gpg-interface.c: detect and reject multiple signatures on commits
GnuPG supports creating signatures consisting of multiple signature packets. If such a signature is verified, it outputs all the status messages for each signature separately. However, git currently does not account for such scenario and gets terribly confused over getting multiple *SIG statuses. For example, if a malicious party alters a signed commit and appends a new untrusted signature, git is going to ignore the original bad signature and report untrusted commit instead. However, %GK and %GS format strings may still expand to the data corresponding to the original signature, potentially tricking the scripts into trusting the malicious commit. Given that the use of multiple signatures is quite rare, git does not support creating them without jumping through a few hoops, and finally supporting them properly would require extensive API improvement, it seems reasonable to just reject them at the moment. Signed-off-by: Michał Górny <mgorny@gentoo.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
This commit is contained in:
Michał Górny
committed by
Junio C Hamano
Junio C Hamano
parent
cae598d998
commit
da6cf1b336
@ -234,4 +234,30 @@ test_expect_success GPG 'check config gpg.format values' '
|
||||
test_must_fail git commit -S --amend -m "fail"
|
||||
'
|
||||
|
||||
test_expect_success GPG 'detect fudged commit with double signature' '
|
||||
sed -e "/gpgsig/,/END PGP/d" forged1 >double-base &&
|
||||
sed -n -e "/gpgsig/,/END PGP/p" forged1 | \
|
||||
sed -e "s/^gpgsig//;s/^ //" | gpg --dearmor >double-sig1.sig &&
|
||||
gpg -o double-sig2.sig -u 29472784 --detach-sign double-base &&
|
||||
cat double-sig1.sig double-sig2.sig | gpg --enarmor >double-combined.asc &&
|
||||
sed -e "s/^\(-.*\)ARMORED FILE/\1SIGNATURE/;1s/^/gpgsig /;2,\$s/^/ /" \
|
||||
double-combined.asc > double-gpgsig &&
|
||||
sed -e "/committer/r double-gpgsig" double-base >double-commit &&
|
||||
git hash-object -w -t commit double-commit >double-commit.commit &&
|
||||
test_must_fail git verify-commit $(cat double-commit.commit) &&
|
||||
git show --pretty=short --show-signature $(cat double-commit.commit) >double-actual &&
|
||||
grep "BAD signature from" double-actual &&
|
||||
grep "Good signature from" double-actual
|
||||
'
|
||||
|
||||
test_expect_success GPG 'show double signature with custom format' '
|
||||
cat >expect <<-\EOF &&
|
||||
E
|
||||
|
||||
|
||||
EOF
|
||||
git log -1 --format="%G?%n%GK%n%GS" $(cat double-commit.commit) >actual &&
|
||||
test_cmp expect actual
|
||||
'
|
||||
|
||||
test_done
|
||||
|
||||
Reference in New Issue
Block a user