror
'

test_expect_success GPG 'merge unsigned commit with merge.verifySignatures=true' '
	test_when_finished "git reset --hard && git checkout initial" &&
	test_config merge.verifySignatures true &&
	test_must_fail git merge --ff-only side-unsigned 2>mergeerror &&
	test_i18ngrep "does not have a GPG signature" mergeerror
'

test_expect_success GPG 'merge commit with bad signature with verification' '
	test_when_finished "git reset --hard && git checkout initial" &&
	test_must_fail git merge --ff-only --verify-signatures $(cat forged.commit) 2>mergeerror &&
	test_i18ngrep "has a bad GPG signature" mergeerror
'

test_expect_success GPG 'merge commit with bad signature with merge.verifySignatures=true' '
	test_when_finished "git reset --hard && git checkout initial" &&
	test_config merge.verifySignatures true &&
	test_must_fail git merge --ff-only $(cat forged.commit) 2>mergeerror &&
	test_i18ngrep "has a bad GPG signature" mergeerror
'

test_expect_success GPG 'merge commit with untrusted signature with verification' '
	test_when_finished "git reset --hard && git checkout initial" &&
	test_must_fail git merge --ff-only --verify-signatures side-untrusted 2>mergeerror &&
	test_i18ngrep "has an untrusted GPG signature" mergeerror
'

test_expect_success GPG 'merge commit with untrusted signature with verification and high minTrustLevel' '
	test_when_finished "git reset --hard && git checkout initial" &&
	test_config gpg.minTrustLevel marginal &&
	test_must_fail git merge --ff-only --verify-signatures side-untrusted 2>mergeerror &&
	test_i18ngrep "has an untrusted GPG signature" mergeerror
'

test_expect_success GPG 'merge commit with untrusted signature with verification and low minTrustLevel' '
	test_when_finished "git reset --hard && git checkout initial" &&
	test_config gpg.minTrustLevel undefined &&
	git merge --ff-only --verify-signatures side-untrusted >mergeoutput &&
	test_i18ngrep "has a good GPG signature" mergeoutput
'

test_expect_success GPG 'merge commit with untrusted signature with merge.verifySignatures=true' '
	test_when_finished "git reset --hard && git checkout initial" &&
	test_config merge.verifySignatures true &&
	test_must_fail git merge --ff-only side-untrusted 2>mergeerror &&
	test_i18ngrep "has an untrusted GPG signature" mergeerror
'

test_expect_success GPG 'merge commit with untrusted signature with merge.verifySignatures=true and minTrustLevel' '
	test_when_finished "git reset --hard && git checkout initial" &&
	test_config merge.verifySignatures true &&
	test_config gpg.minTrustLevel marginal &&
	test_must_fail git merge --ff-only side-untrusted 2>mergeerror &&
	test_i18ngrep "has an untrusted GPG signature" mergeerror
'

test_expect_success GPG 'merge signed commit with verification' '
	test_when_finished "git reset --hard && git checkout initial" &&
	git merge --verbose --ff-only --verify-signatures side-signed >mergeoutput &&
	test_i18ngrep "has a good GPG signature" mergeoutput
'

test_expect_success GPG 'merge signed commit with merge.verifySignatures=true' '
	test_when_finished "git reset --hard && git checkout initial" &&
	test_config merge.verifySignatures true &&
	git merge --verbose --ff-only side-signed >mergeoutput &&
	test_i18ngrep "has a good GPG signature" mergeoutput
'

test_expect_success GPG 'merge commit with bad signature without verification' '
	test_when_finished "git reset --hard && git checkout initial" &&
	git merge $(cat forged.commit)
'

test_expect_success GPG 'merge commit with bad signature with merge.verifySignatures=false' '
	test_when_finished "git reset --hard && git checkout initial" &&
	test_config merge.verifySignatures false &&
	git merge $(cat forged.commit)
'

test_expect_success GPG 'merge commit with bad signature with merge.verifySignatures=true and --no-verify-signatures' '
	test_when_finished "git reset --hard && git checkout initial" &&
	test_config merge.verifySignatures true &&
	git merge --no-verify-signatures $(cat forged.commit)
'

test_expect_success GPG 'merge unsigned commit into unborn branch' '
	test_when_finished "git checkout initial" &&
	git checkout --orphan unborn &&
	test_must_fail git merge --verify-signatures side-unsigned 2>mergeerror &&
	test_i18ngrep "does not have a GPG signature" mergeerror
'

test_done
Commit	Line	Data
efed0022 SG	1	#!/bin/sh
	2
	3	test_description='merge signature verification tests'
1e2ae142	4	GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME=main
334afbc7 JS	5	export GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME
334afbc7 JS	6
efed0022 SG	7	. ./test-lib.sh
	8	. "$TEST_DIRECTORY/lib-gpg.sh"
	9
	10	test_expect_success GPG 'create signed commits' '
	11	echo 1 >file && git add file &&
	12	test_tick && git commit -m initial &&
	13	git tag initial &&
	14
	15	git checkout -b side-signed &&
	16	echo 3 >elif && git add elif &&
	17	test_tick && git commit -S -m "signed on side" &&
	18	git checkout initial &&
	19
	20	git checkout -b side-unsigned &&
	21	echo 3 >foo && git add foo &&
	22	test_tick && git commit -m "unsigned on side" &&
	23	git checkout initial &&
	24
	25	git checkout -b side-bad &&
	26	echo 3 >bar && git add bar &&
	27	test_tick && git commit -S -m "bad on side" &&
	28	git cat-file commit side-bad >raw &&
2f3cbcd8	29	sed -e "s/^bad/forged bad/" raw >forged &&
efed0022 SG	30	git hash-object -w -t commit forged >forged.commit &&
	31	git checkout initial &&
	32
eb307ae7 SG	33	git checkout -b side-untrusted &&
eb307ae7 SG	34	echo 3 >baz && git add baz &&
99094a7a	35	test_tick && git commit -SB7227189 -m "untrusted on side" &&
eb307ae7	36
1e2ae142	37	git checkout main
efed0022 SG	38	'
	39
	40	test_expect_success GPG 'merge unsigned commit with verification' '
fb2afea3	41	test_when_finished "git reset --hard && git checkout initial" &&
efed0022 SG	42	test_must_fail git merge --ff-only --verify-signatures side-unsigned 2>mergeerror &&
	43	test_i18ngrep "does not have a GPG signature" mergeerror
	44	'
	45
ca779e82	46	test_expect_success GPG 'merge unsigned commit with merge.verifySignatures=true' '
fb2afea3	47	test_when_finished "git reset --hard && git checkout initial" &&
ca779e82 HJI	48	test_config merge.verifySignatures true &&
	49	test_must_fail git merge --ff-only side-unsigned 2>mergeerror &&
	50	test_i18ngrep "does not have a GPG signature" mergeerror
	51	'
	52
efed0022	53	test_expect_success GPG 'merge commit with bad signature with verification' '
fb2afea3	54	test_when_finished "git reset --hard && git checkout initial" &&
efed0022 SG	55	test_must_fail git merge --ff-only --verify-signatures $(cat forged.commit) 2>mergeerror &&
	56	test_i18ngrep "has a bad GPG signature" mergeerror
	57	'
	58
ca779e82	59	test_expect_success GPG 'merge commit with bad signature with merge.verifySignatures=true' '
fb2afea3	60	test_when_finished "git reset --hard && git checkout initial" &&
ca779e82 HJI	61	test_config merge.verifySignatures true &&
	62	test_must_fail git merge --ff-only $(cat forged.commit) 2>mergeerror &&
	63	test_i18ngrep "has a bad GPG signature" mergeerror
	64	'
	65
eb307ae7	66	test_expect_success GPG 'merge commit with untrusted signature with verification' '
fb2afea3	67	test_when_finished "git reset --hard && git checkout initial" &&
eb307ae7 SG	68	test_must_fail git merge --ff-only --verify-signatures side-untrusted 2>mergeerror &&
	69	test_i18ngrep "has an untrusted GPG signature" mergeerror
	70	'
	71
54887b46 HJI	72	test_expect_success GPG 'merge commit with untrusted signature with verification and high minTrustLevel' '
	73	test_when_finished "git reset --hard && git checkout initial" &&
	74	test_config gpg.minTrustLevel marginal &&
	75	test_must_fail git merge --ff-only --verify-signatures side-untrusted 2>mergeerror &&
	76	test_i18ngrep "has an untrusted GPG signature" mergeerror
	77	'
	78
	79	test_expect_success GPG 'merge commit with untrusted signature with verification and low minTrustLevel' '
	80	test_when_finished "git reset --hard && git checkout initial" &&
	81	test_config gpg.minTrustLevel undefined &&
	82	git merge --ff-only --verify-signatures side-untrusted >mergeoutput &&
	83	test_i18ngrep "has a good GPG signature" mergeoutput
	84	'
	85
ca779e82	86	test_expect_success GPG 'merge commit with untrusted signature with merge.verifySignatures=true' '
fb2afea3	87	test_when_finished "git reset --hard && git checkout initial" &&
ca779e82 HJI	88	test_config merge.verifySignatures true &&
	89	test_must_fail git merge --ff-only side-untrusted 2>mergeerror &&
	90	test_i18ngrep "has an untrusted GPG signature" mergeerror
	91	'
	92
54887b46 HJI	93	test_expect_success GPG 'merge commit with untrusted signature with merge.verifySignatures=true and minTrustLevel' '
	94	test_when_finished "git reset --hard && git checkout initial" &&
	95	test_config merge.verifySignatures true &&
	96	test_config gpg.minTrustLevel marginal &&
	97	test_must_fail git merge --ff-only side-untrusted 2>mergeerror &&
	98	test_i18ngrep "has an untrusted GPG signature" mergeerror
	99	'
	100
efed0022	101	test_expect_success GPG 'merge signed commit with verification' '
fb2afea3	102	test_when_finished "git reset --hard && git checkout initial" &&
efed0022 SG	103	git merge --verbose --ff-only --verify-signatures side-signed >mergeoutput &&
	104	test_i18ngrep "has a good GPG signature" mergeoutput
	105	'
	106
ca779e82	107	test_expect_success GPG 'merge signed commit with merge.verifySignatures=true' '
fb2afea3	108	test_when_finished "git reset --hard && git checkout initial" &&
ca779e82 HJI	109	test_config merge.verifySignatures true &&
	110	git merge --verbose --ff-only side-signed >mergeoutput &&
	111	test_i18ngrep "has a good GPG signature" mergeoutput
	112	'
	113
efed0022	114	test_expect_success GPG 'merge commit with bad signature without verification' '
fb2afea3	115	test_when_finished "git reset --hard && git checkout initial" &&
ca779e82 HJI	116	git merge $(cat forged.commit)
	117	'
	118
	119	test_expect_success GPG 'merge commit with bad signature with merge.verifySignatures=false' '
fb2afea3	120	test_when_finished "git reset --hard && git checkout initial" &&
ca779e82	121	test_config merge.verifySignatures false &&
efed0022 SG	122	git merge $(cat forged.commit)
	123	'
	124
ca779e82	125	test_expect_success GPG 'merge commit with bad signature with merge.verifySignatures=true and --no-verify-signatures' '
fb2afea3	126	test_when_finished "git reset --hard && git checkout initial" &&
ca779e82 HJI	127	test_config merge.verifySignatures true &&
	128	git merge --no-verify-signatures $(cat forged.commit)
	129	'
	130
7488ba3e JK	131	test_expect_success GPG 'merge unsigned commit into unborn branch' '
	132	test_when_finished "git checkout initial" &&
	133	git checkout --orphan unborn &&
	134	test_must_fail git merge --verify-signatures side-unsigned 2>mergeerror &&
	135	test_i18ngrep "does not have a GPG signature" mergeerror
	136	'
	137
efed0022	138	test_done