mirrors/git
1
0
Fork 0
mirror of https://github.com/git/git.git synced 2024-11-01 06:47:52 +01:00
Code Activity
git/t/lib-gpg.sh

88 lines
2.9 KiB
Bash
Raw Normal View History

t7004: factor out gpg setup Other test scripts may want to look at or verify signed tags, and the setup is non-trivial. Let's factor this out into lib-gpg.sh for other tests to use. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-09-07 19:42:39 +02:00
#!/bin/sh
lib-gpg.sh: use the $( ... ) construct for command substitution The Git CodingGuidelines prefer the $(...) construct for command substitution instead of using the backquotes `...`. The backquoted form is the traditional method for command substitution, and is supported by POSIX. However, all but the simplest uses become complicated quickly. In particular, embedded command substitutions and/or the use of double quotes require careful escaping with the backslash character. The patch was generated by: for _f in $(find . -name "*.sh") do sed -i 's@`\(.*\)`@$(\1)@g' ${_f} done and then carefully proof-read. Signed-off-by: Elia Pinto <gitter.spiros@gmail.com> Reviewed-by: Matthieu Moy <Matthieu.Moy@imag.fr> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-04-23 15:44:05 +02:00
gpg_version=$(gpg --version 2>&1)
lib-gpg: drop unnecessary "missing GPG" warning When 37d3e85 (t7004: factor out gpg setup, 2011-09-07) pulled gpg detection code out of t7004-tag.sh and turned it into a standard test prerequisite, it added an unconditional "missing GPG" warning when gpg is not detected. However, this is redundant since all tests which require GPG already warn via either 'test_expect_success GPG' ("skipping: missing GPG") on a test-by-test basis, or when skipping all tests in a script ("skipping all foobar tests; missing GPG"). Consequently, the extra warning from lib-gpg.sh is unnecessary, so retire it. Signed-off-by: Eric Sunshine <sunshine@sunshineco.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-03-07 01:10:24 +01:00
if test $? != 127
then
t7004: factor out gpg setup Other test scripts may want to look at or verify signed tags, and the setup is non-trivial. Let's factor this out into lib-gpg.sh for other tests to use. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-09-07 19:42:39 +02:00
# As said here: http://www.gnupg.org/documentation/faqs.html#q6.19
# the gpg version 1.0.6 didn't parse trust packets correctly, so for
# that version, creation of signed tags using the generated key fails.
case "$gpg_version" in
'gpg (GnuPG) 1.0.6'*)
say "Your version of gpg (1.0.6) is too buggy for testing"
;;
*)
tests: make comment on GPG keyring match the code GnuPG homedir is generated on the fly and keys are imported from armored key file. Make comment match available key info and new key generation procedure. Signed-off-by: Christian Hesse <mail@eworm.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-12-16 09:40:05 +01:00
# Available key info:
# * Type DSA and Elgamal, size 2048 bits, no expiration date,
# name and email: C O Mitter <committer@example.com>
# * Type RSA, size 2048 bits, no expiration date,
# name and email: Eris Discordia <discord@example.net>
t7004: factor out gpg setup Other test scripts may want to look at or verify signed tags, and the setup is non-trivial. Let's factor this out into lib-gpg.sh for other tests to use. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-09-07 19:42:39 +02:00
# No password given, to enable non-interactive operation.
tests: make comment on GPG keyring match the code GnuPG homedir is generated on the fly and keys are imported from armored key file. Make comment match available key info and new key generation procedure. Signed-off-by: Christian Hesse <mail@eworm.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-12-16 09:40:05 +01:00
# To generate new key:
# gpg --homedir /tmp/gpghome --gen-key
# To write armored exported key to keyring:
# gpg --homedir /tmp/gpghome --export-secret-keys \
# --armor 0xDEADBEEF >> lib-gpg/keyring.gpg
t/lib-gpg: include separate public keys in keyring.gpg Since 1e3eefb (tests: replace binary GPG keyrings with ASCII-armored keys, 2014-12-12), we import our test GPG keys from a single file. Each keypair in the import stream contains both the secret and public keys. However, older versions of gpg reportedly fail to import the public half of the key. We can solve this by including duplicates of the public keys separately. The duplicates are ignored by modern gpg, and this makes older versions work. Reported by Tom G. Christensen <tgc@statsbiblioteket.dk> on gpg 1.2.6 (from RHEL4). Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-01-29 16:43:20 +01:00
# gpg --homedir /tmp/gpghome --export \
# --armor 0xDEADBEEF >> lib-gpg/keyring.gpg
tests: make comment on GPG keyring match the code GnuPG homedir is generated on the fly and keys are imported from armored key file. Make comment match available key info and new key generation procedure. Signed-off-by: Christian Hesse <mail@eworm.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-12-16 09:40:05 +01:00
# To export ownertrust:
# gpg --homedir /tmp/gpghome --export-ownertrust \
# > lib-gpg/ownertrust
tests: squelch noise from GPG machinery set-up It is distracting to let the GPG message while setting up the test gpghome leak into the test output, especially without running these tests with "-v" option. The splitting of RFC1991 prerequiste part is about future-proofing. When we want to define other kinds of specific prerequisites in the future, we'd prefer to see it done separately from the basic set-up code. Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-12-12 21:33:56 +01:00
mkdir ./gpghome &&
chmod 0700 ./gpghome &&
GNUPGHOME="$(pwd)/gpghome" &&
export GNUPGHOME &&
t/lib-gpg: fix gpgconf stderr redirect to /dev/null In 29ff1f8f74 (t: lib-gpg: flush gpg agent on startup, 2017-07-20), a call to gpgconf was added to kill the gpg-agent. The intention was to ignore all output from the call, but the order of the redirection needs to be switched to ensure that both stdout and stderr are redirected to /dev/null. Without this, gpgconf from gnupg-2.0 releases would output 'gpgconf: invalid option "--kill"' each time it was called. Signed-off-by: Todd Zullinger <tmz@pobox.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-11-13 22:07:45 +01:00
(gpgconf --kill gpg-agent >/dev/null 2>&1 || : ) &&
tests: squelch noise from GPG machinery set-up It is distracting to let the GPG message while setting up the test gpghome leak into the test output, especially without running these tests with "-v" option. The splitting of RFC1991 prerequiste part is about future-proofing. When we want to define other kinds of specific prerequisites in the future, we'd prefer to see it done separately from the basic set-up code. Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-12-12 21:33:56 +01:00
gpg --homedir "${GNUPGHOME}" 2>/dev/null --import \
"$TEST_DIRECTORY"/lib-gpg/keyring.gpg &&
gpg --homedir "${GNUPGHOME}" 2>/dev/null --import-ownertrust \
"$TEST_DIRECTORY"/lib-gpg/ownertrust &&
t/lib-gpg: sanity-check that we can actually sign Some older versions of gpg (reportedly v1.2.6 from RHEL4) cannot import the keyrings found in our test suite, and thus cannot even make a signature. The previous change works it around, but we cannot anticipate breakages update to GPG would cause in the future. Do a test-sign before declaring the GPG prerequisite fulfilled to future-proof our tests. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-01-29 16:51:11 +01:00
gpg --homedir "${GNUPGHOME}" </dev/null >/dev/null 2>&1 \
--sign -u committer@example.com &&
gpg-interface t: extend the existing GPG tests with GPGSM Add test cases to cover the new X509/gpgsm support. Most of them resemble existing ones. They just switch the format to x509 and set the signingkey when creating signatures. Validation of signatures does not need any configuration of git, it does need gpgsm to be configured to trust the key(-chain). Several of the testcases build on top of existing gpg testcases. The commit ships a self-signed key for committer@example.com and configures gpgsm to trust it. Signed-off-by: Henning Schild <henning.schild@siemens.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-07-20 10:28:07 +02:00
test_set_prereq GPG &&
# Available key info:
# * see t/lib-gpg/gpgsm-gen-key.in
# To generate new certificate:
# * no passphrase
# gpgsm --homedir /tmp/gpghome/ \
# -o /tmp/gpgsm.crt.user \
# --generate-key \
# --batch t/lib-gpg/gpgsm-gen-key.in
# To import certificate:
# gpgsm --homedir /tmp/gpghome/ \
# --import /tmp/gpgsm.crt.user
# To export into a .p12 we can later import:
# gpgsm --homedir /tmp/gpghome/ \
# -o t/lib-gpg/gpgsm_cert.p12 \
# --export-secret-key-p12 "committer@example.com"
echo | gpgsm --homedir "${GNUPGHOME}" 2>/dev/null \
--passphrase-fd 0 --pinentry-mode loopback \
--import "$TEST_DIRECTORY"/lib-gpg/gpgsm_cert.p12 &&
tests: standardize pipe placement Instead of using a line-continuation and pipe on the second line, take advantage of the shell's implicit line continuation after a pipe character. So for example, instead of some long line \ | next line use some long line | next line And add a blank line before and after the pipe where it aids readability (it usually does). This better matches the coding style documented in Documentation/CodingGuidelines and used in shell scripts elsewhere in the tree. Signed-off-by: Matthew DeVore <matvore@google.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-05 23:54:03 +02:00
gpgsm --homedir "${GNUPGHOME}" 2>/dev/null -K |
grep fingerprint: |
cut -d" " -f4 |
tr -d '\n' >"${GNUPGHOME}/trustlist.txt" &&
gpg-interface t: extend the existing GPG tests with GPGSM Add test cases to cover the new X509/gpgsm support. Most of them resemble existing ones. They just switch the format to x509 and set the signingkey when creating signatures. Validation of signatures does not need any configuration of git, it does need gpgsm to be configured to trust the key(-chain). Several of the testcases build on top of existing gpg testcases. The commit ships a self-signed key for committer@example.com and configures gpgsm to trust it. Signed-off-by: Henning Schild <henning.schild@siemens.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-07-20 10:28:07 +02:00
echo " S relax" >> ${GNUPGHOME}/trustlist.txt &&
(gpgconf --kill gpg-agent >/dev/null 2>&1 || : ) &&
echo hello | gpgsm --homedir "${GNUPGHOME}" >/dev/null \
-u committer@example.com -o /dev/null --sign - 2>&1 &&
test_set_prereq GPGSM
t7004: factor out gpg setup Other test scripts may want to look at or verify signed tags, and the setup is non-trivial. Let's factor this out into lib-gpg.sh for other tests to use. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-09-07 19:42:39 +02:00
;;
esac
fi
for-each-ref: add split message parts to %(contents:*). The %(body) placeholder returns the whole body of a tag or commit, including the signature. However, callers may want to get just the body without signature, or just the signature. Rather than change the meaning of %(body), which might break some scripts, this patch introduces a new set of placeholders which break down the %(contents) placeholder into its constituent parts. [jk: initial patch by mg, rebased on top of my refactoring and with tests by me] Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-09-07 19:46:08 +02:00
tests: squelch noise from GPG machinery set-up It is distracting to let the GPG message while setting up the test gpghome leak into the test output, especially without running these tests with "-v" option. The splitting of RFC1991 prerequiste part is about future-proofing. When we want to define other kinds of specific prerequisites in the future, we'd prefer to see it done separately from the basic set-up code. Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-12-12 21:33:56 +01:00
if test_have_prereq GPG &&
echo | gpg --homedir "${GNUPGHOME}" -b --rfc1991 >/dev/null 2>&1
then
test_set_prereq RFC1991
fi
for-each-ref: add split message parts to %(contents:*). The %(body) placeholder returns the whole body of a tag or commit, including the signature. However, callers may want to get just the body without signature, or just the signature. Rather than change the meaning of %(body), which might break some scripts, this patch introduces a new set of placeholders which break down the %(contents) placeholder into its constituent parts. [jk: initial patch by mg, rebased on top of my refactoring and with tests by me] Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-09-07 19:46:08 +02:00
sanitize_pgp() {
perl -ne '
/^-----END PGP/ and $in_pgp = 0;
print unless $in_pgp;
/^-----BEGIN PGP/ and $in_pgp = 1;
'
}
Copy permalink