git.ipfire.org Git - thirdparty/git.git/commit

author	Michał Górny <mgorny@gentoo.org>
	Sat, 20 Oct 2018 19:30:20 +0000 (21:30 +0200)
committer	Junio C Hamano <gitster@pobox.com>
	Mon, 22 Oct 2018 03:42:30 +0000 (12:42 +0900)
commit	da6cf1b3360eefdce3dbde7632eca57177327f37
tree	a1105c58db7deb0adc220b7cb9f050a35fa05361	tree \| snapshot
parent	cae598d9980661a978e2df4fb338518f7bf09572	commit \| diff

gpg-interface.c: detect and reject multiple signatures on commits

GnuPG supports creating signatures consisting of multiple signature
packets.  If such a signature is verified, it outputs all the status
messages for each signature separately.  However, git currently does not
account for such scenario and gets terribly confused over getting
multiple *SIG statuses.

For example, if a malicious party alters a signed commit and appends
a new untrusted signature, git is going to ignore the original bad
signature and report untrusted commit instead.  However, %GK and %GS
format strings may still expand to the data corresponding
to the original signature, potentially tricking the scripts into
trusting the malicious commit.

Given that the use of multiple signatures is quite rare, git does not
support creating them without jumping through a few hoops, and finally
supporting them properly would require extensive API improvement, it
seems reasonable to just reject them at the moment.

Signed-off-by: Michał Górny <mgorny@gentoo.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

gpg-interface.c		diff \| blob \| blame \| history
t/t7510-signed-commit.sh		diff \| blob \| blame \| history