From: "Michał Górny" <mgorny@gentoo.org>
To: Duy Nguyen <pclouds@gmail.com>
Cc: Git Mailing List <git@vger.kernel.org>,
	Junio C Hamano <gitster@pobox.com>
Subject: Re: [PATCH v4] gpg-interface.c: detect and reject multiple signatures on commits
Date: Sat, 03 Nov 2018 16:32:17 +0100
Message-ID: <1541259137.1028.12.camel@gentoo.org>
In-Reply-To: <CACsJy8DKD3F3o74gTHW-WEL_hpB8x+oaWX8_SwN01Nmz3W9Z_w@mail.gmail.com>

On Sat, 2018-11-03 at 16:17 +0100, Duy Nguyen wrote:
> On Sat, Oct 20, 2018 at 9:31 PM Michał Górny <mgorny@gentoo.org> wrote:
> > +test_expect_success GPG 'detect fudged commit with double signature' '
> > +       sed -e "/gpgsig/,/END PGP/d" forged1 >double-base &&
> > +       sed -n -e "/gpgsig/,/END PGP/p" forged1 | \
> > +               sed -e "s/^gpgsig//;s/^ //" | gpg --dearmor >double-sig1.sig &&
> > +       gpg -o double-sig2.sig -u 29472784 --detach-sign double-base &&
> > +       cat double-sig1.sig double-sig2.sig | gpg --enarmor >double-combined.asc &&
> > +       sed -e "s/^\(-.*\)ARMORED FILE/\1SIGNATURE/;1s/^/gpgsig /;2,\$s/^/ /" \
> > +               double-combined.asc > double-gpgsig &&
> > +       sed -e "/committer/r double-gpgsig" double-base >double-commit &&
> > +       git hash-object -w -t commit double-commit >double-commit.commit &&
> > +       test_must_fail git verify-commit $(cat double-commit.commit) &&
> > +       git show --pretty=short --show-signature $(cat double-commit.commit) >double-actual &&
> > +       grep "BAD signature from" double-actual &&
> > +       grep "Good signature from" double-actual
> > +'
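Review bot: the last two greps tie this test to how GnuPG reports the second signature rather than to what git decides, and the run quoted just below shows why that is fragile: gpg 2.1.15 prints "WARNING: multiple signatures detected.  Only the first will be checked." followed by two "BAD signature from" lines and no "Good signature from" line, so `grep "Good signature from" double-actual` cannot pass on that version whatever `git verify-commit` did. Consider asserting only on the outcome git controls (the `test_must_fail git verify-commit $(cat double-commit.commit)` line plus the message git itself emits when it rejects a multiply-signed commit), or guard the two gpg-output greps so they are skipped when gpg only checks the first signature, so the test passes on every GnuPG version the rest of the suite accepts.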
> 
> This test fails on 'master' today for me
> 
> gpg: WARNING: multiple signatures detected.  Only the first will be checked.
> gpg: Signature made Sat Nov  3 15:13:28 2018 UTC
> gpg:                using DSA key 13B6F51ECDDE430D
> gpg:                issuer "committer@example.com"
> gpg: BAD signature from "C O Mitter <committer@example.com>" [ultimate]
> gpg: BAD signature from "C O Mitter <committer@example.com>" [ultimate]
> not ok 16 - detect fudged commit with double signature
> 
> Perhaps my gpg is too old?
> 
> $ gpg --version
> gpg (GnuPG) 2.1.15
> libgcrypt 1.7.3
> Copyright (C) 2016 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
> 
> Home: /home/pclouds/.gnupg
> Supported algorithms:
> Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
> Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
>         CAMELLIA128, CAMELLIA192, CAMELLIA256
> Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
> Compression: Uncompressed, ZIP, ZLIB, BZIP2

Perhaps this is indeed specific to this version of GnuPG.  The tests
pass for me with both 1.4.21 and 2.2.10.  We don't have 2.1* in Gentoo
anymore.

-- 
Best regards,
Michał Górny
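The patch under discussion makes git reject a commit whose gpgsig header carries more than one signature, a condition the quoted gpg run shows GnuPG itself only warns about. As an added example (not git's gpg-interface.c and not code from anyone in this thread), the Python below dearmors a commit's gpgsig header, walks the OpenPGP packet headers and counts signature packets, so a count above one is the condition to reject; the sample packets and commit are constructed, with a placeholder CRC line.

```python
import base64
from itertools import takewhile

def count_signature_packets(blob: bytes) -> int:
    count = pos = 0                         # RFC 4880 sec. 4.2 packet headers
    while pos < len(blob):
        ctb = blob[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % pos)
        pos += 1
        if ctb & 0x40:                      # new-format header: tag in the low 6 bits
            tag, first = ctb & 0x3F, blob[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length, pos = ((first - 192) << 8) + blob[pos + 1] + 192, pos + 2
            elif first == 255:
                length, pos = int.from_bytes(blob[pos + 1:pos + 5], "big"), pos + 5
            else:                           # partial body lengths never wrap a signature
                raise ValueError("partial body length at offset %d" % pos)
        else:                               # old-format header: tag in bits 2-5
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length at offset %d" % pos)
            length, pos = int.from_bytes(blob[pos:pos + (1 << ltype)], "big"), pos + (1 << ltype)
        if pos + length > len(blob):
            raise ValueError("truncated packet at offset %d" % pos)
        count += int(tag == 2)              # tag 2 = signature packet
        pos += length
    return count

def dearmor_gpgsig(commit: bytes) -> bytes:
    # The gpgsig header continues on the following lines that start with a single space.
    lines = commit.split(b"\n")
    start = next(i for i, line in enumerate(lines) if line.startswith(b"gpgsig "))
    cont = takewhile(lambda line: line.startswith(b" "), lines[start + 1:])
    armor = [lines[start][7:]] + [line[1:] for line in cont]
    # Skip the BEGIN/END lines, armor headers ("Key: value"), blanks and the "=CRC" line.
    body = [l for l in armor[1:-1] if l and b": " not in l and not l.startswith(b"=")]
    return base64.b64decode(b"".join(body))

# Constructed sample data (not real signatures): 16-byte dummy bodies under an old-format
# CTB (0x88: tag 2, one-octet length) and a new-format CTB (0xC2); "=AAAA" is a placeholder CRC.
SIG_OLD = b"\x88\x10" + bytes(range(16))
SIG_NEW = b"\xc2\x10" + bytes(range(16))

def make_commit(*packets: bytes) -> bytes:
    tail = [b"", base64.b64encode(b"".join(packets)), b"=AAAA", b"-----END PGP SIGNATURE-----"]
    return (b"tree " + b"0" * 40 + b"\ncommitter C <c@example.com> 0 +0000\ngpgsig -----BEGIN PGP SIGNATURE-----\n"
            + b"".join(b" " + line + b"\n" for line in tail) + b"\nconstructed commit\n")
```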

Thread overview: 11+ messages
2018-10-20 19:30 [PATCH v4] gpg-interface.c: detect and reject multiple signatures on commits Michał Górny
2018-10-20 23:57 ` Junio C Hamano
2018-10-21  7:10   ` Michał Górny
2018-10-22  0:58     ` Junio C Hamano
2018-10-22  8:04   ` Michał Górny
2018-10-22 15:25     ` Michał Górny
2018-11-03 15:17 ` Duy Nguyen
2018-11-03 15:32   ` Michał Górny [this message]
2018-11-03 15:36     ` Duy Nguyen
2018-11-03 15:58       ` Michał Górny
2018-11-03 15:42     ` Duy Nguyen