commit 94ff3fb6acdc73dd5e3ecfee1cf41683fc554593 from: Josh Rickmar via: Thomas Adam date: Sun Jul 03 22:15:15 2022 UTC create and verify tags signed by SSH keys This adds a new -s flag to 'got tag' that specifies the signer identity (for example, a key file) of the tagger. The tag object will include a signature that validates each of the tag object headers and the tag message. Verifying these signed tags requires maintaining an allowed signers file which maps signer identities (i.e. the email address of the tagger) to SSH public keys. See ssh-keygen(1) for more details of the allowed signers file. After creating this file and providing the path to it in got.conf(5) using the allowed_signers option, tags may be verified using with 'got tag -V tag_name'. The return code will be non-zero if a signature fails to verify. ok stsp@
commit - c4d68ce0204aead5a093258cb25988e5591fc080
commit + 94ff3fb6acdc73dd5e3ecfee1cf41683fc554593
blob - a813ce9d0611d996aea47e9cdad2d2e328318306
blob + f9e9feb14f2727ae89be67bb9bbc116c3ee8da1e
--- regress/cmdline/tag.sh
+++ regress/cmdline/tag.sh
@@ -331,107 +331,11 @@ test_tag_create_ssh_signed() {
 ret=$?
 if [ $ret -ne 0 ]; then
 echo "got tag command failed unexpectedly"
- diff -u $testroot/stdout.expected $testroot/stdout
- test_done "$testroot" "$ret"
- return 1
- fi
-
- if ! echo "$GOT_STDOUT" | grep -q "^signature: $GOOD_SIG"; then
- echo "got tag command failed to validate signature"
- test_done "$testroot" "1"
- return 1
- fi
-
- # Ensure that Git recognizes and verifies the tag Got has created
- (cd $testroot/repo && git checkout -q $tag)
- ret=$?
- if [ $ret -ne 0 ]; then
- echo "git checkout command failed unexpectedly"
- test_done "$testroot" "$ret"
- return 1
- fi
- (cd $testroot/repo && git config --local gpg.ssh.allowedSignersFile \
- $testroot/allowed_signers)
- GIT_STDERR=$(cd $testroot/repo && git tag -v $tag 2>&1 1>/dev/null)
- if ! echo "$GIT_STDERR" | grep -q "^$GOOD_SIG"; then
- echo "git tag command failed to validate signature"
- test_done "$testroot" "1"
- return 1
- fi
-
- # Ensure Got recognizes the new tag
- got checkout -c $tag $testroot/repo $testroot/wt >/dev/null
- ret=$?
- if [ $ret -ne 0 ]; then
- echo "got checkout command failed unexpectedly"
- test_done "$testroot" "$ret"
- return 1
- fi
-
- # Create a tag based on implied worktree HEAD ref
- (cd $testroot/wt && got tag -m 'test' $tag2 > $testroot/stdout)
- ret=$?
- if [ $ret -ne 0 ]; then
- test_done "$testroot" "$ret"
- return 1
- fi
-
- tag_id2=`got ref -r $testroot/repo -l \
- | grep "^refs/tags/$tag2" | tr -d ' ' | cut -d: -f2`
- echo "Created tag $tag_id2" > $testroot/stdout.expected
- cmp -s $testroot/stdout $testroot/stdout.expected
- ret=$?
- if [ $ret -ne 0 ]; then
 diff -u $testroot/stdout.expected $testroot/stdout
 test_done "$testroot" "$ret"
 return 1
 fi
- (cd $testroot/repo && git checkout -q $tag2)
- ret=$?
- if [ $ret -ne 0 ]; then
- echo "git checkout command failed unexpectedly"
- test_done "$testroot" "$ret"
- return 1
- fi
-
- # Attempt to create a tag pointing at a non-commit
- local tree_id=`git_show_tree $testroot/repo`
- (cd $testroot/wt && got tag -m 'test' -c $tree_id foobar \
- 2> $testroot/stderr)
- ret=$?
- if [ $ret -eq 0 ]; then
- echo "git tag command succeeded unexpectedly"
- test_done "$testroot" "1"
- return 1
- fi
-
- echo "got: commit $tree_id: object not found" \
- > $testroot/stderr.expected
- cmp -s $testroot/stderr $testroot/stderr.expected
- ret=$?
- if [ $ret -ne 0 ]; then
- diff -u $testroot/stderr.expected $testroot/stderr
- test_done "$testroot" "$ret"
- return 1
- fi
-
- got ref -r $testroot/repo -l > $testroot/stdout
- echo "HEAD: $commit_id" > $testroot/stdout.expected
- echo -n "refs/got/worktree/base-" >> $testroot/stdout.expected
- cat $testroot/wt/.got/uuid | tr -d '\n' >> $testroot/stdout.expected
- echo ": $commit_id" >> $testroot/stdout.expected
- echo "refs/heads/master: $commit_id" >> $testroot/stdout.expected
- echo "refs/tags/$tag: $tag_id" >> $testroot/stdout.expected
- echo "refs/tags/$tag2: $tag_id2" >> $testroot/stdout.expected
- cmp -s $testroot/stdout $testroot/stdout.expected
- ret=$?
- if [ $ret -ne 0 ]; then
- diff -u $testroot/stdout.expected $testroot/stdout
- fi
- test_done "$testroot" "$ret"
-}
-
 test_tag_create_ssh_signed_missing_key() {
 local testroot=`test_init tag_create`
 local commit_id=`git_show_head $testroot/repo`