<feed xmlns='http://www.w3.org/2005/Atom'>
<title>git/gpg-interface.h, branch v2.25.2</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/git/git.git/
</subtitle>
<id>https://git.shady.money/git/atom?h=v2.25.2</id>
<link rel='self' href='https://git.shady.money/git/atom?h=v2.25.2'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/'/>
<updated>2020-02-28T17:43:17Z</updated>
<entry>
<title>Revert "gpg-interface: prefer check_signature() for GPG verification"</title>
<updated>2020-02-28T17:43:17Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2020-02-28T17:43:17Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=0106b1d4be166fd4f7bcf0b901d50940c9f539e2'/>
<id>urn:sha1:0106b1d4be166fd4f7bcf0b901d50940c9f539e2</id>
<content type='text'>
This reverts commit 72b006f4bfd30b7c5037c163efaf279ab65bea9c, which
breaks the end-user experience when merging a signed tag without
having the public key.  We should report "can't check because we
have no public key", but the code with this change claimed that
there was no signature.
</content>
</entry>
<entry>
<title>gpg-interface: prefer check_signature() for GPG verification</title>
<updated>2019-11-30T21:52:35Z</updated>
<author>
<name>Hans Jerry Illikainen</name>
<email>hji@dyntopia.com</email>
</author>
<published>2019-11-27T17:48:21Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=72b006f4bfd30b7c5037c163efaf279ab65bea9c'/>
<id>urn:sha1:72b006f4bfd30b7c5037c163efaf279ab65bea9c</id>
<content type='text'>
This commit refactors the use of verify_signed_buffer() outside of
gpg-interface.c to use check_signature() instead.  It also turns
verify_signed_buffer() into a file-local function since it's now only
invoked internally by check_signature().

There were previously two globally scoped functions used in different
parts of Git to perform GPG signature verification:
verify_signed_buffer() and check_signature().  Now only
check_signature() is used.

The verify_signed_buffer() function doesn't guard against duplicate
signatures as described by Michał Górny [1].  Instead it only ensures a
non-erroneous exit code from GPG and the presence of at least one
GOODSIG status field.  This stands in contrast with check_signature()
that returns an error if more than one signature is encountered.

The lower degree of verification makes the use of verify_signed_buffer()
problematic if callers don't parse and validate the various parts of the
GPG status message themselves.  And processing these messages seems like
a task that should be reserved to gpg-interface.c with the function
check_signature().

Furthermore, the use of verify_signed_buffer() makes it difficult to
introduce new functionality that relies on the content of the GPG status
lines.

Now all operations that does signature verification share a single entry
point to gpg-interface.c.  This makes it easier to propagate changed or
additional functionality in GPG signature verification to all parts of
Git, without having odd edge-cases that don't perform the same degree of
verification.

[1] https://dev.gentoo.org/~mgorny/articles/attack-on-git-signature-verification.html

Signed-off-by: Hans Jerry Illikainen &lt;hji@dyntopia.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>gpg-interface.c: obtain primary key fingerprint as well</title>
<updated>2018-10-22T23:00:43Z</updated>
<author>
<name>Michał Górny</name>
<email>mgorny@gentoo.org</email>
</author>
<published>2018-10-22T16:38:21Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=4de9394dcb769394f490a0285015a1d26beb54d1'/>
<id>urn:sha1:4de9394dcb769394f490a0285015a1d26beb54d1</id>
<content type='text'>
Obtain the primary key fingerprint off VALIDSIG status message,
and expose it via %GP format.

Signed-off-by: Michał Górny &lt;mgorny@gentoo.org&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>gpg-interface.c: support getting key fingerprint via %GF format</title>
<updated>2018-10-22T23:00:09Z</updated>
<author>
<name>Michał Górny</name>
<email>mgorny@gentoo.org</email>
</author>
<published>2018-10-22T16:38:20Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=3daaaabe7ed22c17bff04d19c711be427bd2e225'/>
<id>urn:sha1:3daaaabe7ed22c17bff04d19c711be427bd2e225</id>
<content type='text'>
Support processing VALIDSIG status that provides additional information
for valid signatures.  Use this information to propagate signing key
fingerprint and expose it via %GF pretty format.  This format can be
used to build safer key verification systems that verify the key via
complete fingerprint rather than short/long identifier provided by %GK.

Signed-off-by: Michał Górny &lt;mgorny@gentoo.org&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>Add missing includes and forward declarations</title>
<updated>2018-08-15T18:52:09Z</updated>
<author>
<name>Elijah Newren</name>
<email>newren@gmail.com</email>
</author>
<published>2018-08-15T17:54:05Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=ef3ca95475ce467ae883cc8175ed40e6f7d27800'/>
<id>urn:sha1:ef3ca95475ce467ae883cc8175ed40e6f7d27800</id>
<content type='text'>
I looped over the toplevel header files, creating a temporary two-line C
program for each consisting of
  #include "git-compat-util.h"
  #include $HEADER
This patch is the result of manually fixing errors in compiling those
tiny programs.

Signed-off-by: Elijah Newren &lt;newren@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>gpg-interface: make parse_gpg_output static and remove from interface header</title>
<updated>2018-07-11T17:05:22Z</updated>
<author>
<name>Henning Schild</name>
<email>henning.schild@siemens.com</email>
</author>
<published>2018-07-11T08:38:25Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=fbd0f16610362fda5d2093a590a80d693f610594'/>
<id>urn:sha1:fbd0f16610362fda5d2093a590a80d693f610594</id>
<content type='text'>
Turn parse_gpg_output into a static function, the only outside user was
migrated in an earlier commit.

Signed-off-by: Henning Schild &lt;henning.schild@siemens.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>gpg-interface: use size_t for signature buffer size</title>
<updated>2018-04-16T05:15:03Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2018-04-13T21:18:32Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=e6fa6cde5bec648f1b8fd7e3f9e5939c5093985a'/>
<id>urn:sha1:e6fa6cde5bec648f1b8fd7e3f9e5939c5093985a</id>
<content type='text'>
Even though our object sizes (from which these buffers would
come) are typically "unsigned long", this is something we'd
like to eventually fix (since it's only 32-bits even on
64-bit Windows). It makes more sense to use size_t when
taking an in-memory buffer.

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Ben Toews &lt;mastahyeti@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>gpg-interface: modernize function declarations</title>
<updated>2018-04-16T05:15:03Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2018-04-13T21:18:31Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=f80bee27e3c3fc9085427945f97a2f7756500ea9'/>
<id>urn:sha1:f80bee27e3c3fc9085427945f97a2f7756500ea9</id>
<content type='text'>
Let's drop "extern" from our declarations, which brings us
in line with our modern style guidelines. While we're
here, let's wrap some of the overly long lines, and move
docstrings for public functions to their declarations, since
they document the interface.

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Ben Toews &lt;mastahyeti@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>gpg-interface, tag: add GPG_VERIFY_OMIT_STATUS flag</title>
<updated>2017-01-18T00:10:22Z</updated>
<author>
<name>Lukas Puehringer</name>
<email>luk.puehringer@gmail.com</email>
</author>
<published>2017-01-17T23:37:18Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=94240b918f70560393516aa8f98edb877d582c69'/>
<id>urn:sha1:94240b918f70560393516aa8f98edb877d582c69</id>
<content type='text'>
Functions that print git object information may require that the
gpg-interface functions be silent. Add GPG_VERIFY_OMIT_STATUS flag and
prevent print_signature_buffer from being called if flag is set.

Signed-off-by: Lukas Puehringer &lt;luk.puehringer@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>verify-commit: add option to print raw gpg status information</title>
<updated>2015-06-22T21:20:47Z</updated>
<author>
<name>brian m. carlson</name>
<email>sandals@crustytoothpaste.net</email>
</author>
<published>2015-06-21T23:14:42Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=aeff29dd4dab01b497b2a2cf73e982e846a5fe4c'/>
<id>urn:sha1:aeff29dd4dab01b497b2a2cf73e982e846a5fe4c</id>
<content type='text'>
verify-commit by default displays human-readable output on standard
error.  However, it can also be useful to get access to the raw gpg
status information, which is machine-readable, allowing automated
implementation of signing policy.  Add a --raw option to make
verify-commit produce the gpg status information on standard error
instead of the human-readable format.

Signed-off-by: brian m. carlson &lt;sandals@crustytoothpaste.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
</feed>
