[thirdparty/git.git] / t / t7510-signed-commit.sh

#!/bin/sh

test_description='signed commit tests'
. ./test-lib.sh
. "$TEST_DIRECTORY/lib-gpg.sh"

test_expect_success GPG 'create signed commits' '
	test_when_finished "test_unconfig commit.gpgsign" &&

	echo 1 >file && git add file &&
	test_tick && git commit -S -m initial &&
	git tag initial &&
	git branch side &&

	echo 2 >file && test_tick && git commit -a -S -m second &&
	git tag second &&

	git checkout side &&
	echo 3 >elif && git add elif &&
	test_tick && git commit -m "third on side" &&

	git checkout master &&
	test_tick && git merge -S side &&
	git tag merge &&

	echo 4 >file && test_tick && git commit -a -m "fourth unsigned" &&
	git tag fourth-unsigned &&

	test_tick && git commit --amend -S -m "fourth signed" &&
	git tag fourth-signed &&

	git config commit.gpgsign true &&
	echo 5 >file && test_tick && git commit -a -m "fifth signed" &&
	git tag fifth-signed &&

	git config commit.gpgsign false &&
	echo 6 >file && test_tick && git commit -a -m "sixth" &&
	git tag sixth-unsigned &&

	git config commit.gpgsign true &&
	echo 7 >file && test_tick && git commit -a -m "seventh" --no-gpg-sign &&
	git tag seventh-unsigned &&

	test_tick && git rebase -f HEAD^^ && git tag sixth-signed HEAD^ &&
	git tag seventh-signed &&

	echo 8 >file && test_tick && git commit -a -m eighth -SB7227189 &&
	git tag eighth-signed-alt
'

test_expect_success GPG 'verify and show signatures' '
	(
		for commit in initial second merge fourth-signed fifth-signed sixth-signed seventh-signed
		do
			git verify-commit $commit &&
			git show --pretty=short --show-signature $commit >actual &&
			grep "Good signature from" actual &&
			! grep "BAD signature from" actual &&
			echo $commit OK || exit 1
		done
	) &&
	(
		for commit in merge^2 fourth-unsigned sixth-unsigned seventh-unsigned
		do
			test_must_fail git verify-commit $commit &&
			git show --pretty=short --show-signature $commit >actual &&
			! grep "Good signature from" actual &&
			! grep "BAD signature from" actual &&
			echo $commit OK || exit 1
		done
	) &&
	(
		for commit in eighth-signed-alt
		do
			git show --pretty=short --show-signature $commit >actual &&
			grep "Good signature from" actual &&
			! grep "BAD signature from" actual &&
			grep "not certified" actual &&
			echo $commit OK || exit 1
		done
	)
'

test_expect_success GPG 'verify-commit exits success on untrusted signature' '
	git verify-commit eighth-signed-alt 2>actual &&
	grep "Good signature from" actual &&
	! grep "BAD signature from" actual &&
	grep "not certified" actual
'

test_expect_success GPG 'show signed commit with signature' '
	git show -s initial >commit &&
	git show -s --show-signature initial >show &&
	git verify-commit -v initial >verify.1 2>verify.2 &&
	git cat-file commit initial >cat &&
	grep -v -e "gpg: " -e "Warning: " show >show.commit &&
	grep -e "gpg: " -e "Warning: " show >show.gpg &&
	grep -v "^ " cat | grep -v "^gpgsig " >cat.commit &&
	test_cmp show.commit commit &&
	test_cmp show.gpg verify.2 &&
	test_cmp cat.commit verify.1
'

test_expect_success GPG 'detect fudged signature' '
	git cat-file commit seventh-signed >raw &&

	sed -e "s/seventh/7th forged/" raw >forged1 &&
	git hash-object -w -t commit forged1 >forged1.commit &&
	! git verify-commit $(cat forged1.commit) &&
	git show --pretty=short --show-signature $(cat forged1.commit) >actual1 &&
	grep "BAD signature from" actual1 &&
	! grep "Good signature from" actual1
'

test_expect_success GPG 'detect fudged signature with NUL' '
	git cat-file commit seventh-signed >raw &&
	cat raw >forged2 &&
	echo Qwik | tr "Q" "\000" >>forged2 &&
	git hash-object -w -t commit forged2 >forged2.commit &&
	! git verify-commit $(cat forged2.commit) &&
	git show --pretty=short --show-signature $(cat forged2.commit) >actual2 &&
	grep "BAD signature from" actual2 &&
	! grep "Good signature from" actual2
'

test_expect_success GPG 'amending already signed commit' '
	git checkout fourth-signed^0 &&
	git commit --amend -S --no-edit &&
	git verify-commit HEAD &&
	git show -s --show-signature HEAD >actual &&
	grep "Good signature from" actual &&
	! grep "BAD signature from" actual
'

test_expect_success GPG 'show good signature with custom format' '
	cat >expect <<-\EOF &&
	G
	13B6F51ECDDE430D
	C O Mitter <committer@example.com>
	EOF
	git log -1 --format="%G?%n%GK%n%GS" sixth-signed >actual &&
	test_cmp expect actual
'

test_expect_success GPG 'show bad signature with custom format' '
	cat >expect <<-\EOF &&
	B
	13B6F51ECDDE430D
	C O Mitter <committer@example.com>
	EOF
	git log -1 --format="%G?%n%GK%n%GS" $(cat forged1.commit) >actual &&
	test_cmp expect actual
'

test_expect_success GPG 'show unknown signature with custom format' '
	cat >expect <<-\EOF &&
	U
	61092E85B7227189
	Eris Discordia <discord@example.net>
	EOF
	git log -1 --format="%G?%n%GK%n%GS" eighth-signed-alt >actual &&
	test_cmp expect actual
'

test_expect_success GPG 'show lack of signature with custom format' '
	cat >expect <<-\EOF &&
	N


	EOF
	git log -1 --format="%G?%n%GK%n%GS" seventh-unsigned >actual &&
	test_cmp expect actual
'

test_done
Commit	Line	Data
247503f2 JH	1	#!/bin/sh
	2
	3	test_description='signed commit tests'
	4	. ./test-lib.sh
	5	. "$TEST_DIRECTORY/lib-gpg.sh"
	6
	7	test_expect_success GPG 'create signed commits' '
4b8d14b4 NV	8	test_when_finished "test_unconfig commit.gpgsign" &&
4b8d14b4 NV	9
247503f2 JH	10	echo 1 >file && git add file &&
	11	test_tick && git commit -S -m initial &&
	12	git tag initial &&
	13	git branch side &&
	14
	15	echo 2 >file && test_tick && git commit -a -S -m second &&
	16	git tag second &&
	17
	18	git checkout side &&
	19	echo 3 >elif && git add elif &&
	20	test_tick && git commit -m "third on side" &&
	21
	22	git checkout master &&
	23	test_tick && git merge -S side &&
	24	git tag merge &&
	25
	26	echo 4 >file && test_tick && git commit -a -m "fourth unsigned" &&
	27	git tag fourth-unsigned &&
	28
c871a1d1	29	test_tick && git commit --amend -S -m "fourth signed" &&
4b8d14b4 NV	30	git tag fourth-signed &&
	31
	32	git config commit.gpgsign true &&
	33	echo 5 >file && test_tick && git commit -a -m "fifth signed" &&
	34	git tag fifth-signed &&
	35
	36	git config commit.gpgsign false &&
	37	echo 6 >file && test_tick && git commit -a -m "sixth" &&
	38	git tag sixth-unsigned &&
	39
	40	git config commit.gpgsign true &&
	41	echo 7 >file && test_tick && git commit -a -m "seventh" --no-gpg-sign &&
	42	git tag seventh-unsigned &&
	43
	44	test_tick && git rebase -f HEAD^^ && git tag sixth-signed HEAD^ &&
99094a7a	45	git tag seventh-signed &&
4baf839f JK	46
	47	echo 8 >file && test_tick && git commit -a -m eighth -SB7227189 &&
	48	git tag eighth-signed-alt
247503f2 JH	49	'
247503f2 JH	50
8e92c2cf	51	test_expect_success GPG 'verify and show signatures' '
247503f2	52	(
526d56e0	53	for commit in initial second merge fourth-signed fifth-signed sixth-signed seventh-signed
247503f2	54	do
8e92c2cf	55	git verify-commit $commit &&
247503f2	56	git show --pretty=short --show-signature $commit >actual &&
7b1732c1 MG	57	grep "Good signature from" actual &&
	58	! grep "BAD signature from" actual &&
	59	echo $commit OK \|\| exit 1
247503f2 JH	60	done
	61	) &&
	62	(
4b8d14b4	63	for commit in merge^2 fourth-unsigned sixth-unsigned seventh-unsigned
247503f2	64	do
8e92c2cf	65	test_must_fail git verify-commit $commit &&
247503f2	66	git show --pretty=short --show-signature $commit >actual &&
7b1732c1 MG	67	! grep "Good signature from" actual &&
	68	! grep "BAD signature from" actual &&
	69	echo $commit OK \|\| exit 1
4baf839f JK	70	done
	71	) &&
	72	(
	73	for commit in eighth-signed-alt
	74	do
	75	git show --pretty=short --show-signature $commit >actual &&
	76	grep "Good signature from" actual &&
	77	! grep "BAD signature from" actual &&
	78	grep "not certified" actual &&
	79	echo $commit OK \|\| exit 1
247503f2 JH	80	done
	81	)
	82	'
	83
434060ec	84	test_expect_success GPG 'verify-commit exits success on untrusted signature' '
8e98e5f2	85	git verify-commit eighth-signed-alt 2>actual &&
	86	grep "Good signature from" actual &&
	87	! grep "BAD signature from" actual &&
	88	grep "not certified" actual
	89	'
	90
8e92c2cf MG	91	test_expect_success GPG 'show signed commit with signature' '
	92	git show -s initial >commit &&
	93	git show -s --show-signature initial >show &&
	94	git verify-commit -v initial >verify.1 2>verify.2 &&
	95	git cat-file commit initial >cat &&
3f88c1b5 KM	96	grep -v -e "gpg: " -e "Warning: " show >show.commit &&
3f88c1b5 KM	97	grep -e "gpg: " -e "Warning: " show >show.gpg &&
8e92c2cf MG	98	grep -v "^ " cat \| grep -v "^gpgsig " >cat.commit &&
	99	test_cmp show.commit commit &&
	100	test_cmp show.gpg verify.2 &&
	101	test_cmp cat.commit verify.1
	102	'
	103
247503f2	104	test_expect_success GPG 'detect fudged signature' '
526d56e0	105	git cat-file commit seventh-signed >raw &&
247503f2	106
4b8d14b4	107	sed -e "s/seventh/7th forged/" raw >forged1 &&
247503f2	108	git hash-object -w -t commit forged1 >forged1.commit &&
8e92c2cf	109	! git verify-commit $(cat forged1.commit) &&
247503f2 JH	110	git show --pretty=short --show-signature $(cat forged1.commit) >actual1 &&
	111	grep "BAD signature from" actual1 &&
	112	! grep "Good signature from" actual1
	113	'
	114
	115	test_expect_success GPG 'detect fudged signature with NUL' '
526d56e0	116	git cat-file commit seventh-signed >raw &&
247503f2 JH	117	cat raw >forged2 &&
	118	echo Qwik \| tr "Q" "\000" >>forged2 &&
	119	git hash-object -w -t commit forged2 >forged2.commit &&
8e92c2cf	120	! git verify-commit $(cat forged2.commit) &&
247503f2 JH	121	git show --pretty=short --show-signature $(cat forged2.commit) >actual2 &&
	122	grep "BAD signature from" actual2 &&
	123	! grep "Good signature from" actual2
	124	'
	125
c871a1d1 JH	126	test_expect_success GPG 'amending already signed commit' '
	127	git checkout fourth-signed^0 &&
	128	git commit --amend -S --no-edit &&
8e92c2cf	129	git verify-commit HEAD &&
c871a1d1 JH	130	git show -s --show-signature HEAD >actual &&
	131	grep "Good signature from" actual &&
	132	! grep "BAD signature from" actual
	133	'
	134
06ca0f45 JK	135	test_expect_success GPG 'show good signature with custom format' '
	136	cat >expect <<-\EOF &&
	137	G
	138	13B6F51ECDDE430D
	139	C O Mitter <committer@example.com>
	140	EOF
	141	git log -1 --format="%G?%n%GK%n%GS" sixth-signed >actual &&
	142	test_cmp expect actual
	143	'
	144
	145	test_expect_success GPG 'show bad signature with custom format' '
	146	cat >expect <<-\EOF &&
	147	B
	148	13B6F51ECDDE430D
	149	C O Mitter <committer@example.com>
	150	EOF
	151	git log -1 --format="%G?%n%GK%n%GS" $(cat forged1.commit) >actual &&
	152	test_cmp expect actual
	153	'
	154
	155	test_expect_success GPG 'show unknown signature with custom format' '
	156	cat >expect <<-\EOF &&
	157	U
	158	61092E85B7227189
	159	Eris Discordia <discord@example.net>
	160	EOF
	161	git log -1 --format="%G?%n%GK%n%GS" eighth-signed-alt >actual &&
	162	test_cmp expect actual
	163	'
	164
	165	test_expect_success GPG 'show lack of signature with custom format' '
	166	cat >expect <<-\EOF &&
	167	N
	168
	169
	170	EOF
	171	git log -1 --format="%G?%n%GK%n%GS" seventh-unsigned >actual &&
	172	test_cmp expect actual
	173	'
	174
247503f2	175	test_done