[PATCH v2 0/5] Enable GPG in the Windows part of the CI/PR builds

["Johannes Schindelin via GitGitGadget" <gitgitgadget@gmail.com>]

While debugging the breakages introduced by hi/gpg-prefer-check-signature, I
noticed that the GPG prereq was not available on Windows, even if Git for
Windows' SDK comes with a fully functional GPG2.

The fix was easy, but finding out what was going on was not, so for good
measure, the fix is accompanied by a patch that will hopefully make future
investigations into GPG-related problems much, much easier.

Changes since v1:

 * The prereqs are now lazy ones.
   
   
 * A new patch was introduced to make tracing via -x work even with those
   inter-dependent prereqs.
   
   
 * The test-signing's stdout is redirected to /dev/null because it is
   unreadable and unhelpful binary gibberish, anyway. (This imitates Peff's
   patch.)

Johannes Schindelin (5):
  tests(gpg): allow the gpg-agent to start on Windows
  t/lib-gpg.sh: stop pretending to be a stand-alone script
  tests: turn GPG, GPGSM and RFC1991 into lazy prereqs
  tests: do not let lazy prereqs inside `test_expect_*` turn off tracing
  tests: increase the verbosity of the GPG-related prereqs

 t/lib-gpg.sh     | 110 ++++++++++++++++++++++++++---------------------
 t/t0000-basic.sh |  13 ++++++
 t/test-lib.sh    |   6 ++-
 3 files changed, 77 insertions(+), 52 deletions(-)


base-commit: 30e9940356dc67959877f4b2417da33ebdefbb79
Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-git-728%2Fdscho%2Fci-windows-gpg-v2
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-git-728/dscho/ci-windows-gpg-v2
Pull-Request: https://github.com/git/git/pull/728

Range-diff vs v1:

 1:  287a21f1033 = 1:  287a21f1033 tests(gpg): allow the gpg-agent to start on Windows
 -:  ----------- > 2:  c1811d54190 t/lib-gpg.sh: stop pretending to be a stand-alone script
 2:  dd26cb05a37 ! 3:  85457a7b618 tests(gpg): increase verbosity to allow debugging
     @@ -1,21 +1,36 @@
      Author: Johannes Schindelin <johannes.schindelin@gmx.de>
      
     -    tests(gpg): increase verbosity to allow debugging
     +    tests: turn GPG, GPGSM and RFC1991 into lazy prereqs
      
     -    Especially when debugging a test failure that can only be reproduced in
     -    the CI build (e.g. when the developer has no access to a macOS machine
     -    other than running the tests on a macOS build agent), output should not
     -    be suppressed.
     +    The code to set those prereqs is executed completely outside of any
     +    `test_eval_` block. As a consequence, its output had to be suppressed so
     +    that it does not clutter the output of a regular test script run.
      
     -    In the instance of `hi/gpg-prefer-check-signature`, where one
     -    GPG-related test failed for no apparent reason, the entire output of
     -    `gpg` and `gpgsm` was suppressed, even in verbose mode, leaving
     -    interested readers no clue what was going wrong.
     +    Unfortunately, the output *stays* suppressed even when the `--verbose`
     +    option is in effect.
      
     -    Let's fix this by redirecting the output not to `/dev/null`, but to the
     -    file descriptors that may, or may not, be redirected via
     -    `--verbose-log`. For good measure, also turn on tracing if the user
     -    asked for it, and prefix it with a helpful info message.
     +    This hid important output when debugging why the GPG prereq was not
     +    enabled in the Windows part of our CI builds.
     +
     +    In preparation for fixing that, let's move all of this code into lazy
     +    prereqs.
     +
     +    The only slightly tricky part is the global environment variable
     +    `GNUPGHOME`. Originally, it was configured only when we verified that
     +    there is a `gpg` in the `PATH` that we can use. This is now no longer
     +    possible, as lazy prereqs are evaluated in a subshell that changes the
     +    working directory to a temporary one. Therefore, we simply _always_ set
     +    that environment variable: it does not hurt anything because it does not
     +    indicate the presence of a working GPG.
     +
     +    Side note: it was quite tempting to use a hack that is possible because
     +    we do not validate what is passed to `test_lazy_prereq` (and it is
     +    therefore possible to "break out" of the lazy_prereq subshell:
     +
     +            test_lazy_prereq GPG '...) && GNUPGHOME=... && (...'
     +
     +    However, this is rather tricksy hobbitses code, and the current patch is
     +    _much_ easier to understand.
      
          Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
      
     @@ -23,67 +38,128 @@
       --- a/t/lib-gpg.sh
       +++ b/t/lib-gpg.sh
      @@
     +-gpg_version=$(gpg --version 2>&1)
     +-if test $? != 127
     +-then
     ++# We always set GNUPGHOME, even if no usable GPG was found, as
     ++#
     ++# - It does not hurt, and
     ++#
     ++# - we cannot set global environment variables in lazy prereqs because they are
     ++#   executed in an eval'ed subshell that changes the working directory to a
     ++#   temporary one.
     ++
     ++GNUPGHOME="$PWD/gpghome"
     ++export GNUPGHOME
     ++
     ++test_lazy_prereq GPG '
     ++	gpg_version=$(gpg --version 2>&1)
     ++	test $? != 127 || exit 1
     ++
     + 	# As said here: http://www.gnupg.org/documentation/faqs.html#q6.19
     +-	# the gpg version 1.0.6 didn't parse trust packets correctly, so for
     ++	# the gpg version 1.0.6 did not parse trust packets correctly, so for
     + 	# that version, creation of signed tags using the generated key fails.
     + 	case "$gpg_version" in
     +-	'gpg (GnuPG) 1.0.6'*)
     ++	"gpg (GnuPG) 1.0.6"*)
       		say "Your version of gpg (1.0.6) is too buggy for testing"
     ++		exit 1
       		;;
       	*)
     -+		say_color info >&4 "Trying to set up GPG"
     -+		want_trace && set -x
       		# Available key info:
     - 		# * Type DSA and Elgamal, size 2048 bits, no expiration date,
     - 		#   name and email: C O Mitter <committer@example.com>
      @@
     - 		chmod 0700 ./gpghome &&
     - 		GNUPGHOME="$PWD/gpghome" &&
     - 		export GNUPGHOME &&
     --		(gpgconf --kill gpg-agent >/dev/null 2>&1 || : ) &&
     --		gpg --homedir "${GNUPGHOME}" 2>/dev/null --import \
     --			"$TEST_DIRECTORY"/lib-gpg/keyring.gpg &&
     --		gpg --homedir "${GNUPGHOME}" 2>/dev/null --import-ownertrust \
     --			"$TEST_DIRECTORY"/lib-gpg/ownertrust &&
     --		gpg --homedir "${GNUPGHOME}" </dev/null >/dev/null 2>&1 \
     + 		# To export ownertrust:
     + 		#	gpg --homedir /tmp/gpghome --export-ownertrust \
     + 		#		> lib-gpg/ownertrust
     +-		mkdir ./gpghome &&
     +-		chmod 0700 ./gpghome &&
     +-		GNUPGHOME="$PWD/gpghome" &&
     +-		export GNUPGHOME &&
     ++		mkdir "$GNUPGHOME" &&
     ++		chmod 0700 "$GNUPGHOME" &&
     + 		(gpgconf --kill gpg-agent >/dev/null 2>&1 || : ) &&
     + 		gpg --homedir "${GNUPGHOME}" 2>/dev/null --import \
     + 			"$TEST_DIRECTORY"/lib-gpg/keyring.gpg &&
     + 		gpg --homedir "${GNUPGHOME}" 2>/dev/null --import-ownertrust \
     + 			"$TEST_DIRECTORY"/lib-gpg/ownertrust &&
     + 		gpg --homedir "${GNUPGHOME}" </dev/null >/dev/null 2>&1 \
      -			--sign -u committer@example.com &&
     -+		(gpgconf --kill gpg-agent >&3 2>&4 || : ) &&
     -+		gpg --homedir "${GNUPGHOME}" --import \
     -+			"$TEST_DIRECTORY"/lib-gpg/keyring.gpg >&3 2>&4 &&
     -+		gpg --homedir "${GNUPGHOME}" --import-ownertrust \
     -+			"$TEST_DIRECTORY"/lib-gpg/ownertrust >&3 2>&4 &&
     -+		gpg --homedir "${GNUPGHOME}" </dev/null \
     -+			--sign -u committer@example.com >&3 2>&4 &&
     - 		test_set_prereq GPG &&
     - 		# Available key info:
     - 		# * see t/lib-gpg/gpgsm-gen-key.in
     -@@
     - 		#	gpgsm --homedir /tmp/gpghome/ \
     - 		#		-o t/lib-gpg/gpgsm_cert.p12 \
     - 		#		--export-secret-key-p12 "committer@example.com"
     +-		test_set_prereq GPG &&
     +-		# Available key info:
     +-		# * see t/lib-gpg/gpgsm-gen-key.in
     +-		# To generate new certificate:
     +-		#  * no passphrase
     +-		#	gpgsm --homedir /tmp/gpghome/ \
     +-		#		-o /tmp/gpgsm.crt.user \
     +-		#		--generate-key \
     +-		#		--batch t/lib-gpg/gpgsm-gen-key.in
     +-		# To import certificate:
     +-		#	gpgsm --homedir /tmp/gpghome/ \
     +-		#		--import /tmp/gpgsm.crt.user
     +-		# To export into a .p12 we can later import:
     +-		#	gpgsm --homedir /tmp/gpghome/ \
     +-		#		-o t/lib-gpg/gpgsm_cert.p12 \
     +-		#		--export-secret-key-p12 "committer@example.com"
      -		echo | gpgsm --homedir "${GNUPGHOME}" 2>/dev/null \
     -+		echo | gpgsm --homedir "${GNUPGHOME}" >&3 2>&4 \
     - 			--passphrase-fd 0 --pinentry-mode loopback \
     - 			--import "$TEST_DIRECTORY"/lib-gpg/gpgsm_cert.p12 &&
     - 
     +-			--passphrase-fd 0 --pinentry-mode loopback \
     +-			--import "$TEST_DIRECTORY"/lib-gpg/gpgsm_cert.p12 &&
     +-
      -		gpgsm --homedir "${GNUPGHOME}" 2>/dev/null -K |
     -+		gpgsm --homedir "${GNUPGHOME}" -K 2>&4 |
     - 		grep fingerprint: |
     - 		cut -d" " -f4 |
     - 		tr -d '\n' >"${GNUPGHOME}/trustlist.txt" &&
     - 
     - 		echo " S relax" >>"${GNUPGHOME}/trustlist.txt" &&
     +-		grep fingerprint: |
     +-		cut -d" " -f4 |
     +-		tr -d '\n' >"${GNUPGHOME}/trustlist.txt" &&
     +-
     +-		echo " S relax" >>"${GNUPGHOME}/trustlist.txt" &&
      -		echo hello | gpgsm --homedir "${GNUPGHOME}" >/dev/null \
      -			-u committer@example.com -o /dev/null --sign - 2>&1 &&
     -+		echo hello | gpgsm --homedir "${GNUPGHOME}" >&3 2>&4 \
     -+			-u committer@example.com -o /dev/null --sign - &&
     - 		test_set_prereq GPGSM
     +-		test_set_prereq GPGSM
     ++			--sign -u committer@example.com
       		;;
       	esac
     - fi
     +-fi
     ++'
     ++
     ++test_lazy_prereq GPGSM '
     ++	test_have_prereq GPG &&
     ++	# Available key info:
     ++	# * see t/lib-gpg/gpgsm-gen-key.in
     ++	# To generate new certificate:
     ++	#  * no passphrase
     ++	#	gpgsm --homedir /tmp/gpghome/ \
     ++	#		-o /tmp/gpgsm.crt.user \
     ++	#		--generate-key \
     ++	#		--batch t/lib-gpg/gpgsm-gen-key.in
     ++	# To import certificate:
     ++	#	gpgsm --homedir /tmp/gpghome/ \
     ++	#		--import /tmp/gpgsm.crt.user
     ++	# To export into a .p12 we can later import:
     ++	#	gpgsm --homedir /tmp/gpghome/ \
     ++	#		-o t/lib-gpg/gpgsm_cert.p12 \
     ++	#		--export-secret-key-p12 "committer@example.com"
     ++       echo | gpgsm --homedir "${GNUPGHOME}" 2>/dev/null \
     ++	       --passphrase-fd 0 --pinentry-mode loopback \
     ++	       --import "$TEST_DIRECTORY"/lib-gpg/gpgsm_cert.p12 &&
     ++
     ++       gpgsm --homedir "${GNUPGHOME}" 2>/dev/null -K |
     ++       grep fingerprint: |
     ++       cut -d" " -f4 |
     ++	tr -d "\\n" >"${GNUPGHOME}/trustlist.txt" &&
     ++
     ++       echo " S relax" >>"${GNUPGHOME}/trustlist.txt" &&
     ++       echo hello | gpgsm --homedir "${GNUPGHOME}" >/dev/null \
     ++	       -u committer@example.com -o /dev/null --sign - 2>&1
     ++'
       
     - if test_have_prereq GPG &&
     +-if test_have_prereq GPG &&
      -    echo | gpg --homedir "${GNUPGHOME}" -b --rfc1991 >/dev/null 2>&1
     -+    echo | gpg --homedir "${GNUPGHOME}" -b --rfc1991 >&3 2>&4
     - then
     - 	test_set_prereq RFC1991
     - fi
     -+want_trace && set +x
     +-then
     +-	test_set_prereq RFC1991
     +-fi
     ++test_lazy_prereq RFC1991 '
     ++	test_have_prereq GPG &&
     ++	echo | gpg --homedir "${GNUPGHOME}" -b --rfc1991 >/dev/null 2>&1
     ++'
       
       sanitize_pgp() {
       	perl -ne '
 -:  ----------- > 4:  0767c8b77c8 tests: do not let lazy prereqs inside `test_expect_*` turn off tracing
 -:  ----------- > 5:  5e89b512513 tests: increase the verbosity of the GPG-related prereqs

-- 
gitgitgadget