]>
Commit | Line | Data |
---|---|---|
f265f2d6 FS |
1 | #!/bin/sh |
2 | ||
3 | test_description='signed tag tests' | |
4 | GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME=main | |
5 | export GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME | |
6 | ||
7 | . ./test-lib.sh | |
8 | . "$TEST_DIRECTORY/lib-gpg.sh" | |
9 | ||
10 | test_expect_success GPGSSH 'create signed tags ssh' ' | |
11 | test_when_finished "test_unconfig commit.gpgsign" && | |
12 | test_config gpg.format ssh && | |
13 | test_config user.signingkey "${GPGSSH_KEY_PRIMARY}" && | |
14 | ||
15 | echo 1 >file && git add file && | |
16 | test_tick && git commit -m initial && | |
17 | git tag -s -m initial initial && | |
18 | git branch side && | |
19 | ||
20 | echo 2 >file && test_tick && git commit -a -m second && | |
21 | git tag -s -m second second && | |
22 | ||
23 | git checkout side && | |
24 | echo 3 >elif && git add elif && | |
25 | test_tick && git commit -m "third on side" && | |
26 | ||
27 | git checkout main && | |
28 | test_tick && git merge -S side && | |
29 | git tag -s -m merge merge && | |
30 | ||
31 | echo 4 >file && test_tick && git commit -a -S -m "fourth unsigned" && | |
32 | git tag -a -m fourth-unsigned fourth-unsigned && | |
33 | ||
34 | test_tick && git commit --amend -S -m "fourth signed" && | |
35 | git tag -s -m fourth fourth-signed && | |
36 | ||
37 | echo 5 >file && test_tick && git commit -a -m "fifth" && | |
38 | git tag fifth-unsigned && | |
39 | ||
40 | git config commit.gpgsign true && | |
41 | echo 6 >file && test_tick && git commit -a -m "sixth" && | |
42 | git tag -a -m sixth sixth-unsigned && | |
43 | ||
44 | test_tick && git rebase -f HEAD^^ && git tag -s -m 6th sixth-signed HEAD^ && | |
45 | git tag -m seventh -s seventh-signed && | |
46 | ||
47 | echo 8 >file && test_tick && git commit -a -m eighth && | |
48 | git tag -u"${GPGSSH_KEY_UNTRUSTED}" -m eighth eighth-signed-alt | |
49 | ' | |
50 | ||
dd3aa418 FS |
51 | test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'create signed tags with keys having defined lifetimes' ' |
52 | test_when_finished "test_unconfig commit.gpgsign" && | |
53 | test_config gpg.format ssh && | |
54 | ||
55 | echo expired >file && test_tick && git commit -a -m expired -S"${GPGSSH_KEY_EXPIRED}" && | |
56 | git tag -s -u "${GPGSSH_KEY_EXPIRED}" -m expired-signed expired-signed && | |
57 | ||
58 | echo notyetvalid >file && test_tick && git commit -a -m notyetvalid -S"${GPGSSH_KEY_NOTYETVALID}" && | |
59 | git tag -s -u "${GPGSSH_KEY_NOTYETVALID}" -m notyetvalid-signed notyetvalid-signed && | |
60 | ||
61 | echo timeboxedvalid >file && test_tick && git commit -a -m timeboxedvalid -S"${GPGSSH_KEY_TIMEBOXEDVALID}" && | |
62 | git tag -s -u "${GPGSSH_KEY_TIMEBOXEDVALID}" -m timeboxedvalid-signed timeboxedvalid-signed && | |
63 | ||
64 | echo timeboxedinvalid >file && test_tick && git commit -a -m timeboxedinvalid -S"${GPGSSH_KEY_TIMEBOXEDINVALID}" && | |
65 | git tag -s -u "${GPGSSH_KEY_TIMEBOXEDINVALID}" -m timeboxedinvalid-signed timeboxedinvalid-signed | |
66 | ' | |
67 | ||
f265f2d6 FS |
68 | test_expect_success GPGSSH 'verify and show ssh signatures' ' |
69 | test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && | |
70 | ( | |
71 | for tag in initial second merge fourth-signed sixth-signed seventh-signed | |
72 | do | |
73 | git verify-tag $tag 2>actual && | |
74 | grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual && | |
75 | ! grep "${GPGSSH_BAD_SIGNATURE}" actual && | |
76 | echo $tag OK || exit 1 | |
77 | done | |
78 | ) && | |
79 | ( | |
80 | for tag in fourth-unsigned fifth-unsigned sixth-unsigned | |
81 | do | |
82 | test_must_fail git verify-tag $tag 2>actual && | |
83 | ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual && | |
84 | ! grep "${GPGSSH_BAD_SIGNATURE}" actual && | |
85 | echo $tag OK || exit 1 | |
86 | done | |
87 | ) && | |
88 | ( | |
89 | for tag in eighth-signed-alt | |
90 | do | |
91 | test_must_fail git verify-tag $tag 2>actual && | |
92 | grep "${GPGSSH_GOOD_SIGNATURE_UNTRUSTED}" actual && | |
93 | ! grep "${GPGSSH_BAD_SIGNATURE}" actual && | |
94 | grep "${GPGSSH_KEY_NOT_TRUSTED}" actual && | |
95 | echo $tag OK || exit 1 | |
96 | done | |
97 | ) | |
98 | ' | |
99 | ||
dd3aa418 FS |
100 | test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'verify-tag exits failure on expired signature key' ' |
101 | test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && | |
102 | test_must_fail git verify-tag expired-signed 2>actual && | |
103 | ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual | |
104 | ' | |
105 | ||
106 | test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'verify-tag exits failure on not yet valid signature key' ' | |
107 | test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && | |
108 | test_must_fail git verify-tag notyetvalid-signed 2>actual && | |
109 | ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual | |
110 | ' | |
111 | ||
112 | test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'verify-tag succeeds with tag date and key validity matching' ' | |
113 | test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && | |
114 | git verify-tag timeboxedvalid-signed 2>actual && | |
115 | grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual && | |
116 | ! grep "${GPGSSH_BAD_SIGNATURE}" actual | |
117 | ' | |
118 | ||
119 | test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'verify-tag failes with tag date outside of key validity' ' | |
120 | test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && | |
121 | test_must_fail git verify-tag timeboxedinvalid-signed 2>actual && | |
122 | ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual | |
123 | ' | |
124 | ||
f265f2d6 FS |
125 | test_expect_success GPGSSH 'detect fudged ssh signature' ' |
126 | test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && | |
127 | git cat-file tag seventh-signed >raw && | |
128 | sed -e "/^tag / s/seventh/7th forged/" raw >forged1 && | |
129 | git hash-object -w -t tag forged1 >forged1.tag && | |
130 | test_must_fail git verify-tag $(cat forged1.tag) 2>actual1 && | |
131 | grep "${GPGSSH_BAD_SIGNATURE}" actual1 && | |
132 | ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual1 && | |
133 | ! grep "${GPGSSH_GOOD_SIGNATURE_UNTRUSTED}" actual1 | |
134 | ' | |
135 | ||
136 | test_expect_success GPGSSH 'verify ssh signatures with --raw' ' | |
137 | test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && | |
138 | ( | |
139 | for tag in initial second merge fourth-signed sixth-signed seventh-signed | |
140 | do | |
141 | git verify-tag --raw $tag 2>actual && | |
142 | grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual && | |
143 | ! grep "${GPGSSH_BAD_SIGNATURE}" actual && | |
144 | echo $tag OK || exit 1 | |
145 | done | |
146 | ) && | |
147 | ( | |
148 | for tag in fourth-unsigned fifth-unsigned sixth-unsigned | |
149 | do | |
150 | test_must_fail git verify-tag --raw $tag 2>actual && | |
151 | ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual && | |
152 | ! grep "${GPGSSH_BAD_SIGNATURE}" actual && | |
153 | echo $tag OK || exit 1 | |
154 | done | |
155 | ) && | |
156 | ( | |
157 | for tag in eighth-signed-alt | |
158 | do | |
159 | test_must_fail git verify-tag --raw $tag 2>actual && | |
160 | grep "${GPGSSH_GOOD_SIGNATURE_UNTRUSTED}" actual && | |
161 | ! grep "${GPGSSH_BAD_SIGNATURE}" actual && | |
162 | echo $tag OK || exit 1 | |
163 | done | |
164 | ) | |
165 | ' | |
166 | ||
167 | test_expect_success GPGSSH 'verify signatures with --raw ssh' ' | |
168 | test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && | |
169 | git verify-tag --raw sixth-signed 2>actual && | |
170 | grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual && | |
171 | ! grep "${GPGSSH_BAD_SIGNATURE}" actual && | |
172 | echo sixth-signed OK | |
173 | ' | |
174 | ||
175 | test_expect_success GPGSSH 'verify multiple tags ssh' ' | |
176 | test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && | |
177 | tags="seventh-signed sixth-signed" && | |
178 | for i in $tags | |
179 | do | |
180 | git verify-tag -v --raw $i || return 1 | |
181 | done >expect.stdout 2>expect.stderr.1 && | |
182 | grep "^${GPGSSH_GOOD_SIGNATURE_TRUSTED}" <expect.stderr.1 >expect.stderr && | |
183 | git verify-tag -v --raw $tags >actual.stdout 2>actual.stderr.1 && | |
184 | grep "^${GPGSSH_GOOD_SIGNATURE_TRUSTED}" <actual.stderr.1 >actual.stderr && | |
185 | test_cmp expect.stdout actual.stdout && | |
186 | test_cmp expect.stderr actual.stderr | |
187 | ' | |
188 | ||
189 | test_expect_success GPGSSH 'verifying tag with --format - ssh' ' | |
190 | test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" && | |
191 | cat >expect <<-\EOF && | |
192 | tagname : fourth-signed | |
193 | EOF | |
194 | git verify-tag --format="tagname : %(tag)" "fourth-signed" >actual && | |
195 | test_cmp expect actual | |
196 | ' | |
197 | ||
198 | test_expect_success GPGSSH 'verifying a forged tag with --format should fail silently - ssh' ' | |
199 | test_must_fail git verify-tag --format="tagname : %(tag)" $(cat forged1.tag) >actual-forged && | |
200 | test_must_be_empty actual-forged | |
201 | ' | |
202 | ||
203 | test_done |