t/t7031-verify-tag-signed-ssh.sh

   1 #!/bin/sh
   2
   3 test_description='signed tag tests'
   4 GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME=main
   5 export GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME
   6
   7 . ./test-lib.sh
   8 . "$TEST_DIRECTORY/lib-gpg.sh"
   9
  10 test_expect_success GPGSSH 'create signed tags ssh' '
  11         test_when_finished "test_unconfig commit.gpgsign" &&
  12         test_config gpg.format ssh &&
  13         test_config user.signingkey "${GPGSSH_KEY_PRIMARY}" &&
  14
  15         echo 1 >file && git add file &&
  16         test_tick && git commit -m initial &&
  17         git tag -s -m initial initial &&
  18         git branch side &&
  19
  20         echo 2 >file && test_tick && git commit -a -m second &&
  21         git tag -s -m second second &&
  22
  23         git checkout side &&
  24         echo 3 >elif && git add elif &&
  25         test_tick && git commit -m "third on side" &&
  26
  27         git checkout main &&
  28         test_tick && git merge -S side &&
  29         git tag -s -m merge merge &&
  30
  31         echo 4 >file && test_tick && git commit -a -S -m "fourth unsigned" &&
  32         git tag -a -m fourth-unsigned fourth-unsigned &&
  33
  34         test_tick && git commit --amend -S -m "fourth signed" &&
  35         git tag -s -m fourth fourth-signed &&
  36
  37         echo 5 >file && test_tick && git commit -a -m "fifth" &&
  38         git tag fifth-unsigned &&
  39
  40         git config commit.gpgsign true &&
  41         echo 6 >file && test_tick && git commit -a -m "sixth" &&
  42         git tag -a -m sixth sixth-unsigned &&
  43
  44         test_tick && git rebase -f HEAD^^ && git tag -s -m 6th sixth-signed HEAD^ &&
  45         git tag -m seventh -s seventh-signed &&
  46
  47         echo 8 >file && test_tick && git commit -a -m eighth &&
  48         git tag -u"${GPGSSH_KEY_UNTRUSTED}" -m eighth eighth-signed-alt
  49 '
  50
  51 test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'create signed tags with keys having defined lifetimes' '
  52         test_when_finished "test_unconfig commit.gpgsign" &&
  53         test_config gpg.format ssh &&
  54
  55         echo expired >file && test_tick && git commit -a -m expired -S"${GPGSSH_KEY_EXPIRED}" &&
  56         git tag -s -u "${GPGSSH_KEY_EXPIRED}" -m expired-signed expired-signed &&
  57
  58         echo notyetvalid >file && test_tick && git commit -a -m notyetvalid -S"${GPGSSH_KEY_NOTYETVALID}" &&
  59         git tag -s -u "${GPGSSH_KEY_NOTYETVALID}" -m notyetvalid-signed notyetvalid-signed &&
  60
  61         echo timeboxedvalid >file && test_tick && git commit -a -m timeboxedvalid -S"${GPGSSH_KEY_TIMEBOXEDVALID}" &&
  62         git tag -s -u "${GPGSSH_KEY_TIMEBOXEDVALID}" -m timeboxedvalid-signed timeboxedvalid-signed &&
  63
  64         echo timeboxedinvalid >file && test_tick && git commit -a -m timeboxedinvalid -S"${GPGSSH_KEY_TIMEBOXEDINVALID}" &&
  65         git tag -s -u "${GPGSSH_KEY_TIMEBOXEDINVALID}" -m timeboxedinvalid-signed timeboxedinvalid-signed
  66 '
  67
  68 test_expect_success GPGSSH 'verify and show ssh signatures' '
  69         test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" &&
  70         (
  71                 for tag in initial second merge fourth-signed sixth-signed seventh-signed
  72                 do
  73                         git verify-tag $tag 2>actual &&
  74                         grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual &&
  75                         ! grep "${GPGSSH_BAD_SIGNATURE}" actual &&
  76                         echo $tag OK || exit 1
  77                 done
  78         ) &&
  79         (
  80                 for tag in fourth-unsigned fifth-unsigned sixth-unsigned
  81                 do
  82                         test_must_fail git verify-tag $tag 2>actual &&
  83                         ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual &&
  84                         ! grep "${GPGSSH_BAD_SIGNATURE}" actual &&
  85                         echo $tag OK || exit 1
  86                 done
  87         ) &&
  88         (
  89                 for tag in eighth-signed-alt
  90                 do
  91                         test_must_fail git verify-tag $tag 2>actual &&
  92                         grep "${GPGSSH_GOOD_SIGNATURE_UNTRUSTED}" actual &&
  93                         ! grep "${GPGSSH_BAD_SIGNATURE}" actual &&
  94                         grep "${GPGSSH_KEY_NOT_TRUSTED}" actual &&
  95                         echo $tag OK || exit 1
  96                 done
  97         )
  98 '
  99
 100 test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'verify-tag exits failure on expired signature key' '
 101         test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" &&
 102         test_must_fail git verify-tag expired-signed 2>actual &&
 103         ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual
 104 '
 105
 106 test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'verify-tag exits failure on not yet valid signature key' '
 107         test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" &&
 108         test_must_fail git verify-tag notyetvalid-signed 2>actual &&
 109         ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual
 110 '
 111
 112 test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'verify-tag succeeds with tag date and key validity matching' '
 113         test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" &&
 114         git verify-tag timeboxedvalid-signed 2>actual &&
 115         grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual &&
 116         ! grep "${GPGSSH_BAD_SIGNATURE}" actual
 117 '
 118
 119 test_expect_success GPGSSH,GPGSSH_VERIFYTIME 'verify-tag failes with tag date outside of key validity' '
 120         test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" &&
 121         test_must_fail git verify-tag timeboxedinvalid-signed 2>actual &&
 122         ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual
 123 '
 124
 125 test_expect_success GPGSSH 'detect fudged ssh signature' '
 126         test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" &&
 127         git cat-file tag seventh-signed >raw &&
 128         sed -e "/^tag / s/seventh/7th-forged/" raw >forged1 &&
 129         git hash-object -w -t tag forged1 >forged1.tag &&
 130         test_must_fail git verify-tag $(cat forged1.tag) 2>actual1 &&
 131         grep "${GPGSSH_BAD_SIGNATURE}" actual1 &&
 132         ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual1 &&
 133         ! grep "${GPGSSH_GOOD_SIGNATURE_UNTRUSTED}" actual1
 134 '
 135
 136 test_expect_success GPGSSH 'verify ssh signatures with --raw' '
 137         test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" &&
 138         (
 139                 for tag in initial second merge fourth-signed sixth-signed seventh-signed
 140                 do
 141                         git verify-tag --raw $tag 2>actual &&
 142                         grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual &&
 143                         ! grep "${GPGSSH_BAD_SIGNATURE}" actual &&
 144                         echo $tag OK || exit 1
 145                 done
 146         ) &&
 147         (
 148                 for tag in fourth-unsigned fifth-unsigned sixth-unsigned
 149                 do
 150                         test_must_fail git verify-tag --raw $tag 2>actual &&
 151                         ! grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual &&
 152                         ! grep "${GPGSSH_BAD_SIGNATURE}" actual &&
 153                         echo $tag OK || exit 1
 154                 done
 155         ) &&
 156         (
 157                 for tag in eighth-signed-alt
 158                 do
 159                         test_must_fail git verify-tag --raw $tag 2>actual &&
 160                         grep "${GPGSSH_GOOD_SIGNATURE_UNTRUSTED}" actual &&
 161                         ! grep "${GPGSSH_BAD_SIGNATURE}" actual &&
 162                         echo $tag OK || exit 1
 163                 done
 164         )
 165 '
 166
 167 test_expect_success GPGSSH 'verify signatures with --raw ssh' '
 168         test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" &&
 169         git verify-tag --raw sixth-signed 2>actual &&
 170         grep "${GPGSSH_GOOD_SIGNATURE_TRUSTED}" actual &&
 171         ! grep "${GPGSSH_BAD_SIGNATURE}" actual &&
 172         echo sixth-signed OK
 173 '
 174
 175 test_expect_success GPGSSH 'verify multiple tags ssh' '
 176         test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" &&
 177         tags="seventh-signed sixth-signed" &&
 178         for i in $tags
 179         do
 180                 git verify-tag -v --raw $i || return 1
 181         done >expect.stdout 2>expect.stderr.1 &&
 182         grep "^${GPGSSH_GOOD_SIGNATURE_TRUSTED}" <expect.stderr.1 >expect.stderr &&
 183         git verify-tag -v --raw $tags >actual.stdout 2>actual.stderr.1 &&
 184         grep "^${GPGSSH_GOOD_SIGNATURE_TRUSTED}" <actual.stderr.1 >actual.stderr &&
 185         test_cmp expect.stdout actual.stdout &&
 186         test_cmp expect.stderr actual.stderr
 187 '
 188
 189 test_expect_success GPGSSH 'verifying tag with --format - ssh' '
 190         test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" &&
 191         cat >expect <<-\EOF &&
 192         tagname : fourth-signed
 193         EOF
 194         git verify-tag --format="tagname : %(tag)" "fourth-signed" >actual &&
 195         test_cmp expect actual
 196 '
 197
 198 test_expect_success GPGSSH 'verifying a forged tag with --format should fail silently - ssh' '
 199         test_must_fail git verify-tag --format="tagname : %(tag)" $(cat forged1.tag) >actual-forged &&
 200         test_must_be_empty actual-forged
 201 '
 202
 203 test_expect_success GPGSSH 'rev-list --format=%G' '
 204         test_config gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" &&
 205         git rev-list -1 --format="%G? %H" sixth-signed >actual &&
 206         cat >expect <<-EOF &&
 207         commit $(git rev-parse sixth-signed^0)
 208         G $(git rev-parse sixth-signed^0)
 209         EOF
 210         test_cmp expect actual
 211 '
 212
 213 test_done