verify-tag: add option to print raw gpg status information

verify-tag by default displays human-readable output on standard error.
However, it can also be useful to get access to the raw gpg status
information, which is machine-readable, allowing automated
implementation of signing policy.  Add a --raw option to make verify-tag
produce the gpg status information on standard error instead of the
human-readable format.

Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

diff --git a/Documentation/git-verify-tag.txt b/Documentation/git-verify-tag.txt
index f88ba96f023ac9f497f01ef699d0931a6d14e59a..d590edcebd99a3c9321cfdc00499aa6996b78a5b 100644 (file)
--- a/Documentation/git-verify-tag.txt
+++ b/Documentation/git-verify-tag.txt
@@ -16,6 +16,10 @@ Validates the gpg signature created by 'git tag'.
 
 OPTIONS
 -------
+--raw::
+       Print the raw gpg status output to standard error instead of the normal
+       human-readable output.
+
 -v::
 --verbose::
        Print the contents of the tag object before validating it.

diff --git a/builtin/verify-tag.c b/builtin/verify-tag.c
index d67e3dbd10f651799c8632f65ea043e95b9b4133..00663f6a3003976aaa33f08ae7309fc190ea4748 100644 (file)
--- a/builtin/verify-tag.c
+++ b/builtin/verify-tag.c
@@ -18,7 +18,7 @@ static const char * const verify_tag_usage[] = {
                NULL
 };
 
-static int run_gpg_verify(const char *buf, unsigned long size, int verbose)
+static int run_gpg_verify(const char *buf, unsigned long size, unsigned flags)
 {
        struct signature_check sigc;
        int len;
@@ -29,19 +29,19 @@ static int run_gpg_verify(const char *buf, unsigned long size, int verbose)
        len = parse_signature(buf, size);
 
        if (size == len) {
-               if (verbose)
+               if (flags & GPG_VERIFY_VERBOSE)
                        write_in_full(1, buf, len);
                return error("no signature found");
        }
 
        ret = check_signature(buf, len, buf + len, size - len, &sigc);
-       print_signature_buffer(&sigc, verbose ? GPG_VERIFY_VERBOSE : 0);
+       print_signature_buffer(&sigc, flags);
 
        signature_check_clear(&sigc);
        return ret;
 }
 
-static int verify_tag(const char *name, int verbose)
+static int verify_tag(const char *name, unsigned flags)
 {
        enum object_type type;
        unsigned char sha1[20];
@@ -61,7 +61,7 @@ static int verify_tag(const char *name, int verbose)
        if (!buf)
                return error("%s: unable to read file.", name);
 
-       ret = run_gpg_verify(buf, size, verbose);
+       ret = run_gpg_verify(buf, size, flags);
 
        free(buf);
        return ret;
@@ -78,8 +78,10 @@ static int git_verify_tag_config(const char *var, const char *value, void *cb)
 int cmd_verify_tag(int argc, const char **argv, const char *prefix)
 {
        int i = 1, verbose = 0, had_error = 0;
+       unsigned flags = 0;
        const struct option verify_tag_options[] = {
                OPT__VERBOSE(&verbose, N_("print tag contents")),
+               OPT_BIT(0, "raw", &flags, N_("print raw gpg status output"), GPG_VERIFY_RAW),
                OPT_END()
        };
 
@@ -90,11 +92,14 @@ int cmd_verify_tag(int argc, const char **argv, const char *prefix)
        if (argc <= i)
                usage_with_options(verify_tag_usage, verify_tag_options);
 
+       if (verbose)
+               flags |= GPG_VERIFY_VERBOSE;
+
        /* sometimes the program was terminated because this signal
         * was received in the process of writing the gpg input: */
        signal(SIGPIPE, SIG_IGN);
        while (i < argc)
-               if (verify_tag(argv[i++], verbose))
+               if (verify_tag(argv[i++], flags))
                        had_error = 1;
        return had_error;
 }

diff --git a/t/t7030-verify-tag.sh b/t/t7030-verify-tag.sh
index 632bc53440404fca768736fd57108e5c9737446e..4608e713438f93087d12664a17654c07be38c59f 100755 (executable)
--- a/t/t7030-verify-tag.sh
+++ b/t/t7030-verify-tag.sh
@@ -81,4 +81,35 @@ test_expect_success GPG 'detect fudged signature' '
        ! grep "Good signature from" actual1
 '
 
+test_expect_success GPG 'verify signatures with --raw' '
+       (
+               for tag in initial second merge fourth-signed sixth-signed seventh-signed
+               do
+                       git verify-tag --raw $tag 2>actual &&
+                       grep "GOODSIG" actual &&
+                       ! grep "BADSIG" actual &&
+                       echo $tag OK || exit 1
+               done
+       ) &&
+       (
+               for tag in fourth-unsigned fifth-unsigned sixth-unsigned
+               do
+                       test_must_fail git verify-tag --raw $tag 2>actual &&
+                       ! grep "GOODSIG" actual &&
+                       ! grep "BADSIG" actual &&
+                       echo $tag OK || exit 1
+               done
+       ) &&
+       (
+               for tag in eighth-signed-alt
+               do
+                       git verify-tag --raw $tag 2>actual &&
+                       grep "GOODSIG" actual &&
+                       ! grep "BADSIG" actual &&
+                       grep "TRUST_UNDEFINED" actual &&
+                       echo $tag OK || exit 1
+               done
+       )
+'
+
 test_done