Web lists-archives.com

[PATCH v2 0/9] gpg-interface: Multiple signing tools




Updated to incorporate feedback from v1. In addition to changes to the patches
from v1, I added the missing `t7004: fix mistaken tag name` patch, which had
caused some confusion (sorry about that). Thanks for everyone's feedback on v1.

### Interdiff (v1..v2):

diff --git a/Documentation/config.txt b/Documentation/config.txt
index 7906123a59..691b309306 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1728,7 +1728,7 @@ grep.fallbackToNoIndex::
 	is executed outside of a git repository.  Defaults to false.

 signingtool.<name>.program::
-	The name of the program on `$PATH` to execute when making or
+	The name or path of the program to execute when making or
 	verifying a signature. This program will be used for making
 	signatures if `<name>` is configured as `signingtool.default`.
 	This program will be used for verifying signatures whose PEM
@@ -1750,7 +1750,9 @@ signingtool.<name>.pemtype::
 	SIGNATURE`. When verifying a signature with this PEM block type
 	the program specified in `signingtool.<name>.program` will be
 	used. By default `signingtool.gpg.pemtype` contains `PGP
-	SIGNATURE` and `PGP MESSAGE`.
+	SIGNATURE` and `PGP MESSAGE`. Multiple PEM types may be specified
+	for a single signing tool by including the `pemtype` directive
+	multiple times within the `signingtool` configuration.

 signingtool.default::
 	The `<name>` of the signing tool to use when creating
diff --git a/gpg-interface.c b/gpg-interface.c
index 0e2a82e8e5..5d4ae2a7ed 100644
--- a/gpg-interface.c
+++ b/gpg-interface.c
@@ -22,7 +22,8 @@ static struct signing_tool *alloc_signing_tool(void)
  * Our default tool config is too complicated to specify as a constant
  * initializer, so we lazily create it as needed.
  */
-static void init_signing_tool_defaults(void) {
+static void init_signing_tool_defaults(void)
+{
 	struct signing_tool *tool;

 	if (signing_tool_config)
@@ -38,7 +39,8 @@ static void init_signing_tool_defaults(void) {
 	signing_tool_config = tool;
 }

-static struct signing_tool *get_signing_tool(const char *name) {
+static struct signing_tool *get_signing_tool(const char *name)
+{
 	struct signing_tool *tool;

 	init_signing_tool_defaults();
@@ -216,11 +218,12 @@ int git_gpg_config(const char *var, const char *value, void *cb)
 	}

 	if (!strcmp(var, "gpg.program")) {
-		struct signing_tool *tool = get_or_create_signing_tool("gpg");
+		struct signing_tool *tool;

 		if (!value)
 			return config_error_nonbool(var);

+		tool = get_or_create_signing_tool("gpg");
 		free(tool->program);
 		tool->program = xstrdup(value);
 		return 0;
@@ -331,7 +334,7 @@ int verify_signed_buffer(const char *payload, size_t payload_size,
 			/*
 			 * The caller didn't tell us which tool to use, and we
 			 * didn't recognize the format. Historically we've fed
-			 * these cases to blindly to gpg, so let's continue to
+			 * these cases blindly to gpg, so let's continue to
 			 * do so.
 			 */
 			tool = get_signing_tool("gpg");
diff --git a/gpg-interface.h b/gpg-interface.h
index cee0dfe401..8e22e67b6f 100644
--- a/gpg-interface.h
+++ b/gpg-interface.h
@@ -42,7 +42,7 @@ void signature_check_clear(struct signature_check *sigc);
  * pointed at the signing_tool that corresponds to the found
  * signature type.
  */
-size_t parse_signature(const char *buf, unsigned long size,
+size_t parse_signature(const char *buf, size_t size,
 		       const struct signing_tool **out_tool);

 void parse_gpg_output(struct signature_check *);
@@ -61,7 +61,7 @@ int sign_buffer(struct strbuf *buffer, struct strbuf *signature,
  * gpg_output, when set, receives the diagnostic output from GPG.
  * gpg_status, when set, receives the status output from GPG.
  *
- * Typically the "tool" argument should come from a previous call to
+ * Typically, the "tool" argument should come from a previous call to
  * parse_signature(). If it's NULL, then verify_signed_buffer() will
  * try to choose the appropriate tool based on the contents of the
  * "signature" buffer.
diff --git a/t/lib-gpg.sh b/t/lib-gpg.sh
index 08d23b0cf5..b9ba47057f 100755
--- a/t/lib-gpg.sh
+++ b/t/lib-gpg.sh
@@ -59,20 +59,24 @@ sanitize_pgp() {

 create_fake_signer () {
 	write_script fake-signer <<-\EOF
-	if [ "$1 $2" = "--status-fd=2 -bsau" ]; then
+	if test "$1 $2" = "--status-fd=2 -bsau"
+	then
 		echo >&2 "[GNUPG:] BEGIN_SIGNING"
 		echo >&2 "[GNUPG:] SIG_CREATED D 1 SHA256 0 1513792449 4A7FF9E2330D22B19213A4E9E9C423BE17EFEE70"
-		# avoid "-" in echo arguments
-		printf "%s\n" \
-		  "-----BEGIN FAKE SIGNER SIGNATURE-----" \
-		  "fake-signature" \
-		  "-----END FAKE SIGNER SIGNATURE-----"
+		cat <<-\END
+		-----BEGIN FAKE SIGNER SIGNATURE-----
+		fake-signature
+		-----END FAKE SIGNER SIGNATURE-----
+		END
 		exit 0

-	elif [ "$1 $2 $3" = "--status-fd=1 --keyid-format=long --verify" ]; then
-		echo "[GNUPG:] NEWSIG"
-		echo "[GNUPG:] GOODSIG 4A7FF9E2330D22B19213A4E9E9C423BE17EFEE70 /CN=Some User/EMail=some@user.email"
-		echo "[GNUPG:] TRUST_FULLY 0 shell"
+	elif test "$1 $2 $3" = "--status-fd=1 --keyid-format=long --verify"
+	then
+		cat <<-\END
+		[GNUPG:] NEWSIG
+		[GNUPG:] GOODSIG 4A7FF9E2330D22B19213A4E9E9C423BE17EFEE70 /CN=Some User/EMail=some@user.email
+		[GNUPG:] TRUST_FULLY 0 shell
+		END
 		echo >&2 "Good signature from /CN=Some User/EMail=some@user.email"
 		exit 0

diff --git a/t/t7510-signed-commit.sh b/t/t7510-signed-commit.sh
index 848a823302..fb41f98ca6 100755
--- a/t/t7510-signed-commit.sh
+++ b/t/t7510-signed-commit.sh
@@ -65,13 +65,15 @@ test_expect_success GPG 'create signed commits' '
 	grep "PGP SIGNATURE" actual &&

 	git config gpg.program "$TRASH_DIRECTORY/fake-signer" &&
-	echo 12 >file && test_tick && git commit -a -m twelfth && test_unconfig gpg.program &&
+	echo 12 >file && test_tick && git commit -a -m twelfth &&
+	test_unconfig gpg.program &&
 	git tag twelfth-fake-signed &&
 	git cat-file -p twelfth-fake-signed >actual &&
 	grep "FAKE SIGNER SIGNATURE" actual &&

 	git config signingtool.default fake &&
-	echo 13 >file && test_tick && git commit -a -m thirteenth && test_unconfig signingtool.default &&
+	echo 13 >file && test_tick && git commit -a -m thirteenth &&
+	test_unconfig signingtool.default &&
 	git tag thirteenth-fake-signed &&
 	git cat-file -p thirteenth-fake-signed >actual &&
 	grep "FAKE SIGNER SIGNATURE" actual

### Patches

Ben Toews (1):
  gpg-interface: handle alternative signature types

Jeff King (8):
  t7004: fix mistaken tag name
  gpg-interface: handle bool user.signingkey
  gpg-interface: modernize function declarations
  gpg-interface: use size_t for signature buffer size
  gpg-interface: fix const-correctness of "eol" pointer
  gpg-interface: extract gpg line matching helper
  gpg-interface: find the last gpg signature line
  gpg-interface: prepare for parsing arbitrary PEM blocks

 Documentation/config.txt |  42 +++++++---
 builtin/fmt-merge-msg.c  |   6 +-
 builtin/receive-pack.c   |   7 +-
 builtin/tag.c            |   2 +-
 commit.c                 |   2 +-
 gpg-interface.c          | 201 +++++++++++++++++++++++++++++++++++++++--------
 gpg-interface.h          |  67 +++++++++++++---
 log-tree.c               |   7 +-
 ref-filter.c             |   2 +-
 t/lib-gpg.sh             |  30 +++++++
 t/t7004-tag.sh           |  13 ++-
 t/t7510-signed-commit.sh |  34 +++++++-
 tag.c                    |   2 +-
 13 files changed, 348 insertions(+), 67 deletions(-)

--
2.15.1 (Apple Git-101)