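#!/bin/sh
#
# Exercises `git verify-tag` against GPG-signed, unsigned and tampered tags.
#
# Every test carries the GPG prerequisite as its first argument
# (presumably set up by lib-gpg.sh -- confirm there).
#
# What the suite pins down:
#   * signed tags (-s / -u) verify and report a good signature;
#   * annotated-only (-a) and lightweight tags fail verification, even when
#     the commit they point at was itself signed (-S or commit.gpgsign);
#   * a tag object whose message was edited after signing is rejected;
#   * a good signature from the alternate key B7227189 still exits 0, and
#     the missing trust shows up only in the output.

test_description='signed tag tests'
. ./test-lib.sh
. "$TEST_DIRECTORY/lib-gpg.sh"

# Build the history and the tags that the later tests verify.
# Naming: *-signed and the plain names initial/second/merge are created with
# -s (or -u for the alternate key); *-unsigned are created with -a or with
# no option at all.
test_expect_success GPG 'create signed tags' '
	echo 1 >file && git add file &&
	test_tick && git commit -m initial &&
	git tag -s -m initial initial &&
	git branch side &&

	echo 2 >file && test_tick && git commit -a -m second &&
	git tag -s -m second second &&

	git checkout side &&
	echo 3 >elif && git add elif &&
	test_tick && git commit -m "third on side" &&

	git checkout master &&
	test_tick && git merge -S side &&
	git tag -s -m merge merge &&

	# signed commit, annotated but unsigned tag
	echo 4 >file && test_tick && git commit -a -S -m "fourth unsigned" &&
	git tag -a -m fourth-unsigned fourth-unsigned &&

	test_tick && git commit --amend -S -m "fourth signed" &&
	git tag -s -m fourth fourth-signed &&

	# lightweight tag: there is no tag object to carry a signature
	echo 5 >file && test_tick && git commit -a -m "fifth" &&
	git tag fifth-unsigned &&

	# commit.gpgsign affects commits only; the -a tag stays unsigned
	git config commit.gpgsign true &&
	echo 6 >file && test_tick && git commit -a -m "sixth" &&
	git tag -a -m sixth sixth-unsigned &&

	test_tick && git rebase -f HEAD^^ && git tag -s -m 6th sixth-signed HEAD^ &&
	git tag -m seventh -s seventh-signed &&

	# signed with the alternate key selected by -u
	echo 8 >file && test_tick && git commit -a -m eighth &&
	git tag -uB7227189 -m eighth eighth-signed-alt
'

# Human-readable gpg output, captured from stderr.
# Each group runs in a subshell so that `exit 1` fails only that group.
test_expect_success GPG 'verify and show signatures' '
	(
		for tag in initial second merge fourth-signed sixth-signed seventh-signed
		do
			git verify-tag "$tag" 2>actual &&
			grep "Good signature from" actual &&
			! grep "BAD signature from" actual &&
			echo "$tag" OK || exit 1
		done
	) &&
	(
		# Unsigned tags must fail, and must not report a signature of
		# either kind.
		for tag in fourth-unsigned fifth-unsigned sixth-unsigned
		do
			test_must_fail git verify-tag "$tag" 2>actual &&
			! grep "Good signature from" actual &&
			! grep "BAD signature from" actual &&
			echo "$tag" OK || exit 1
		done
	) &&
	(
		# Good signature from the alternate key: the command still
		# succeeds, and "not certified" in the output is the only sign
		# that the key has no established trust. The exit status alone
		# is therefore not a trust decision.
		for tag in eighth-signed-alt
		do
			git verify-tag "$tag" 2>actual &&
			grep "Good signature from" actual &&
			! grep "BAD signature from" actual &&
			grep "not certified" actual &&
			echo "$tag" OK || exit 1
		done
	)
'

# Tamper check: copy the signed tag object, change its message while leaving
# the signature block as it was, store the result as a new tag object, and
# require verification to fail with a BAD signature report.
test_expect_success GPG 'detect fudged signature' '
	git cat-file tag seventh-signed >raw &&
	sed -e "s/seventh/7th forged/" raw >forged1 &&
	git hash-object -w -t tag forged1 >forged1.tag &&
	test_must_fail git verify-tag "$(cat forged1.tag)" 2>actual1 &&
	grep "BAD signature from" actual1 &&
	! grep "Good signature from" actual1
'

# Same three groups as above, checked against the status keywords that
# --raw prints (GOODSIG / BADSIG / TRUST_UNDEFINED) instead of the
# human-readable text.
test_expect_success GPG 'verify signatures with --raw' '
	(
		for tag in initial second merge fourth-signed sixth-signed seventh-signed
		do
			git verify-tag --raw "$tag" 2>actual &&
			grep "GOODSIG" actual &&
			! grep "BADSIG" actual &&
			echo "$tag" OK || exit 1
		done
	) &&
	(
		for tag in fourth-unsigned fifth-unsigned sixth-unsigned
		do
			test_must_fail git verify-tag --raw "$tag" 2>actual &&
			! grep "GOODSIG" actual &&
			! grep "BADSIG" actual &&
			echo "$tag" OK || exit 1
		done
	) &&
	(
		# Valid signature, key of undefined trust: exit status is 0 and
		# TRUST_UNDEFINED is what a caller has to look for.
		for tag in eighth-signed-alt
		do
			git verify-tag --raw "$tag" 2>actual &&
			grep "GOODSIG" actual &&
			! grep "BADSIG" actual &&
			grep "TRUST_UNDEFINED" actual &&
			echo "$tag" OK || exit 1
		done
	)
'

# One verify-tag call with several tags must produce the same output as one
# call per tag.
#
# stderr is captured raw in *.stderr.1 and then filtered down to the
# "[GNUPG:]" status lines in *.stderr, which is what test_cmp compares.
# Without the two redirections on the grep lines, expect.stderr and
# actual.stderr are never written and grep reads files that do not exist.
test_expect_success GPG 'verify multiple tags' '
	tags="fourth-signed sixth-signed seventh-signed" &&
	for i in $tags
	do
		git verify-tag -v --raw "$i" || return 1
	done >expect.stdout 2>expect.stderr.1 &&
	grep "^.GNUPG:." <expect.stderr.1 >expect.stderr &&
	# $tags stays unquoted on purpose: it must split into three arguments
	git verify-tag -v --raw $tags >actual.stdout 2>actual.stderr.1 &&
	grep "^.GNUPG:." <actual.stderr.1 >actual.stderr &&
	test_cmp expect.stdout actual.stdout &&
	test_cmp expect.stderr actual.stderr
'

test_done
(CommandList children: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:test_description) op: Equal rhs: {(SQ <"signed tag tests">)} spids: [4] ) ] spids: [4] ) (C {(.)} {(./test-lib.sh)}) (C {(.)} {(DQ ($ VSub_Name "$TEST_DIRECTORY") (/lib-gpg.sh))}) (C {(test_expect_success)} {(GPG)} {(SQ <"create signed tags">)} { (SQ <"\n"> <"\techo 1 >file && git add file &&\n"> <"\ttest_tick && git commit -m initial &&\n"> <"\tgit tag -s -m initial initial &&\n"> <"\tgit branch side &&\n"> <"\n"> <"\techo 2 >file && test_tick && git commit -a -m second &&\n"> <"\tgit tag -s -m second second &&\n"> <"\n"> <"\tgit checkout side &&\n"> <"\techo 3 >elif && git add elif &&\n"> <"\ttest_tick && git commit -m \"third on side\" &&\n"> <"\n"> <"\tgit checkout master &&\n"> <"\ttest_tick && git merge -S side &&\n"> <"\tgit tag -s -m merge merge &&\n"> <"\n"> <"\techo 4 >file && test_tick && git commit -a -S -m \"fourth unsigned\" &&\n"> <"\tgit tag -a -m fourth-unsigned fourth-unsigned &&\n"> <"\n"> <"\ttest_tick && git commit --amend -S -m \"fourth signed\" &&\n"> <"\tgit tag -s -m fourth fourth-signed &&\n"> <"\n"> <"\techo 5 >file && test_tick && git commit -a -m \"fifth\" &&\n"> <"\tgit tag fifth-unsigned &&\n"> <"\n"> <"\tgit config commit.gpgsign true &&\n"> <"\techo 6 >file && test_tick && git commit -a -m \"sixth\" &&\n"> <"\tgit tag -a -m sixth sixth-unsigned &&\n"> <"\n"> <"\ttest_tick && git rebase -f HEAD^^ && git tag -s -m 6th sixth-signed HEAD^ &&\n"> <"\tgit tag -m seventh -s seventh-signed &&\n"> <"\n"> <"\techo 8 >file && test_tick && git commit -a -m eighth &&\n"> <"\tgit tag -uB7227189 -m eighth eighth-signed-alt\n"> ) } ) (C {(test_expect_success)} {(GPG)} {(SQ <"verify and show signatures">)} { (SQ <"\n"> <"\t(\n"> <"\t\tfor tag in initial second merge fourth-signed sixth-signed seventh-signed\n"> <"\t\tdo\n"> <"\t\t\tgit verify-tag 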
$tag 2>actual &&\n"> <"\t\t\tgrep \"Good signature from\" actual &&\n"> <"\t\t\t! grep \"BAD signature from\" actual &&\n"> <"\t\t\techo $tag OK || exit 1\n"> <"\t\tdone\n"> <"\t) &&\n"> <"\t(\n"> <"\t\tfor tag in fourth-unsigned fifth-unsigned sixth-unsigned\n"> <"\t\tdo\n"> <"\t\t\ttest_must_fail git verify-tag $tag 2>actual &&\n"> <"\t\t\t! grep \"Good signature from\" actual &&\n"> <"\t\t\t! grep \"BAD signature from\" actual &&\n"> <"\t\t\techo $tag OK || exit 1\n"> <"\t\tdone\n"> <"\t) &&\n"> <"\t(\n"> <"\t\tfor tag in eighth-signed-alt\n"> <"\t\tdo\n"> <"\t\t\tgit verify-tag $tag 2>actual &&\n"> <"\t\t\tgrep \"Good signature from\" actual &&\n"> <"\t\t\t! grep \"BAD signature from\" actual &&\n"> <"\t\t\tgrep \"not certified\" actual &&\n"> <"\t\t\techo $tag OK || exit 1\n"> <"\t\tdone\n"> <"\t)\n"> ) } ) (C {(test_expect_success)} {(GPG)} {(SQ <"detect fudged signature">)} { (SQ <"\n"> <"\tgit cat-file tag seventh-signed >raw &&\n"> <"\tsed -e \"s/seventh/7th forged/\" raw >forged1 &&\n"> <"\tgit hash-object -w -t tag forged1 >forged1.tag &&\n"> <"\ttest_must_fail git verify-tag $(cat forged1.tag) 2>actual1 &&\n"> <"\tgrep \"BAD signature from\" actual1 &&\n"> <"\t! grep \"Good signature from\" actual1\n"> ) } ) (C {(test_expect_success)} {(GPG)} {(SQ <"verify signatures with --raw">)} { (SQ <"\n"> <"\t(\n"> <"\t\tfor tag in initial second merge fourth-signed sixth-signed seventh-signed\n"> <"\t\tdo\n"> <"\t\t\tgit verify-tag --raw $tag 2>actual &&\n"> <"\t\t\tgrep \"GOODSIG\" actual &&\n"> <"\t\t\t! grep \"BADSIG\" actual &&\n"> <"\t\t\techo $tag OK || exit 1\n"> <"\t\tdone\n"> <"\t) &&\n"> <"\t(\n"> <"\t\tfor tag in fourth-unsigned fifth-unsigned sixth-unsigned\n"> <"\t\tdo\n"> <"\t\t\ttest_must_fail git verify-tag --raw $tag 2>actual &&\n"> <"\t\t\t! grep \"GOODSIG\" actual &&\n"> <"\t\t\t! 
grep \"BADSIG\" actual &&\n"> <"\t\t\techo $tag OK || exit 1\n"> <"\t\tdone\n"> <"\t) &&\n"> <"\t(\n"> <"\t\tfor tag in eighth-signed-alt\n"> <"\t\tdo\n"> <"\t\t\tgit verify-tag --raw $tag 2>actual &&\n"> <"\t\t\tgrep \"GOODSIG\" actual &&\n"> <"\t\t\t! grep \"BADSIG\" actual &&\n"> <"\t\t\tgrep \"TRUST_UNDEFINED\" actual &&\n"> <"\t\t\techo $tag OK || exit 1\n"> <"\t\tdone\n"> <"\t)\n"> ) } ) (C {(test_expect_success)} {(GPG)} {(SQ <"verify multiple tags">)} { (SQ <"\n"> <"\ttags=\"fourth-signed sixth-signed seventh-signed\" &&\n"> <"\tfor i in $tags\n"> <"\tdo\n"> <"\t\tgit verify-tag -v --raw $i || return 1\n"> <"\tdone >expect.stdout 2>expect.stderr.1 &&\n"> <"\tgrep \"^.GNUPG:.\" expect.stderr &&\n"> <"\tgit verify-tag -v --raw $tags >actual.stdout 2>actual.stderr.1 &&\n"> <"\tgrep \"^.GNUPG:.\" actual.stderr &&\n"> <"\ttest_cmp expect.stdout actual.stdout &&\n"> <"\ttest_cmp expect.stderr actual.stderr\n"> ) } ) (C {(test_done)}) ] )