(CommandList
  children: [
    (Assignment
      keyword: Assign_None
      pairs: [
        (assign_pair
          lhs: (LhsName name:test_description)
          op: Equal
          rhs: {(SQ <'signed tag tests'>)}
          spids: [4]
        )
      ]
      spids: [4]
    )
    (C {(.)} {(./test-lib.sh)})
    (C {(.)} {(DQ ($ VSub_Name '$TEST_DIRECTORY') (/lib-gpg.sh))})
    (C {(test_expect_success)} {(GPG)} {(SQ <'create signed tags'>)} 
      {
        (SQ <'\n'> <'\techo 1 >file && git add file &&\n'> 
          <'\ttest_tick && git commit -m initial &&\n'> <'\tgit tag -s -m initial initial &&\n'> <'\tgit branch side &&\n'> <'\n'> 
          <'\techo 2 >file && test_tick && git commit -a -m second &&\n'> <'\tgit tag -s -m second second &&\n'> <'\n'> <'\tgit checkout side &&\n'> 
          <'\techo 3 >elif && git add elif &&\n'> <'\ttest_tick && git commit -m "third on side" &&\n'> <'\n'> <'\tgit checkout master &&\n'> 
          <'\ttest_tick && git merge -S side &&\n'> <'\tgit tag -s -m merge merge &&\n'> <'\n'> 
          <'\techo 4 >file && test_tick && git commit -a -S -m "fourth unsigned" &&\n'> <'\tgit tag -a -m fourth-unsigned fourth-unsigned &&\n'> <'\n'> 
          <'\ttest_tick && git commit --amend -S -m "fourth signed" &&\n'> <'\tgit tag -s -m fourth fourth-signed &&\n'> <'\n'> 
          <'\techo 5 >file && test_tick && git commit -a -m "fifth" &&\n'> <'\tgit tag fifth-unsigned &&\n'> <'\n'> <'\tgit config commit.gpgsign true &&\n'> 
          <'\techo 6 >file && test_tick && git commit -a -m "sixth" &&\n'> <'\tgit tag -a -m sixth sixth-unsigned &&\n'> <'\n'> 
          <'\ttest_tick && git rebase -f HEAD^^ && git tag -s -m 6th sixth-signed HEAD^ &&\n'> <'\tgit tag -m seventh -s seventh-signed &&\n'> <'\n'> 
          <'\techo 8 >file && test_tick && git commit -a -m eighth &&\n'> <'\tgit tag -uB7227189 -m eighth eighth-signed-alt\n'>
        )
      }
    )
    (C {(test_expect_success)} {(GPG)} {(SQ <'verify and show signatures'>)} 
      {
        (SQ <'\n'> <'\t(\n'> 
          <'\t\tfor tag in initial second merge fourth-signed sixth-signed seventh-signed\n'> <'\t\tdo\n'> <'\t\t\tgit verify-tag $tag 2>actual &&\n'> 
          <'\t\t\tgrep "Good signature from" actual &&\n'> <'\t\t\t! grep "BAD signature from" actual &&\n'> <'\t\t\techo $tag OK || exit 1\n'> <'\t\tdone\n'> 
          <'\t) &&\n'> <'\t(\n'> <'\t\tfor tag in fourth-unsigned fifth-unsigned sixth-unsigned\n'> <'\t\tdo\n'> 
          <'\t\t\ttest_must_fail git verify-tag $tag 2>actual &&\n'> <'\t\t\t! grep "Good signature from" actual &&\n'> <'\t\t\t! grep "BAD signature from" actual &&\n'> 
          <'\t\t\techo $tag OK || exit 1\n'> <'\t\tdone\n'> <'\t) &&\n'> <'\t(\n'> <'\t\tfor tag in eighth-signed-alt\n'> <'\t\tdo\n'> 
          <'\t\t\tgit verify-tag $tag 2>actual &&\n'> <'\t\t\tgrep "Good signature from" actual &&\n'> <'\t\t\t! grep "BAD signature from" actual &&\n'> 
          <'\t\t\tgrep "not certified" actual &&\n'> <'\t\t\techo $tag OK || exit 1\n'> <'\t\tdone\n'> <'\t)\n'>
        )
      }
    )
    (C {(test_expect_success)} {(GPG)} {(SQ <'detect fudged signature'>)} 
      {
        (SQ <'\n'> <'\tgit cat-file tag seventh-signed >raw &&\n'> 
          <'\tsed -e "s/seventh/7th forged/" raw >forged1 &&\n'> <'\tgit hash-object -w -t tag forged1 >forged1.tag &&\n'> 
          <'\ttest_must_fail git verify-tag $(cat forged1.tag) 2>actual1 &&\n'> <'\tgrep "BAD signature from" actual1 &&\n'> <'\t! grep "Good signature from" actual1\n'>
        )
      }
    )
    (C {(test_expect_success)} {(GPG)} {(SQ <'verify signatures with --raw'>)} 
      {
        (SQ <'\n'> <'\t(\n'> 
          <'\t\tfor tag in initial second merge fourth-signed sixth-signed seventh-signed\n'> <'\t\tdo\n'> <'\t\t\tgit verify-tag --raw $tag 2>actual &&\n'> <'\t\t\tgrep "GOODSIG" actual &&\n'> 
          <'\t\t\t! grep "BADSIG" actual &&\n'> <'\t\t\techo $tag OK || exit 1\n'> <'\t\tdone\n'> <'\t) &&\n'> <'\t(\n'> 
          <'\t\tfor tag in fourth-unsigned fifth-unsigned sixth-unsigned\n'> <'\t\tdo\n'> <'\t\t\ttest_must_fail git verify-tag --raw $tag 2>actual &&\n'> 
          <'\t\t\t! grep "GOODSIG" actual &&\n'> <'\t\t\t! grep "BADSIG" actual &&\n'> <'\t\t\techo $tag OK || exit 1\n'> <'\t\tdone\n'> <'\t) &&\n'> 
          <'\t(\n'> <'\t\tfor tag in eighth-signed-alt\n'> <'\t\tdo\n'> <'\t\t\tgit verify-tag --raw $tag 2>actual &&\n'> 
          <'\t\t\tgrep "GOODSIG" actual &&\n'> <'\t\t\t! grep "BADSIG" actual &&\n'> <'\t\t\tgrep "TRUST_UNDEFINED" actual &&\n'> 
          <'\t\t\techo $tag OK || exit 1\n'> <'\t\tdone\n'> <'\t)\n'>
        )
      }
    )
    (C {(test_expect_success)} {(GPG)} {(SQ <'verify multiple tags'>)} 
      {
        (SQ <'\n'> <'\ttags="fourth-signed sixth-signed seventh-signed" &&\n'> <'\tfor i in $tags\n'> 
          <'\tdo\n'> <'\t\tgit verify-tag -v --raw $i || return 1\n'> <'\tdone >expect.stdout 2>expect.stderr.1 &&\n'> 
          <'\tgrep "^.GNUPG:." <expect.stderr.1 >expect.stderr &&\n'> <'\tgit verify-tag -v --raw $tags >actual.stdout 2>actual.stderr.1 &&\n'> 
          <'\tgrep "^.GNUPG:." <actual.stderr.1 >actual.stderr &&\n'> <'\ttest_cmp expect.stdout actual.stdout &&\n'> <'\ttest_cmp expect.stderr actual.stderr\n'>
        )
      }
    )
    (C {(test_done)})
  ]
)