From: Hans Jerry Illikainen <hji@dyntopia.com>
To: git@vger.kernel.org
Cc: Hans Jerry Illikainen <hji@dyntopia.com>
Subject: [PATCH 0/5] refactor gpg-interface and add gpg verification for clones
Date: Sun, 5 Jan 2020 13:56:11 +0000
Message-ID: <20200105135616.19102-1-hji@dyntopia.com>

This series starts off with a refactor of print_signature_buffer() to make
all output conditional based on the 'flags' parameter.  The print
function is also extended to optionally show one-line summaries of
signature verifications (previously that functionality existed in
verify_merge_signature()).

The helper functions for signature verification of commits are then
refactored.  The new gpg_verify_commit() function is modelled after
gpg_verify_tag().  This allows us to remove verify_merge_signature() and
the file-local run_gpg_verify() (from the verify-commit builtin).  It
also allows us to change check_commit_signature() into a local function
in commit.c.

A new configuration option is also introduced, gpg.verifySignatures.
This allows users to enable signature verification for all operations
that support it.  Individual operations can then use
<operation>.verifySignatures for finer-grained control.

And finally, signature verification is added to the clone builtin.  It
obeys --(no-)verify-signatures, clone.verifySignatures and
gpg.verifySignatures (in decreasing order of significance).

A notable quirk with signature verification for clones is
--recurse-submodules.  As mentioned in the commit message, the current
workaround is to disable signature verification for submodules by
passing --no-verify-signatures in submodule--helper.c.

I'm very much open to suggestions for a better approach of dealing with
recursive clones.  However, I don't think --verify-signatures from the
clone builtin should propagate to submodules, because that would break a
workflow where a user:

1. trusts the hash function
2. has audited an unsigned repository at a given point
3. has added the repository at that point as a submodule
4. has signed an object in the super repository where the audited
   submodule is referenced

So, I think it'd make more sense to introduce a
submodule.verifySignatures config knob to be used by both
--recurse-submodules and when the 'submodule' command is used directly.

I hope this patch series isn't too confusing/all over the place.  I
wasn't sure whether the preparatory patches would have made sense in
isolation, so I opted to send it all in one go.

Hans Jerry Illikainen (5):
  gpg-interface: conditionally show the result in
    print_signature_buffer()
  gpg-interface: support one-line summaries in print_signature_buffer()
  commit: refactor signature verification helpers
  merge: verify signatures if gpg.verifySignatures is true
  clone: support signature verification

 Documentation/config.txt           |   2 +
 Documentation/config/clone.txt     |   3 +
 Documentation/config/gpg.txt       |   6 +
 Documentation/config/merge.txt     |   4 +-
 Documentation/git-clone.txt        |   4 +
 builtin/clone.c                    |  46 ++++
 builtin/merge.c                    |  22 +-
 builtin/pull.c                     |  18 +-
 builtin/submodule--helper.c        |   6 +
 builtin/tag.c                      |   4 +-
 builtin/verify-commit.c            |  26 +-
 builtin/verify-tag.c               |   4 +-
 commit.c                           |  58 ++--
 commit.h                           |  31 +--
 gpg-interface.c                    |  43 ++-
 gpg-interface.h                    |  11 +-
 pretty.c                           |   3 +-
 t/t5619-clone-verify-signatures.sh | 411 +++++++++++++++++++++++++++++
 t/t7612-merge-verify-signatures.sh |  27 ++
 tag.c                              |  19 +-
 20 files changed, 633 insertions(+), 115 deletions(-)
 create mode 100644 Documentation/config/clone.txt
 create mode 100755 t/t5619-clone-verify-signatures.sh

--
2.25.0.rc1.302.gc71d20beed
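
The submodule workflow in the numbered list above rests on the superproject commit recording the submodule's commit id, so a signature over the superproject commit reaches the audited submodule state through the hash chain. The shell functions below are an added example, not part of this patch series: they check that a submodule checkout is exactly the commit pinned by the superproject's HEAD. The helper names and the constructed demo repositories are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; helper names and the demo repositories are hypothetical.

# git wrapper with a fixed identity and signing disabled, for the demo only.
demo_git() {
    git -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false "$@"
}

# Print the commit id that <super>'s HEAD tree records for the gitlink <path>.
# ls-tree prints "<mode> <type> <oid>\t<path>"; mode 160000 marks a gitlink.
pinned_commit() {
    git -C "$1" ls-tree HEAD -- "$2" |
        awk '$1 == "160000" && $2 == "commit" { print $3 }'
}

# Succeed only if the checkout at <super>/<path> is exactly the pinned commit.
submodule_matches_pin() {
    want=$(pinned_commit "$1" "$2")
    have=$(git -C "$1/$2" rev-parse --verify HEAD 2>/dev/null) || return 1
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Build constructed sample data: an unsigned repository "lib" that has been
# "audited" at one commit, and a superproject whose tree pins that commit.
# In the workflow from the cover letter, the "pin lib" commit is the object
# the user would sign. Prints the temporary directory holding both.
make_demo() {
    demo=$(mktemp -d) || return 1
    git init -q "$demo/super" || return 1
    git init -q "$demo/super/lib" || return 1
    echo audited > "$demo/super/lib/file"
    demo_git -C "$demo/super/lib" add file || return 1
    demo_git -C "$demo/super/lib" commit -q -m "audited state" || return 1
    oid=$(git -C "$demo/super/lib" rev-parse HEAD) || return 1
    # Record the gitlink directly in the superproject index.
    git -C "$demo/super" update-index --add --cacheinfo "160000,$oid,lib" || return 1
    demo_git -C "$demo/super" commit -q -m "pin lib" || return 1
    echo "$demo"
}
```

Because the pin lives in the superproject tree, any later commit in the submodule makes `submodule_matches_pin` fail until the superproject records (and, in the workflow above, re-signs) the new id.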