[PATCH v6 0/6] Move PGP verification out of verify-tag

[PATCH v6 0/6] Move PGP verification out of verify-tag

[santiago]

From: Santiago Torres <santiago@nyu.edu>

This is a follow up of [1], [2], [3], [4], and [5]. patches 1/6, 2/6 and 3/6
are the same as the corresponding commits in pu.

v6: 
 * As Junio suggested, updated 4/6, to include the name argument and the
   ternary operator to provide more descriptive error messages. I propagated
   these changes to 5/6 and 6/6 as well. I'm unsure about the 80-column
   on 4/6, the ternary operator is rather long.
 * Updated and reviewed the commit messages based on Eric and Junio's
   feedback

v5:
Added helpful feedback by Eric

 * Reordering of the patches, to avoid temporal inclusion of a regression
 * Fix typos here and there.
 * Review commit messages, as some weren't representative of what the patches
   were doing anymore.
 * Updated t7030 to include Peff's suggestion, and added a helped-by line here
   as it was mostly Peff's code.
 * Updated the error-handling/printing issues that were introduced when.
   libifying the verify_tag function.

v4:

Thanks Eric, Jeff, and Hannes for the feedback.

 * I relocated the sigchain_push call so it comes after the error on
   gpg-interface (thanks Hannnes for catching this).
 * I updated the unit test to match the discussion on [3]. Now it generates
   the expected output of the tag on the fly for comparison. (This is just
   copy and paste from [3], but I verified that it works by breaking the
   while)
 * I split moving the code and renaming the variables into two patches so
   these are easier to review.
 * I used an adapter on builtin/tag.c instead of redefining all the fn*
   declarations everywhere. This introduces an issue with the way git tag -v
   resolves refnames though. I added a new commit to restore the previous
   behavior of git-tag. I'm not sure if I should've split this into two commits
   though.

v3:
Thanks Eric, Jeff, for the feedback.

 * I separated the patch in multiple sub-patches.
 * I compared the behavior of previous git tag -v and git verify-tag 
   invocations to make sure the behavior is the same
 * I dropped the multi-line comment, as suggested.
 * I fixed the issue with the missing brackets in the while (this is 
   now detected by the test).

v2:

 * I moved the pgp-verification code to tag.c 
 * I added extra arguments so git tag -v and git verify-tag both work
   with the same function
 * Relocated the SIGPIPE handling code in verify-tag to gpg-interface

v1:
 
The verify tag function is just a thin wrapper around the verify-tag
command. We can avoid one fork call by doing the verification inside
the tag builtin instead.


This applies on v2.8.0. 
Thanks!
-Santiago

[1] http://thread.gmane.org/gmane.comp.version-control.git/287649
[2] http://thread.gmane.org/gmane.comp.version-control.git/289836
[3] http://thread.gmane.org/gmane.comp.version-control.git/290608
[4] http://thread.gmane.org/gmane.comp.version-control.git/290731
[5] http://thread.gmane.org/gmane.comp.version-control.git/290790

Santiago Torres (6):
  builtin/verify-tag.c: ignore SIGPIPE in gpg-interface
  t7030: test verifying multiple tags
  verify-tag: change variable name for readability
  verify-tag: add sha1 argument to verify_tag()
  verify-tag: move verification code to tag.c
  tag -v: verfy directly rather than exec-ing verify-tag

 builtin/tag.c         |  8 +------
 builtin/verify-tag.c  | 64 ++++++++-------------------------------------------
 gpg-interface.c       |  2 ++
 t/t7030-verify-tag.sh | 13 +++++++++++
 tag.c                 | 49 +++++++++++++++++++++++++++++++++++++++
 tag.h                 |  3 ++-
 6 files changed, 77 insertions(+), 62 deletions(-)

-- 
2.8.0

[PATCH v6 1/6] builtin/verify-tag.c: ignore SIGPIPE in gpg-interface

[santiago]

From: Santiago Torres <santiago@nyu.edu>

The verify_signed_buffer() function may trigger a SIGPIPE when the
GPG child process terminates early (due to a bad keyid, for example)
and Git tries to write to it afterwards.  Previously, ignoring
SIGPIPE was done in builtin/verify-tag.c to avoid this issue.

However, any other caller who wants to call verify_signed_buffer()
would have to do the same.

Use sigchain_push(SIGPIPE, SIG_IGN) in verify_signed_buffer(),
pretty much like in sign_buffer(), so that any caller is not
required to perform this task.

This will avoid possible mistakes by further developers using
verify_signed_buffer().

Signed-off-by: Santiago Torres <santiago@nyu.edu>
Reviewed-by: Eric Sunshine <sunshine@sunshineco.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
 builtin/verify-tag.c | 3 ---
 gpg-interface.c      | 2 ++
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/builtin/verify-tag.c b/builtin/verify-tag.c
index 00663f6..77f070a 100644
--- a/builtin/verify-tag.c
+++ b/builtin/verify-tag.c
@@ -95,9 +95,6 @@ int cmd_verify_tag(int argc, const char **argv, const char *prefix)
 	if (verbose)
 		flags |= GPG_VERIFY_VERBOSE;
 
-	/* sometimes the program was terminated because this signal
-	 * was received in the process of writing the gpg input: */
-	signal(SIGPIPE, SIG_IGN);
 	while (i < argc)
 		if (verify_tag(argv[i++], flags))
 			had_error = 1;
diff --git a/gpg-interface.c b/gpg-interface.c
index 3dc2fe3..2259938 100644
--- a/gpg-interface.c
+++ b/gpg-interface.c
@@ -237,6 +237,7 @@ int verify_signed_buffer(const char *payload, size_t payload_size,
 		return error(_("could not run gpg."));
 	}
 
+	sigchain_push(SIGPIPE, SIG_IGN);
 	write_in_full(gpg.in, payload, payload_size);
 	close(gpg.in);
 
@@ -250,6 +251,7 @@ int verify_signed_buffer(const char *payload, size_t payload_size,
 	close(gpg.out);
 
 	ret = finish_command(&gpg);
+	sigchain_pop(SIGPIPE);
 
 	unlink_or_warn(path);
 
-- 
2.8.0

[PATCH v6 2/6] t7030: test verifying multiple tags

[santiago]

From: Santiago Torres <santiago@nyu.edu>

The verify-tag command supports multiple tag names to verify, but
existing tests only test for invocation with a single tag.

Add a test invoking it with multiple tags.

Helped-by: Jeff King <peff@peff.net>
Signed-off-by: Santiago Torres <santiago@nyu.edu>
Reviewed-by: Eric Sunshine <sunshine@sunshineco.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
 t/t7030-verify-tag.sh | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/t/t7030-verify-tag.sh b/t/t7030-verify-tag.sh
index 4608e71..07079a4 100755
--- a/t/t7030-verify-tag.sh
+++ b/t/t7030-verify-tag.sh
@@ -112,4 +112,17 @@ test_expect_success GPG 'verify signatures with --raw' '
 	)
 '
 
+test_expect_success GPG 'verify multiple tags' '
+	tags="fourth-signed sixth-signed seventh-signed" &&
+	for i in $tags
+	do
+		git verify-tag -v --raw $i || return 1
+	done >expect.stdout 2>expect.stderr.1 &&
+	grep "^.GNUPG:." <expect.stderr.1 >expect.stderr &&
+	git verify-tag -v --raw $tags >actual.stdout 2>actual.stderr.1 &&
+	grep "^.GNUPG:." <actual.stderr.1 >actual.stderr &&
+	test_cmp expect.stdout actual.stdout &&
+	test_cmp expect.stderr actual.stderr
+'
+
 test_done
-- 
2.8.0

[PATCH v6 3/6] verify-tag: change variable name for readability

[santiago]

From: Santiago Torres <santiago@nyu.edu>

The run_gpg_verify() function has two variables, size and len.

This may come off as confusing when reading the code.  Clarify which
one pertains to the length of the tag headers by renaming len to
payload_length.

Signed-off-by: Santiago Torres <santiago@nyu.edu>
Reviewed-by: Eric Sunshine <sunshine@sunshineco.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
 builtin/verify-tag.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/builtin/verify-tag.c b/builtin/verify-tag.c
index 77f070a..010353c 100644
--- a/builtin/verify-tag.c
+++ b/builtin/verify-tag.c
@@ -21,20 +21,21 @@ static const char * const verify_tag_usage[] = {
 static int run_gpg_verify(const char *buf, unsigned long size, unsigned flags)
 {
 	struct signature_check sigc;
-	int len;
+	int payload_size;
 	int ret;
 
 	memset(&sigc, 0, sizeof(sigc));
 
-	len = parse_signature(buf, size);
+	payload_size = parse_signature(buf, size);
 
-	if (size == len) {
+	if (size == payload_size) {
 		if (flags & GPG_VERIFY_VERBOSE)
-			write_in_full(1, buf, len);
+			write_in_full(1, buf, payload_size);
 		return error("no signature found");
 	}
 
-	ret = check_signature(buf, len, buf + len, size - len, &sigc);
+	ret = check_signature(buf, payload_size, buf + payload_size,
+				size - payload_size, &sigc);
 	print_signature_buffer(&sigc, flags);
 
 	signature_check_clear(&sigc);
-- 
2.8.0

Re: [PATCH v6 3/6] verify-tag: change variable name for readability

[Eric Sunshine]

On Sun, Apr 17, 2016 at 6:26 PM,  <santiago@nyu.edu> wrote:
> The run_gpg_verify() function has two variables, size and len.
>
> This may come off as confusing when reading the code.  Clarify which
> one pertains to the length of the tag headers by renaming len to
> payload_length.

The commit message talks about 'payload_length', but the code names it
'payload_size'.

> Signed-off-by: Santiago Torres <santiago@nyu.edu>
> ---
>  builtin/verify-tag.c | 11 ++++++-----
>  1 file changed, 6 insertions(+), 5 deletions(-)
>
> diff --git a/builtin/verify-tag.c b/builtin/verify-tag.c
> index 77f070a..010353c 100644
> --- a/builtin/verify-tag.c
> +++ b/builtin/verify-tag.c
> @@ -21,20 +21,21 @@ static const char * const verify_tag_usage[] = {
>  static int run_gpg_verify(const char *buf, unsigned long size, unsigned flags)
>  {
>         struct signature_check sigc;
> -       int len;
> +       int payload_size;
>         int ret;
>
>         memset(&sigc, 0, sizeof(sigc));
>
> -       len = parse_signature(buf, size);
> +       payload_size = parse_signature(buf, size);
>
> -       if (size == len) {
> +       if (size == payload_size) {
>                 if (flags & GPG_VERIFY_VERBOSE)
> -                       write_in_full(1, buf, len);
> +                       write_in_full(1, buf, payload_size);
>                 return error("no signature found");
>         }
>
> -       ret = check_signature(buf, len, buf + len, size - len, &sigc);
> +       ret = check_signature(buf, payload_size, buf + payload_size,
> +                               size - payload_size, &sigc);
>         print_signature_buffer(&sigc, flags);
>
>         signature_check_clear(&sigc);
> --

Re: [PATCH v6 3/6] verify-tag: change variable name for readability

[Jeff King]

On Sun, Apr 17, 2016 at 06:26:58PM -0400, santiago@nyu.edu wrote:

> diff --git a/builtin/verify-tag.c b/builtin/verify-tag.c
> index 77f070a..010353c 100644
> --- a/builtin/verify-tag.c
> +++ b/builtin/verify-tag.c
> @@ -21,20 +21,21 @@ static const char * const verify_tag_usage[] = {
>  static int run_gpg_verify(const char *buf, unsigned long size, unsigned flags)
>  {
>  	struct signature_check sigc;
> -	int len;
> +	int payload_size;
>  	int ret;
>  
>  	memset(&sigc, 0, sizeof(sigc));
>  
> -	len = parse_signature(buf, size);
> +	payload_size = parse_signature(buf, size);

While we're here, can we make payload_size a "size_t"? That is the
return type of parse_signature.

> -	if (size == len) {
> +	if (size == payload_size) {

That would make this a comparison between "unsigned long" and "size_t",
but I doubt it would be the first such place in git. And it works out in
practice, because "unsigned long" is generally at least as large as
"size_t", and if our buffer is larger than "size_t" can store, we'd have
failed long before, when trying to allocate the buffer.

We could make "size" also a "size_t", but I suspect then we'd just be
bumping the mismatch out to its caller.

-Peff

[PATCH v6 4/6] verify-tag: add sha1 argument to verify_tag()

[santiago]

From: Santiago Torres <santiago@nyu.edu>

The current interface of verify_tag() resolves reference names to SHA1,
which might be redundant as future callers may resolve the refname to
SHA1 beforehand.

Add a SHA1 parameter to use instead of the name parameter. We also
replace the name argument to report_name and use it for error reporting
only.

Helped-by: Junio C Hamano <gitster@pobox.com>
Signed-off-by: Santiago Torres <santiago@nyu.edu>
---
 builtin/verify-tag.c | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/builtin/verify-tag.c b/builtin/verify-tag.c
index 010353c..1d1c5c2 100644
--- a/builtin/verify-tag.c
+++ b/builtin/verify-tag.c
@@ -42,25 +42,24 @@ static int run_gpg_verify(const char *buf, unsigned long size, unsigned flags)
 	return ret;
 }
 
-static int verify_tag(const char *name, unsigned flags)
+static int verify_tag(const unsigned char *sha1, const char *report_name,
+			unsigned flags)
 {
 	enum object_type type;
-	unsigned char sha1[20];
 	char *buf;
 	unsigned long size;
 	int ret;
 
-	if (get_sha1(name, sha1))
-		return error("tag '%s' not found.", name);
-
 	type = sha1_object_info(sha1, NULL);
 	if (type != OBJ_TAG)
 		return error("%s: cannot verify a non-tag object of type %s.",
-				name, typename(type));
+				report_name ? report_name : find_unique_abbrev(sha1, DEFAULT_ABBREV),
+				typename(type));
 
 	buf = read_sha1_file(sha1, &type, &size);
 	if (!buf)
-		return error("%s: unable to read file.", name);
+		return error("%s: unable to read file.",
+				report_name ? report_name : find_unique_abbrev(sha1, DEFAULT_ABBREV));
 
 	ret = run_gpg_verify(buf, size, flags);
 
@@ -80,6 +79,8 @@ int cmd_verify_tag(int argc, const char **argv, const char *prefix)
 {
 	int i = 1, verbose = 0, had_error = 0;
 	unsigned flags = 0;
+	unsigned char sha1[20];
+	const char *name;
 	const struct option verify_tag_options[] = {
 		OPT__VERBOSE(&verbose, N_("print tag contents")),
 		OPT_BIT(0, "raw", &flags, N_("print raw gpg status output"), GPG_VERIFY_RAW),
@@ -96,8 +97,14 @@ int cmd_verify_tag(int argc, const char **argv, const char *prefix)
 	if (verbose)
 		flags |= GPG_VERIFY_VERBOSE;
 
-	while (i < argc)
-		if (verify_tag(argv[i++], flags))
+	while (i < argc) {
+		name = argv[i++];
+		if (get_sha1(name, sha1)) {
+			error("tag '%s' not found.", name);
 			had_error = 1;
+		}
+		else if (verify_tag(sha1, name, flags))
+			had_error = 1;
+	}
 	return had_error;
 }
-- 
2.8.0

Re: [PATCH v6 4/6] verify-tag: add sha1 argument to verify_tag()

[Eric Sunshine]

On Sun, Apr 17, 2016 at 6:26 PM,  <santiago@nyu.edu> wrote:
> verify-tag: add sha1 argument to verify_tag()

Mentioned previously[1]: This subject is talking about low level
details of the change rather than giving a high-level overview. A
suggested replacement[1] would be:

    verify-tag: prepare verify_tag() for libification

> The current interface of verify_tag() resolves reference names to SHA1,
> which might be redundant as future callers may resolve the refname to
> SHA1 beforehand.

There is no mention here that the plan is to libify verify_tag() and
"might be redundant" is a somewhat weak way to argue in favor of this
change. The commit messages proposed in the previous review[1] was
more explicit:

    verify_tag() accepts a tag name which it resolves to a SHA1
    before verification, however, the plan is to make this
    functionality public and it is possible that future callers will
    already have a SHA1 in hand. Since it would be wasteful for them
    to supply a tag name only to have it resolved again, change
    verify_tag() to accept a tag SHA1 rather than a name.

> Add a SHA1 parameter to use instead of the name parameter. We also
> replace the name argument to report_name and use it for error reporting
> only.

The patch itself looks okay, though see a few nits below (which may
not be worth a re-roll).

[1]: http://article.gmane.org/gmane.comp.version-control.git/290829

> Signed-off-by: Santiago Torres <santiago@nyu.edu>
> ---
> diff --git a/builtin/verify-tag.c b/builtin/verify-tag.c
> @@ -80,6 +79,8 @@ int cmd_verify_tag(int argc, const char **argv, const char *prefix)
>  {
>         int i = 1, verbose = 0, had_error = 0;
>         unsigned flags = 0;
> +       unsigned char sha1[20];
> +       const char *name;

Nit: These could have been declared in the scope of the while-loop
(below) since you've added braces to it.

> @@ -96,8 +97,14 @@ int cmd_verify_tag(int argc, const char **argv, const char *prefix)
> -       while (i < argc)
> -               if (verify_tag(argv[i++], flags))
> +       while (i < argc) {
> +               name = argv[i++];
> +               if (get_sha1(name, sha1)) {
> +                       error("tag '%s' not found.", name);
>                         had_error = 1;

These lines could be combined:

    had_error = !!error("tag '%s' not found.", name);

which would allow you to drop the braces.

> +               }
> +               else if (verify_tag(sha1, name, flags))
> +                       had_error = 1;

Style: cuddle '}' and else:

    } else

> +       }
>         return had_error;
>  }

Re: [PATCH v6 4/6] verify-tag: add sha1 argument to verify_tag()

[Junio C Hamano]

Eric Sunshine <sunshine@sunshineco.com> writes:

> On Sun, Apr 17, 2016 at 6:26 PM,  <santiago@nyu.edu> wrote:
>> verify-tag: add sha1 argument to verify_tag()
>
> Mentioned previously[1]: This subject is talking about low level
> details of the change rather than giving a high-level overview. A
> suggested replacement[1] would be:
>
>     verify-tag: prepare verify_tag() for libification
>
>> The current interface of verify_tag() resolves reference names to SHA1,
>> which might be redundant as future callers may resolve the refname to
>> SHA1 beforehand.
>
> There is no mention here that the plan is to libify verify_tag() and
> "might be redundant" is a somewhat weak way to argue in favor of this
> change. The commit messages proposed in the previous review[1] was
> more explicit:
>
>     verify_tag() accepts a tag name which it resolves to a SHA1
>     before verification, however, the plan is to make this
>     functionality public and it is possible that future callers will
>     already have a SHA1 in hand. Since it would be wasteful for them
>     to supply a tag name only to have it resolved again, change
>     verify_tag() to accept a tag SHA1 rather than a name.

Phrased that way, it is not "might be redundant" that this change is
fixing, and "It is possible ... will already have" is still weak.  I
think the real reason for this change is that some future callers
may only have object name without the end-user supplied textual
input, and the current interface that takes strings is cumbersome
for them to use--they have to use sha1_to_hex() only so that the
callee can do get_sha1() on it.

I guess with 's/already/only/', your version is good.

By the way, it can also be read in a negative way: "Some current
callers may let this function resolve tagname, but they no longer
can rely on it, as we force them to resolve before we allow them to
call this function."

>> Add a SHA1 parameter to use instead of the name parameter. We also
>> replace the name argument to report_name and use it for error reporting
>> only.

I know I am to blame, but perhaps "reported_name" or
"name_to_report"?  "report_name" sounds as if it is a boolean that
tells the function to report the name of the tag (as opposed to stay
silent).

I agree all the clean-up points in the code part of your review.

Thanks.

> The patch itself looks okay, though see a few nits below (which may
> not be worth a re-roll).
>
> [1]: http://article.gmane.org/gmane.comp.version-control.git/290829
>
>> Signed-off-by: Santiago Torres <santiago@nyu.edu>
>> ---
>> diff --git a/builtin/verify-tag.c b/builtin/verify-tag.c
>> @@ -80,6 +79,8 @@ int cmd_verify_tag(int argc, const char **argv, const char *prefix)
>>  {
>>         int i = 1, verbose = 0, had_error = 0;
>>         unsigned flags = 0;
>> +       unsigned char sha1[20];
>> +       const char *name;
>
> Nit: These could have been declared in the scope of the while-loop
> (below) since you've added braces to it.
>
>> @@ -96,8 +97,14 @@ int cmd_verify_tag(int argc, const char **argv, const char *prefix)
>> -       while (i < argc)
>> -               if (verify_tag(argv[i++], flags))
>> +       while (i < argc) {
>> +               name = argv[i++];
>> +               if (get_sha1(name, sha1)) {
>> +                       error("tag '%s' not found.", name);
>>                         had_error = 1;
>
> These lines could be combined:
>
>     had_error = !!error("tag '%s' not found.", name);
>
> which would allow you to drop the braces.
>
>> +               }
>> +               else if (verify_tag(sha1, name, flags))
>> +                       had_error = 1;
>
> Style: cuddle '}' and else:
>
>     } else
>
>> +       }
>>         return had_error;
>>  }

[PATCH v6 5/6] verify-tag: move verification code to tag.c

[santiago]

From: Santiago Torres <santiago@nyu.edu>

The PGP verification routine for tags could be accessed by other modules
that require to do so.

Publish the verify_tag function in tag.c and rename it to gpg_verify_tag
so it does not conflict with builtin/mktag's static function.

Helped-by: Junio C Hamano <gitster@pobox.com>
Signed-off-by: Santiago Torres <santiago@nyu.edu>
---
 builtin/verify-tag.c | 51 +--------------------------------------------------
 tag.c                | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 tag.h                |  3 ++-
 3 files changed, 52 insertions(+), 51 deletions(-)

diff --git a/builtin/verify-tag.c b/builtin/verify-tag.c
index 1d1c5c2..4e3b643 100644
--- a/builtin/verify-tag.c
+++ b/builtin/verify-tag.c
@@ -18,55 +18,6 @@ static const char * const verify_tag_usage[] = {
 		NULL
 };
 
-static int run_gpg_verify(const char *buf, unsigned long size, unsigned flags)
-{
-	struct signature_check sigc;
-	int payload_size;
-	int ret;
-
-	memset(&sigc, 0, sizeof(sigc));
-
-	payload_size = parse_signature(buf, size);
-
-	if (size == payload_size) {
-		if (flags & GPG_VERIFY_VERBOSE)
-			write_in_full(1, buf, payload_size);
-		return error("no signature found");
-	}
-
-	ret = check_signature(buf, payload_size, buf + payload_size,
-				size - payload_size, &sigc);
-	print_signature_buffer(&sigc, flags);
-
-	signature_check_clear(&sigc);
-	return ret;
-}
-
-static int verify_tag(const unsigned char *sha1, const char *report_name,
-			unsigned flags)
-{
-	enum object_type type;
-	char *buf;
-	unsigned long size;
-	int ret;
-
-	type = sha1_object_info(sha1, NULL);
-	if (type != OBJ_TAG)
-		return error("%s: cannot verify a non-tag object of type %s.",
-				report_name ? report_name : find_unique_abbrev(sha1, DEFAULT_ABBREV),
-				typename(type));
-
-	buf = read_sha1_file(sha1, &type, &size);
-	if (!buf)
-		return error("%s: unable to read file.",
-				report_name ? report_name : find_unique_abbrev(sha1, DEFAULT_ABBREV));
-
-	ret = run_gpg_verify(buf, size, flags);
-
-	free(buf);
-	return ret;
-}
-
 static int git_verify_tag_config(const char *var, const char *value, void *cb)
 {
 	int status = git_gpg_config(var, value, cb);
@@ -103,7 +54,7 @@ int cmd_verify_tag(int argc, const char **argv, const char *prefix)
 			error("tag '%s' not found.", name);
 			had_error = 1;
 		}
-		else if (verify_tag(sha1, name, flags))
+		else if (gpg_verify_tag(sha1, name, flags))
 			had_error = 1;
 	}
 	return had_error;
diff --git a/tag.c b/tag.c
index d72f742..e7f22c6 100644
--- a/tag.c
+++ b/tag.c
@@ -6,6 +6,55 @@
 
 const char *tag_type = "tag";
 
+static int run_gpg_verify(const char *buf, unsigned long size, unsigned flags)
+{
+	struct signature_check sigc;
+	int payload_size;
+	int ret;
+
+	memset(&sigc, 0, sizeof(sigc));
+
+	payload_size = parse_signature(buf, size);
+
+	if (size == payload_size) {
+		if (flags & GPG_VERIFY_VERBOSE)
+			write_in_full(1, buf, payload_size);
+		return error("no signature found");
+	}
+
+	ret = check_signature(buf, payload_size, buf + payload_size,
+				size - payload_size, &sigc);
+	print_signature_buffer(&sigc, flags);
+
+	signature_check_clear(&sigc);
+	return ret;
+}
+
+int gpg_verify_tag(const unsigned char *sha1, const char *report_name,
+			unsigned flags)
+{
+	enum object_type type;
+	char *buf;
+	unsigned long size;
+	int ret;
+
+	type = sha1_object_info(sha1, NULL);
+	if (type != OBJ_TAG)
+		return error("%s: cannot verify a non-tag object of type %s.",
+				report_name ? report_name : find_unique_abbrev(sha1, DEFAULT_ABBREV),
+				typename(type));
+
+	buf = read_sha1_file(sha1, &type, &size);
+	if (!buf)
+		return error("%s: unable to read file.",
+				report_name ? report_name : find_unique_abbrev(sha1, DEFAULT_ABBREV));
+
+	ret = run_gpg_verify(buf, size, flags);
+
+	free(buf);
+	return ret;
+}
+
 struct object *deref_tag(struct object *o, const char *warn, int warnlen)
 {
 	while (o && o->type == OBJ_TAG)
diff --git a/tag.h b/tag.h
index f4580ae..1a8d123 100644
--- a/tag.h
+++ b/tag.h
@@ -17,5 +17,6 @@ extern int parse_tag_buffer(struct tag *item, const void *data, unsigned long si
 extern int parse_tag(struct tag *item);
 extern struct object *deref_tag(struct object *, const char *, int);
 extern struct object *deref_tag_noverify(struct object *);
-
+extern int gpg_verify_tag(const unsigned char *sha1, const char *report_name,
+			unsigned flags);
 #endif /* TAG_H */
-- 
2.8.0

[PATCH v6 6/6] tag -v: verfy directly rather than exec-ing verify-tag

[santiago]

From: Santiago Torres <santiago@nyu.edu>

tag -v forks into verify-tag, which only calls gpg_verify_tag().

Instead of forking to verify-tag, call gpg_verify_tag directly().

Helped-by: Eric Sunshine <sunshine@sunshineco.com>
Signed-off-by: Santiago Torres <santiago@nyu.edu>
---
 builtin/tag.c | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/builtin/tag.c b/builtin/tag.c
index 1705c94..7b2918e 100644
--- a/builtin/tag.c
+++ b/builtin/tag.c
@@ -104,13 +104,7 @@ static int delete_tag(const char *name, const char *ref,
 static int verify_tag(const char *name, const char *ref,
 				const unsigned char *sha1)
 {
-	const char *argv_verify_tag[] = {"verify-tag",
-					"-v", "SHA1_HEX", NULL};
-	argv_verify_tag[2] = sha1_to_hex(sha1);
-
-	if (run_command_v_opt(argv_verify_tag, RUN_GIT_CMD))
-		return error(_("could not verify the tag '%s'"), name);
-	return 0;
+	return gpg_verify_tag(sha1, name, GPG_VERIFY_VERBOSE);
 }
 
 static int do_sign(struct strbuf *buffer)
-- 
2.8.0

Re: [PATCH v6 6/6] tag -v: verfy directly rather than exec-ing verify-tag

[Eric Sunshine]

On Sun, Apr 17, 2016 at 6:27 PM,  <santiago@nyu.edu> wrote:
> tag -v forks into verify-tag, which only calls gpg_verify_tag().

"forks into" sounds odd.

> Instead of forking to verify-tag, call gpg_verify_tag directly().

s/ directly()/() directly/

I found the commit message of your previous version[1] more
descriptive and easier to understand (minus the grammo):

    Instead of running the verify-tag plumbing command, use the
    gpg_verify_tag() function to avoid doing an additional fork call.

The patch itself looks fine.

[1]: http://article.gmane.org/gmane.comp.version-control.git/290831

> Signed-off-by: Santiago Torres <santiago@nyu.edu>
> ---
> diff --git a/builtin/tag.c b/builtin/tag.c
> index 1705c94..7b2918e 100644
> --- a/builtin/tag.c
> +++ b/builtin/tag.c
> @@ -104,13 +104,7 @@ static int delete_tag(const char *name, const char *ref,
>  static int verify_tag(const char *name, const char *ref,
>                                 const unsigned char *sha1)
>  {
> -       const char *argv_verify_tag[] = {"verify-tag",
> -                                       "-v", "SHA1_HEX", NULL};
> -       argv_verify_tag[2] = sha1_to_hex(sha1);
> -
> -       if (run_command_v_opt(argv_verify_tag, RUN_GIT_CMD))
> -               return error(_("could not verify the tag '%s'"), name);
> -       return 0;
> +       return gpg_verify_tag(sha1, name, GPG_VERIFY_VERBOSE);
>  }
>
>  static int do_sign(struct strbuf *buffer)
> --

Re: [PATCH v6 0/6] Move PGP verification out of verify-tag

[Eric Sunshine]

On Sun, Apr 17, 2016 at 6:26 PM,  <santiago@nyu.edu> wrote:
> This is a follow up of [1], [2], [3], [4], and [5]. patches 1/6, 2/6 and 3/6
> are the same as the corresponding commits in pu.
>
> v6:
>  * As Junio suggested, updated 4/6, to include the name argument and the
>    ternary operator to provide more descriptive error messages. I propagated
>    these changes to 5/6 and 6/6 as well. I'm unsure about the 80-column
>    on 4/6, the ternary operator is rather long.
>  * Updated and reviewed the commit messages based on Eric and Junio's
>    feedback

Thanks. See my responses to individual patches for a few very minor
issues, not necessarily even deserving a re-roll. With or without the
code and commit message nits addressed, this version is:

    Reviewed-by: Eric Sunshine <sunshine@sunshineco.com>

Re: [PATCH v6 0/6] Move PGP verification out of verify-tag

[Junio C Hamano]

santiago@nyu.edu writes:

>    I'm unsure about the 80-column
>    on 4/6, the ternary operator is rather long.

You can do something like this:

        type = sha1_object_info(sha1, NULL);
        if (type != OBJ_TAG)
                return error("%s: cannot verify a non-tag object of type %s.",
                             report_name ?
                             report_name :
                             find_unique_abbrev(sha1, DEFAULT_ABBREV),
                             typename(type));

        buf = read_sha1_file(sha1, &type, &size);
        if (!buf)
                return error("%s: unable to read file.",
                             report_name ?
                             report_name :
                             find_unique_abbrev(sha1, DEFAULT_ABBREV));

Thanks.

Re: [PATCH v6 0/6] Move PGP verification out of verify-tag

[Jeff King]

On Sun, Apr 17, 2016 at 06:26:55PM -0400, santiago@nyu.edu wrote:

> From: Santiago Torres <santiago@nyu.edu>
> 
> This is a follow up of [1], [2], [3], [4], and [5]. patches 1/6, 2/6 and 3/6
> are the same as the corresponding commits in pu.

Aside from the minor point I mentioned, and the ones from Eric, this
looks good to me. None of them is that big a deal, but there are enough
that it's probably worth one more re-roll to clean them all up.

Thanks for sticking with it.

-Peff