]> git.ipfire.org Git - thirdparty/git.git/blame - gpg-interface.c
reftable: read reftable files
[thirdparty/git.git] / gpg-interface.c
CommitLineData
2f47eae2 1#include "cache.h"
9b27b492 2#include "commit.h"
b2141fc1 3#include "config.h"
2f47eae2
JH
4#include "run-command.h"
5#include "strbuf.h"
6#include "gpg-interface.h"
7#include "sigchain.h"
4322353b 8#include "tempfile.h"
2f47eae2
JH
9
10static char *configured_signing_key;
54887b46
HJI
11static enum signature_trust_level configured_min_trust_level = TRUST_UNDEFINED;
12
58af57e1
HS
13struct gpg_format {
14 const char *name;
15 const char *program;
16 const char **verify_args;
17 const char **sigs;
18};
19
20static const char *openpgp_verify_args[] = {
21 "--keyid-format=long",
22 NULL
23};
24static const char *openpgp_sigs[] = {
25 "-----BEGIN PGP SIGNATURE-----",
26 "-----BEGIN PGP MESSAGE-----",
27 NULL
28};
29
1e7adb97
HS
30static const char *x509_verify_args[] = {
31 NULL
32};
33static const char *x509_sigs[] = {
34 "-----BEGIN SIGNED MESSAGE-----",
35 NULL
36};
37
58af57e1
HS
38static struct gpg_format gpg_format[] = {
39 { .name = "openpgp", .program = "gpg",
40 .verify_args = openpgp_verify_args,
41 .sigs = openpgp_sigs
42 },
1e7adb97
HS
43 { .name = "x509", .program = "gpgsm",
44 .verify_args = x509_verify_args,
45 .sigs = x509_sigs
46 },
58af57e1
HS
47};
48
49static struct gpg_format *use_format = &gpg_format[0];
2f47eae2 50
58af57e1
HS
51static struct gpg_format *get_format_by_name(const char *str)
52{
53 int i;
54
55 for (i = 0; i < ARRAY_SIZE(gpg_format); i++)
56 if (!strcmp(gpg_format[i].name, str))
57 return gpg_format + i;
58 return NULL;
59}
60
61static struct gpg_format *get_format_by_sig(const char *sig)
62{
63 int i, j;
64
65 for (i = 0; i < ARRAY_SIZE(gpg_format); i++)
66 for (j = 0; gpg_format[i].sigs[j]; j++)
67 if (starts_with(sig, gpg_format[i].sigs[j]))
68 return gpg_format + i;
69 return NULL;
70}
d7c67668 71
01e57b5d
MG
72void signature_check_clear(struct signature_check *sigc)
73{
88ce3ef6
ÆAB
74 FREE_AND_NULL(sigc->payload);
75 FREE_AND_NULL(sigc->gpg_output);
76 FREE_AND_NULL(sigc->gpg_status);
77 FREE_AND_NULL(sigc->signer);
78 FREE_AND_NULL(sigc->key);
3daaaabe 79 FREE_AND_NULL(sigc->fingerprint);
4de9394d 80 FREE_AND_NULL(sigc->primary_key_fingerprint);
01e57b5d
MG
81}
82
da6cf1b3
MG
83/* An exclusive status -- only one of them can appear in output */
84#define GPG_STATUS_EXCLUSIVE (1<<0)
0b11a84e
MG
85/* The status includes key identifier */
86#define GPG_STATUS_KEYID (1<<1)
87/* The status includes user identifier */
88#define GPG_STATUS_UID (1<<2)
3daaaabe
MG
89/* The status includes key fingerprints */
90#define GPG_STATUS_FINGERPRINT (1<<3)
54887b46
HJI
91/* The status includes trust level */
92#define GPG_STATUS_TRUST_LEVEL (1<<4)
0b11a84e
MG
93
94/* Short-hand for standard exclusive *SIG status with keyid & UID */
95#define GPG_STATUS_STDSIG (GPG_STATUS_EXCLUSIVE|GPG_STATUS_KEYID|GPG_STATUS_UID)
da6cf1b3 96
a50e7ca3
JH
97static struct {
98 char result;
99 const char *check;
da6cf1b3 100 unsigned int flags;
a50e7ca3 101} sigcheck_gpg_status[] = {
0b11a84e
MG
102 { 'G', "GOODSIG ", GPG_STATUS_STDSIG },
103 { 'B', "BADSIG ", GPG_STATUS_STDSIG },
0b11a84e
MG
104 { 'E', "ERRSIG ", GPG_STATUS_EXCLUSIVE|GPG_STATUS_KEYID },
105 { 'X', "EXPSIG ", GPG_STATUS_STDSIG },
106 { 'Y', "EXPKEYSIG ", GPG_STATUS_STDSIG },
107 { 'R', "REVKEYSIG ", GPG_STATUS_STDSIG },
3daaaabe 108 { 0, "VALIDSIG ", GPG_STATUS_FINGERPRINT },
54887b46
HJI
109 { 0, "TRUST_", GPG_STATUS_TRUST_LEVEL },
110};
111
112static struct {
113 const char *key;
114 enum signature_trust_level value;
115} sigcheck_gpg_trust_level[] = {
116 { "UNDEFINED", TRUST_UNDEFINED },
117 { "NEVER", TRUST_NEVER },
118 { "MARGINAL", TRUST_MARGINAL },
119 { "FULLY", TRUST_FULLY },
120 { "ULTIMATE", TRUST_ULTIMATE },
a50e7ca3
JH
121};
122
392b862e
HJI
123static void replace_cstring(char **field, const char *line, const char *next)
124{
125 free(*field);
126
127 if (line && next)
128 *field = xmemdupz(line, next - line);
129 else
130 *field = NULL;
131}
132
54887b46
HJI
133static int parse_gpg_trust_level(const char *level,
134 enum signature_trust_level *res)
135{
136 size_t i;
137
138 for (i = 0; i < ARRAY_SIZE(sigcheck_gpg_trust_level); i++) {
139 if (!strcmp(sigcheck_gpg_trust_level[i].key, level)) {
140 *res = sigcheck_gpg_trust_level[i].value;
141 return 0;
142 }
143 }
144 return 1;
145}
146
fbd0f166 147static void parse_gpg_output(struct signature_check *sigc)
a50e7ca3
JH
148{
149 const char *buf = sigc->gpg_status;
da6cf1b3 150 const char *line, *next;
4de9394d 151 int i, j;
da6cf1b3
MG
152 int seen_exclusive_status = 0;
153
154 /* Iterate over all lines */
155 for (line = buf; *line; line = strchrnul(line+1, '\n')) {
156 while (*line == '\n')
157 line++;
64c45dc7
SR
158 if (!*line)
159 break;
160
da6cf1b3
MG
161 /* Skip lines that don't start with GNUPG status */
162 if (!skip_prefix(line, "[GNUPG:] ", &line))
163 continue;
164
165 /* Iterate over all search strings */
166 for (i = 0; i < ARRAY_SIZE(sigcheck_gpg_status); i++) {
167 if (skip_prefix(line, sigcheck_gpg_status[i].check, &line)) {
54887b46
HJI
168 /*
169 * GOODSIG, BADSIG etc. can occur only once for
170 * each signature. Therefore, if we had more
171 * than one then we're dealing with multiple
172 * signatures. We don't support them
173 * currently, and they're rather hard to
174 * create, so something is likely fishy and we
175 * should reject them altogether.
176 */
da6cf1b3 177 if (sigcheck_gpg_status[i].flags & GPG_STATUS_EXCLUSIVE) {
02561896 178 if (seen_exclusive_status++)
54887b46 179 goto error;
da6cf1b3
MG
180 }
181
3daaaabe
MG
182 if (sigcheck_gpg_status[i].result)
183 sigc->result = sigcheck_gpg_status[i].result;
0b11a84e
MG
184 /* Do we have key information? */
185 if (sigcheck_gpg_status[i].flags & GPG_STATUS_KEYID) {
da6cf1b3 186 next = strchrnul(line, ' ');
392b862e 187 replace_cstring(&sigc->key, line, next);
0b11a84e
MG
188 /* Do we have signer information? */
189 if (*next && (sigcheck_gpg_status[i].flags & GPG_STATUS_UID)) {
da6cf1b3
MG
190 line = next + 1;
191 next = strchrnul(line, '\n');
392b862e 192 replace_cstring(&sigc->signer, line, next);
da6cf1b3
MG
193 }
194 }
54887b46
HJI
195
196 /* Do we have trust level? */
197 if (sigcheck_gpg_status[i].flags & GPG_STATUS_TRUST_LEVEL) {
198 /*
199 * GPG v1 and v2 differs in how the
200 * TRUST_ lines are written. Some
201 * trust lines contain no additional
202 * space-separated information for v1.
203 */
204 size_t trust_size = strcspn(line, " \n");
205 char *trust = xmemdupz(line, trust_size);
206
207 if (parse_gpg_trust_level(trust, &sigc->trust_level)) {
208 free(trust);
209 goto error;
210 }
211 free(trust);
212 }
213
3daaaabe
MG
214 /* Do we have fingerprint? */
215 if (sigcheck_gpg_status[i].flags & GPG_STATUS_FINGERPRINT) {
67a6ea63
HJI
216 const char *limit;
217 char **field;
218
3daaaabe 219 next = strchrnul(line, ' ');
392b862e 220 replace_cstring(&sigc->fingerprint, line, next);
4de9394d 221
67a6ea63
HJI
222 /*
223 * Skip interim fields. The search is
224 * limited to the same line since only
225 * OpenPGP signatures has a field with
226 * the primary fingerprint.
227 */
228 limit = strchrnul(line, '\n');
4de9394d 229 for (j = 9; j > 0; j--) {
67a6ea63 230 if (!*next || limit <= next)
4de9394d
MG
231 break;
232 line = next + 1;
233 next = strchrnul(line, ' ');
234 }
235
67a6ea63
HJI
236 field = &sigc->primary_key_fingerprint;
237 if (!j) {
238 next = strchrnul(line, '\n');
239 replace_cstring(field, line, next);
240 } else {
241 replace_cstring(field, NULL, NULL);
242 }
3daaaabe 243 }
da6cf1b3
MG
244
245 break;
661a1806 246 }
a50e7ca3
JH
247 }
248 }
da6cf1b3
MG
249 return;
250
54887b46 251error:
da6cf1b3
MG
252 sigc->result = 'E';
253 /* Clear partial data to avoid confusion */
4de9394d 254 FREE_AND_NULL(sigc->primary_key_fingerprint);
3daaaabe 255 FREE_AND_NULL(sigc->fingerprint);
da6cf1b3
MG
256 FREE_AND_NULL(sigc->signer);
257 FREE_AND_NULL(sigc->key);
a50e7ca3
JH
258}
259
67948981
HJI
260static int verify_signed_buffer(const char *payload, size_t payload_size,
261 const char *signature, size_t signature_size,
262 struct strbuf *gpg_output,
263 struct strbuf *gpg_status)
264{
265 struct child_process gpg = CHILD_PROCESS_INIT;
266 struct gpg_format *fmt;
267 struct tempfile *temp;
268 int ret;
269 struct strbuf buf = STRBUF_INIT;
270
271 temp = mks_tempfile_t(".git_vtag_tmpXXXXXX");
272 if (!temp)
273 return error_errno(_("could not create temporary file"));
274 if (write_in_full(temp->fd, signature, signature_size) < 0 ||
275 close_tempfile_gently(temp) < 0) {
276 error_errno(_("failed writing detached signature to '%s'"),
277 temp->filename.buf);
278 delete_tempfile(&temp);
279 return -1;
280 }
281
282 fmt = get_format_by_sig(signature);
283 if (!fmt)
284 BUG("bad signature '%s'", signature);
285
ef8d7ac4
JK
286 strvec_push(&gpg.args, fmt->program);
287 strvec_pushv(&gpg.args, fmt->verify_args);
288 strvec_pushl(&gpg.args,
f6d8942b
JK
289 "--status-fd=1",
290 "--verify", temp->filename.buf, "-",
291 NULL);
67948981
HJI
292
293 if (!gpg_status)
294 gpg_status = &buf;
295
296 sigchain_push(SIGPIPE, SIG_IGN);
297 ret = pipe_command(&gpg, payload, payload_size,
298 gpg_status, 0, gpg_output, 0);
299 sigchain_pop(SIGPIPE);
300
301 delete_tempfile(&temp);
302
303 ret |= !strstr(gpg_status->buf, "\n[GNUPG:] GOODSIG ");
304 strbuf_release(&buf); /* no matter it was used or not */
305
306 return ret;
307}
308
434060ec 309int check_signature(const char *payload, size_t plen, const char *signature,
a4cc18f2 310 size_t slen, struct signature_check *sigc)
311{
312 struct strbuf gpg_output = STRBUF_INIT;
313 struct strbuf gpg_status = STRBUF_INIT;
314 int status;
315
316 sigc->result = 'N';
54887b46 317 sigc->trust_level = -1;
a4cc18f2 318
319 status = verify_signed_buffer(payload, plen, signature, slen,
320 &gpg_output, &gpg_status);
321 if (status && !gpg_output.len)
322 goto out;
323 sigc->payload = xmemdupz(payload, plen);
324 sigc->gpg_output = strbuf_detach(&gpg_output, NULL);
325 sigc->gpg_status = strbuf_detach(&gpg_status, NULL);
326 parse_gpg_output(sigc);
54887b46
HJI
327 status |= sigc->result != 'G';
328 status |= sigc->trust_level < configured_min_trust_level;
a4cc18f2 329
330 out:
331 strbuf_release(&gpg_status);
332 strbuf_release(&gpg_output);
434060ec 333
4e5dc9ca 334 return !!status;
a4cc18f2 335}
336
ca194d50 337void print_signature_buffer(const struct signature_check *sigc, unsigned flags)
338{
aeff29dd 339 const char *output = flags & GPG_VERIFY_RAW ?
340 sigc->gpg_status : sigc->gpg_output;
341
ca194d50 342 if (flags & GPG_VERIFY_VERBOSE && sigc->payload)
343 fputs(sigc->payload, stdout);
344
aeff29dd 345 if (output)
346 fputs(output, stderr);
ca194d50 347}
348
482c1191 349size_t parse_signed_buffer(const char *buf, size_t size)
d7c67668 350{
d7c67668 351 size_t len = 0;
8b44b2be
JK
352 size_t match = size;
353 while (len < size) {
354 const char *eol;
355
58af57e1 356 if (get_format_by_sig(buf + len))
8b44b2be
JK
357 match = len;
358
359 eol = memchr(buf + len, '\n', size - len);
d7c67668
JH
360 len += eol ? eol - (buf + len) + 1 : size - len;
361 }
8b44b2be 362 return match;
d7c67668
JH
363}
364
482c1191 365int parse_signature(const char *buf, size_t size, struct strbuf *payload, struct strbuf *signature)
366{
367 size_t match = parse_signed_buffer(buf, size);
368 if (match != size) {
369 strbuf_add(payload, buf, match);
9b27b492 370 remove_signature(payload);
482c1191 371 strbuf_add(signature, buf + match, size - match);
372 return 1;
373 }
374 return 0;
375}
376
2f47eae2
JH
377void set_signing_key(const char *key)
378{
379 free(configured_signing_key);
380 configured_signing_key = xstrdup(key);
381}
382
383int git_gpg_config(const char *var, const char *value, void *cb)
384{
58af57e1
HS
385 struct gpg_format *fmt = NULL;
386 char *fmtname = NULL;
54887b46
HJI
387 char *trust;
388 int ret;
58af57e1 389
2f47eae2 390 if (!strcmp(var, "user.signingkey")) {
1b0eeec3
JK
391 if (!value)
392 return config_error_nonbool(var);
0c5e70f0 393 set_signing_key(value);
1b0eeec3 394 return 0;
0c5e70f0 395 }
1b0eeec3 396
57a8dd75
HS
397 if (!strcmp(var, "gpg.format")) {
398 if (!value)
399 return config_error_nonbool(var);
58af57e1
HS
400 fmt = get_format_by_name(value);
401 if (!fmt)
57a8dd75
HS
402 return error("unsupported value for %s: %s",
403 var, value);
58af57e1
HS
404 use_format = fmt;
405 return 0;
57a8dd75
HS
406 }
407
54887b46
HJI
408 if (!strcmp(var, "gpg.mintrustlevel")) {
409 if (!value)
410 return config_error_nonbool(var);
411
412 trust = xstrdup_toupper(value);
413 ret = parse_gpg_trust_level(trust, &configured_min_trust_level);
414 free(trust);
415
416 if (ret)
417 return error("unsupported value for %s: %s", var,
418 value);
419 return 0;
420 }
421
b02f51b1 422 if (!strcmp(var, "gpg.program") || !strcmp(var, "gpg.openpgp.program"))
58af57e1
HS
423 fmtname = "openpgp";
424
1e7adb97
HS
425 if (!strcmp(var, "gpg.x509.program"))
426 fmtname = "x509";
427
58af57e1
HS
428 if (fmtname) {
429 fmt = get_format_by_name(fmtname);
430 return git_config_string(&fmt->program, var, value);
2f47eae2 431 }
1b0eeec3 432
2f47eae2
JH
433 return 0;
434}
435
436const char *get_signing_key(void)
437{
438 if (configured_signing_key)
439 return configured_signing_key;
f9bc573f 440 return git_committer_info(IDENT_STRICT|IDENT_NO_DATE);
2f47eae2
JH
441}
442
2f47eae2
JH
443int sign_buffer(struct strbuf *buffer, struct strbuf *signature, const char *signing_key)
444{
d3180279 445 struct child_process gpg = CHILD_PROCESS_INIT;
0581b546 446 int ret;
2f47eae2 447 size_t i, j, bottom;
efee9553 448 struct strbuf gpg_status = STRBUF_INIT;
2f47eae2 449
ef8d7ac4 450 strvec_pushl(&gpg.args,
f6d8942b
JK
451 use_format->program,
452 "--status-fd=2",
453 "-bsau", signing_key,
454 NULL);
2f47eae2 455
0581b546 456 bottom = signature->len;
2f47eae2
JH
457
458 /*
459 * When the username signingkey is bad, program could be terminated
460 * because gpg exits without reading and then write gets SIGPIPE.
461 */
462 sigchain_push(SIGPIPE, SIG_IGN);
0581b546 463 ret = pipe_command(&gpg, buffer->buf, buffer->len,
efee9553 464 signature, 1024, &gpg_status, 0);
2f47eae2
JH
465 sigchain_pop(SIGPIPE);
466
efee9553
MG
467 ret |= !strstr(gpg_status.buf, "\n[GNUPG:] SIG_CREATED ");
468 strbuf_release(&gpg_status);
469 if (ret)
2f47eae2
JH
470 return error(_("gpg failed to sign the data"));
471
472 /* Strip CR from the line endings, in case we are on Windows. */
473 for (i = j = bottom; i < signature->len; i++)
474 if (signature->buf[i] != '\r') {
475 if (i != j)
476 signature->buf[j] = signature->buf[i];
477 j++;
478 }
479 strbuf_setlen(signature, j);
480
481 return 0;
482}