gpg-interface: prefer check_signature() for GPG verification
This commit refactors the use of verify_signed_buffer() outside of gpg-interface.c to use check_signature() instead. It also turns verify_signed_buffer() into a file-local function since it's now only invoked internally by check_signature(). There were previously two globally scoped functions used in different parts of Git to perform GPG signature verification: verify_signed_buffer() and check_signature(). Now only check_signature() is used. The verify_signed_buffer() function doesn't guard against duplicate signatures as described by Michał Górny [1]. Instead it only ensures a non-erroneous exit code from GPG and the presence of at least one GOODSIG status field. This stands in contrast with check_signature() that returns an error if more than one signature is encountered. The lower degree of verification makes the use of verify_signed_buffer() problematic if callers don't parse and validate the various parts of the GPG status message themselves. And processing these messages seems like a task that should be reserved to gpg-interface.c with the function check_signature(). Furthermore, the use of verify_signed_buffer() makes it difficult to introduce new functionality that relies on the content of the GPG status lines. Now all operations that does signature verification share a single entry point to gpg-interface.c. This makes it easier to propagate changed or additional functionality in GPG signature verification to all parts of Git, without having odd edge-cases that don't perform the same degree of verification. [1] https://dev.gentoo.org/~mgorny/articles/attack-on-git-signature-verification.html Signed-off-by: Hans Jerry Illikainen <hji@dyntopia.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
This commit is contained in:
Hans Jerry Illikainen
committed by
Junio C Hamano
Junio C Hamano
parent
f1e3df3169
commit
6794898198
@ -256,6 +256,55 @@ error:
|
||||
FREE_AND_NULL(sigc->key);
|
||||
}
|
||||
|
||||
static int verify_signed_buffer(const char *payload, size_t payload_size,
|
||||
const char *signature, size_t signature_size,
|
||||
struct strbuf *gpg_output,
|
||||
struct strbuf *gpg_status)
|
||||
{
|
||||
struct child_process gpg = CHILD_PROCESS_INIT;
|
||||
struct gpg_format *fmt;
|
||||
struct tempfile *temp;
|
||||
int ret;
|
||||
struct strbuf buf = STRBUF_INIT;
|
||||
|
||||
temp = mks_tempfile_t(".git_vtag_tmpXXXXXX");
|
||||
if (!temp)
|
||||
return error_errno(_("could not create temporary file"));
|
||||
if (write_in_full(temp->fd, signature, signature_size) < 0 ||
|
||||
close_tempfile_gently(temp) < 0) {
|
||||
error_errno(_("failed writing detached signature to '%s'"),
|
||||
temp->filename.buf);
|
||||
delete_tempfile(&temp);
|
||||
return -1;
|
||||
}
|
||||
|
||||
fmt = get_format_by_sig(signature);
|
||||
if (!fmt)
|
||||
BUG("bad signature '%s'", signature);
|
||||
|
||||
argv_array_push(&gpg.args, fmt->program);
|
||||
argv_array_pushv(&gpg.args, fmt->verify_args);
|
||||
argv_array_pushl(&gpg.args,
|
||||
"--status-fd=1",
|
||||
"--verify", temp->filename.buf, "-",
|
||||
NULL);
|
||||
|
||||
if (!gpg_status)
|
||||
gpg_status = &buf;
|
||||
|
||||
sigchain_push(SIGPIPE, SIG_IGN);
|
||||
ret = pipe_command(&gpg, payload, payload_size,
|
||||
gpg_status, 0, gpg_output, 0);
|
||||
sigchain_pop(SIGPIPE);
|
||||
|
||||
delete_tempfile(&temp);
|
||||
|
||||
ret |= !strstr(gpg_status->buf, "\n[GNUPG:] GOODSIG ");
|
||||
strbuf_release(&buf); /* no matter it was used or not */
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
int check_signature(const char *payload, size_t plen, const char *signature,
|
||||
size_t slen, struct signature_check *sigc)
|
||||
{
|
||||
@ -418,51 +467,3 @@ int sign_buffer(struct strbuf *buffer, struct strbuf *signature, const char *sig
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int verify_signed_buffer(const char *payload, size_t payload_size,
|
||||
const char *signature, size_t signature_size,
|
||||
struct strbuf *gpg_output, struct strbuf *gpg_status)
|
||||
{
|
||||
struct child_process gpg = CHILD_PROCESS_INIT;
|
||||
struct gpg_format *fmt;
|
||||
struct tempfile *temp;
|
||||
int ret;
|
||||
struct strbuf buf = STRBUF_INIT;
|
||||
|
||||
temp = mks_tempfile_t(".git_vtag_tmpXXXXXX");
|
||||
if (!temp)
|
||||
return error_errno(_("could not create temporary file"));
|
||||
if (write_in_full(temp->fd, signature, signature_size) < 0 ||
|
||||
close_tempfile_gently(temp) < 0) {
|
||||
error_errno(_("failed writing detached signature to '%s'"),
|
||||
temp->filename.buf);
|
||||
delete_tempfile(&temp);
|
||||
return -1;
|
||||
}
|
||||
|
||||
fmt = get_format_by_sig(signature);
|
||||
if (!fmt)
|
||||
BUG("bad signature '%s'", signature);
|
||||
|
||||
argv_array_push(&gpg.args, fmt->program);
|
||||
argv_array_pushv(&gpg.args, fmt->verify_args);
|
||||
argv_array_pushl(&gpg.args,
|
||||
"--status-fd=1",
|
||||
"--verify", temp->filename.buf, "-",
|
||||
NULL);
|
||||
|
||||
if (!gpg_status)
|
||||
gpg_status = &buf;
|
||||
|
||||
sigchain_push(SIGPIPE, SIG_IGN);
|
||||
ret = pipe_command(&gpg, payload, payload_size,
|
||||
gpg_status, 0, gpg_output, 0);
|
||||
sigchain_pop(SIGPIPE);
|
||||
|
||||
delete_tempfile(&temp);
|
||||
|
||||
ret |= !strstr(gpg_status->buf, "\n[GNUPG:] GOODSIG ");
|
||||
strbuf_release(&buf); /* no matter it was used or not */
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user