averello/git-mirror
1
0
Fork 0
mirror of https://github.com/git/git.git synced 2025-12-12 20:36:24 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'cc/fast-import-strip-if-invalid'

Browse Source 
"git fast-import" learns "--strip-if-invalid" option to drop
invalid cryptographic signature from objects.

* cc/fast-import-strip-if-invalid:
  fast-import: add 'strip-if-invalid' mode to --signed-commits=<mode>
  commit: refactor verify_commit_buffer()
  fast-import: refactor finalize_commit_buffer()
This commit is contained in:
Junio C Hamano
2025-12-05 14:49:58 +09:00
parent 85f99338e1 c20f112e51
commit 1b40ddc1a5
8 changed files with 205 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
Documentation/git-fast-import.adoc
View File

@@ -66,15 +66,26 @@ fast-import stream! This option is enabled automatically for
remote-helpers that use the `import` capability, as they are remote-helpers that use the `import` capability, as they are
already trusted to run their own code. already trusted to run their own code.
--signed-tags=(verbatim|warn-verbatim|warn-strip|strip|abort):: `--signed-tags=(verbatim|warn-verbatim|warn-strip|strip|abort)`::
Specify how to handle signed tags. Behaves in the same way Specify how to handle signed tags. Behaves in the same way as
as the same option in linkgit:git-fast-export[1], except that the `--signed-commits=<mode>` below, except that the
default is 'verbatim' (instead of 'abort'). `strip-if-invalid` mode is not yet supported. Like for signed
commits, the default mode is `verbatim`.
--signed-commits=(verbatim|warn-verbatim|warn-strip|strip|abort):: `--signed-commits=<mode>`::
Specify how to handle signed commits. Behaves in the same way Specify how to handle signed commits. The following <mode>s
as the same option in linkgit:git-fast-export[1], except that are supported:
default is 'verbatim' (instead of 'abort'). +
* `verbatim`, which is the default, will silently import commit
signatures.
* `warn-verbatim` will import them, but will display a warning.
* `abort` will make this program die when encountering a signed
commit.
* `strip` will silently make the commits unsigned.
* `warn-strip` will make them unsigned, but will display a warning.
* `strip-if-invalid` will check signatures and, if they are invalid,
will strip them and display a warning. The validation is performed
in the same way as linkgit:git-verify-commit[1] does it.
Options for Frontends Options for Frontends
~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~

36
builtin/fast-export.c
View File

@@ -797,10 +797,7 @@ static void handle_commit(struct commit *commit, struct rev_info *rev,
(int)(committer_end - committer), committer); (int)(committer_end - committer), committer);
if (signatures.nr) { if (signatures.nr) {
switch (signed_commit_mode) { switch (signed_commit_mode) {
case SIGN_ABORT: /* Exporting modes */
die(_("encountered signed commit %s; use "
"--signed-commits=<mode> to handle it"),
oid_to_hex(&commit->object.oid));
case SIGN_WARN_VERBATIM: case SIGN_WARN_VERBATIM:
warning(_("exporting %"PRIuMAX" signature(s) for commit %s"), warning(_("exporting %"PRIuMAX" signature(s) for commit %s"),
(uintmax_t)signatures.nr, oid_to_hex(&commit->object.oid)); (uintmax_t)signatures.nr, oid_to_hex(&commit->object.oid));
@@ -811,12 +808,25 @@ static void handle_commit(struct commit *commit, struct rev_info *rev,
print_signature(item->string, item->util); print_signature(item->string, item->util);
} }
break; break;
/* Stripping modes */
case SIGN_WARN_STRIP: case SIGN_WARN_STRIP:
warning(_("stripping signature(s) from commit %s"), warning(_("stripping signature(s) from commit %s"),
oid_to_hex(&commit->object.oid)); oid_to_hex(&commit->object.oid));
/* fallthru */ /* fallthru */
case SIGN_STRIP: case SIGN_STRIP:
break; break;
/* Aborting modes */
case SIGN_ABORT:
die(_("encountered signed commit %s; use "
"--signed-commits=<mode> to handle it"),
oid_to_hex(&commit->object.oid));
case SIGN_STRIP_IF_INVALID:
die(_("'strip-if-invalid' is not a valid mode for "
"git fast-export with --signed-commits=<mode>"));
default:
BUG("invalid signed_commit_mode value %d", signed_commit_mode);
} }
string_list_clear(&signatures, 0); string_list_clear(&signatures, 0);
} }
@@ -935,16 +945,15 @@ static void handle_tag(const char *name, struct tag *tag)
size_t sig_offset = parse_signed_buffer(message, message_size); size_t sig_offset = parse_signed_buffer(message, message_size);
if (sig_offset < message_size) if (sig_offset < message_size)
switch (signed_tag_mode) { switch (signed_tag_mode) {
case SIGN_ABORT: /* Exporting modes */
die(_("encountered signed tag %s; use "
"--signed-tags=<mode> to handle it"),
oid_to_hex(&tag->object.oid));
case SIGN_WARN_VERBATIM: case SIGN_WARN_VERBATIM:
warning(_("exporting signed tag %s"), warning(_("exporting signed tag %s"),
oid_to_hex(&tag->object.oid)); oid_to_hex(&tag->object.oid));
/* fallthru */ /* fallthru */
case SIGN_VERBATIM: case SIGN_VERBATIM:
break; break;
/* Stripping modes */
case SIGN_WARN_STRIP: case SIGN_WARN_STRIP:
warning(_("stripping signature from tag %s"), warning(_("stripping signature from tag %s"),
oid_to_hex(&tag->object.oid)); oid_to_hex(&tag->object.oid));
@@ -952,6 +961,17 @@ static void handle_tag(const char *name, struct tag *tag)
case SIGN_STRIP: case SIGN_STRIP:
message_size = sig_offset; message_size = sig_offset;
break; break;
/* Aborting modes */
case SIGN_ABORT:
die(_("encountered signed tag %s; use "
"--signed-tags=<mode> to handle it"),
oid_to_hex(&tag->object.oid));
case SIGN_STRIP_IF_INVALID:
die(_("'strip-if-invalid' is not a valid mode for "
"git fast-export with --signed-tags=<mode>"));
default:
BUG("invalid signed_commit_mode value %d", signed_commit_mode);
} }
} }

74
builtin/fast-import.c
View File

@@ -2772,7 +2772,7 @@ static void add_gpgsig_to_commit(struct strbuf *commit_data,
{ {
struct string_list siglines = STRING_LIST_INIT_NODUP; struct string_list siglines = STRING_LIST_INIT_NODUP;
if (!sig->hash_algo) if (!sig || !sig->hash_algo)
return; return;
strbuf_addstr(commit_data, header); strbuf_addstr(commit_data, header);
@@ -2815,6 +2815,57 @@ static void import_one_signature(struct signature_data *sig_sha1,
die(_("parse_one_signature() returned unknown hash algo")); die(_("parse_one_signature() returned unknown hash algo"));
} }
static void finalize_commit_buffer(struct strbuf *new_data,
struct signature_data *sig_sha1,
struct signature_data *sig_sha256,
struct strbuf *msg)
{
add_gpgsig_to_commit(new_data, "gpgsig ", sig_sha1);
add_gpgsig_to_commit(new_data, "gpgsig-sha256 ", sig_sha256);
strbuf_addch(new_data, '\n');
strbuf_addbuf(new_data, msg);
}
static void handle_strip_if_invalid(struct strbuf *new_data,
struct signature_data *sig_sha1,
struct signature_data *sig_sha256,
struct strbuf *msg)
{
struct strbuf tmp_buf = STRBUF_INIT;
struct signature_check signature_check = { 0 };
int ret;
/* Check signature in a temporary commit buffer */
strbuf_addbuf(&tmp_buf, new_data);
finalize_commit_buffer(&tmp_buf, sig_sha1, sig_sha256, msg);
ret = verify_commit_buffer(tmp_buf.buf, tmp_buf.len, &signature_check);
if (ret) {
const char *signer = signature_check.signer ?
signature_check.signer : _("unknown");
const char *subject;
int subject_len = find_commit_subject(msg->buf, &subject);
if (subject_len > 100)
warning(_("stripping invalid signature for commit '%.100s...'\n"
" allegedly by %s"), subject, signer);
else if (subject_len > 0)
warning(_("stripping invalid signature for commit '%.*s'\n"
" allegedly by %s"), subject_len, subject, signer);
else
warning(_("stripping invalid signature for commit\n"
" allegedly by %s"), signer);
finalize_commit_buffer(new_data, NULL, NULL, msg);
} else {
strbuf_swap(new_data, &tmp_buf);
}
signature_check_clear(&signature_check);
strbuf_release(&tmp_buf);
}
static void parse_new_commit(const char *arg) static void parse_new_commit(const char *arg)
{ {
static struct strbuf msg = STRBUF_INIT; static struct strbuf msg = STRBUF_INIT;
@@ -2866,6 +2917,7 @@ static void parse_new_commit(const char *arg)
warning(_("importing a commit signature verbatim")); warning(_("importing a commit signature verbatim"));
/* fallthru */ /* fallthru */
case SIGN_VERBATIM: case SIGN_VERBATIM:
case SIGN_STRIP_IF_INVALID:
import_one_signature(&sig_sha1, &sig_sha256, v); import_one_signature(&sig_sha1, &sig_sha256, v);
break; break;
@@ -2950,11 +3002,12 @@ static void parse_new_commit(const char *arg)
"encoding %s\n", "encoding %s\n",
encoding); encoding);
add_gpgsig_to_commit(&new_data, "gpgsig ", &sig_sha1); if (signed_commit_mode == SIGN_STRIP_IF_INVALID &&
add_gpgsig_to_commit(&new_data, "gpgsig-sha256 ", &sig_sha256); (sig_sha1.hash_algo || sig_sha256.hash_algo))
handle_strip_if_invalid(&new_data, &sig_sha1, &sig_sha256, &msg);
else
finalize_commit_buffer(&new_data, &sig_sha1, &sig_sha256, &msg);
strbuf_addch(&new_data, '\n');
strbuf_addbuf(&new_data, &msg);
free(author); free(author);
free(committer); free(committer);
free(encoding); free(encoding);
@@ -2975,9 +3028,6 @@ static void handle_tag_signature(struct strbuf *msg, const char *name)
switch (signed_tag_mode) { switch (signed_tag_mode) {
/* First, modes that don't change anything */ /* First, modes that don't change anything */
case SIGN_ABORT:
die(_("encountered signed tag; use "
"--signed-tags=<mode> to handle it"));
case SIGN_WARN_VERBATIM: case SIGN_WARN_VERBATIM:
warning(_("importing a tag signature verbatim for tag '%s'"), name); warning(_("importing a tag signature verbatim for tag '%s'"), name);
/* fallthru */ /* fallthru */
@@ -2994,7 +3044,13 @@ static void handle_tag_signature(struct strbuf *msg, const char *name)
strbuf_setlen(msg, sig_offset); strbuf_setlen(msg, sig_offset);
break; break;
/* Third, BUG */ /* Third, aborting modes */
case SIGN_ABORT:
die(_("encountered signed tag; use "
"--signed-tags=<mode> to handle it"));
case SIGN_STRIP_IF_INVALID:
die(_("'strip-if-invalid' is not a valid mode for "
"git fast-import with --signed-tags=<mode>"));
default: default:
BUG("invalid signed_tag_mode value %d from tag '%s'", BUG("invalid signed_tag_mode value %d from tag '%s'",
signed_tag_mode, name); signed_tag_mode, name);

17
commit.c
View File

@@ -1315,7 +1315,8 @@ free_return:
free(buf); free(buf);
} }
int check_commit_signature(const struct commit *commit, struct signature_check *sigc) int verify_commit_buffer(const char *buffer, size_t size,
struct signature_check *sigc)
{ {
struct strbuf payload = STRBUF_INIT; struct strbuf payload = STRBUF_INIT;
struct strbuf signature = STRBUF_INIT; struct strbuf signature = STRBUF_INIT;
@@ -1323,7 +1324,8 @@ int check_commit_signature(const struct commit *commit, struct signature_check *
sigc->result = 'N'; sigc->result = 'N';
if (parse_signed_commit(commit, &payload, &signature, the_hash_algo) <= 0) if (parse_buffer_signed_by_header(buffer, size, &payload,
&signature, the_hash_algo) <= 0)
goto out; goto out;
sigc->payload_type = SIGNATURE_PAYLOAD_COMMIT; sigc->payload_type = SIGNATURE_PAYLOAD_COMMIT;
@@ -1337,6 +1339,17 @@ int check_commit_signature(const struct commit *commit, struct signature_check *
return ret; return ret;
} }
int check_commit_signature(const struct commit *commit, struct signature_check *sigc)
{
unsigned long size;
const char *buffer = repo_get_commit_buffer(the_repository, commit, &size);
int ret = verify_commit_buffer(buffer, size, sigc);
repo_unuse_commit_buffer(the_repository, commit, buffer);
return ret;
}
void verify_merge_signature(struct commit *commit, int verbosity, void verify_merge_signature(struct commit *commit, int verbosity,
int check_trust) int check_trust)
{ {

7
commit.h
View File

@@ -333,6 +333,13 @@ int remove_signature(struct strbuf *buf);
*/ */
int check_commit_signature(const struct commit *commit, struct signature_check *sigc); int check_commit_signature(const struct commit *commit, struct signature_check *sigc);
/*
* Same as check_commit_signature() but accepts a commit buffer and
* its size, instead of a `struct commit *`.
*/
int verify_commit_buffer(const char *buffer, size_t size,
struct signature_check *sigc);
/* record author-date for each commit object */ /* record author-date for each commit object */
struct author_date_slab; struct author_date_slab;
void record_author_date(struct author_date_slab *author_date, void record_author_date(struct author_date_slab *author_date,

2
gpg-interface.c
View File

@@ -1154,6 +1154,8 @@ int parse_sign_mode(const char *arg, enum sign_mode *mode)
*mode = SIGN_WARN_STRIP; *mode = SIGN_WARN_STRIP;
else if (!strcmp(arg, "strip")) else if (!strcmp(arg, "strip"))
*mode = SIGN_STRIP; *mode = SIGN_STRIP;
else if (!strcmp(arg, "strip-if-invalid"))
*mode = SIGN_STRIP_IF_INVALID;
else else
return -1; return -1;
return 0; return 0;

1
gpg-interface.h
View File

@@ -111,6 +111,7 @@ enum sign_mode {
SIGN_VERBATIM, SIGN_VERBATIM,
SIGN_WARN_STRIP, SIGN_WARN_STRIP,
SIGN_STRIP, SIGN_STRIP,
SIGN_STRIP_IF_INVALID,
}; };
/* /*

69
t/t9305-fast-import-signatures.sh
View File

@@ -79,7 +79,7 @@ test_expect_success GPG 'setup a commit with dual OpenPGP signatures on its SHA-
echo B >explicit-sha256/B && echo B >explicit-sha256/B &&
git -C explicit-sha256 add B && git -C explicit-sha256 add B &&
test_tick && test_tick &&
git -C explicit-sha256 commit -S -m "signed" B && git -C explicit-sha256 commit -S -m "signed commit" B &&
SHA256_B=$(git -C explicit-sha256 rev-parse dual-signed) && SHA256_B=$(git -C explicit-sha256 rev-parse dual-signed) &&
# Create the corresponding SHA-1 commit # Create the corresponding SHA-1 commit
@@ -103,4 +103,71 @@ test_expect_success GPG 'strip both OpenPGP signatures with --signed-commits=war
test_line_count = 2 out test_line_count = 2 out
' '
test_expect_success GPG 'import commit with no signature with --signed-commits=strip-if-invalid' '
git fast-export main >output &&
git -C new fast-import --quiet --signed-commits=strip-if-invalid <output >log 2>&1 &&
test_must_be_empty log
'
test_expect_success GPG 'keep valid OpenPGP signature with --signed-commits=strip-if-invalid' '
rm -rf new &&
git init new &&
git fast-export --signed-commits=verbatim openpgp-signing >output &&
git -C new fast-import --quiet --signed-commits=strip-if-invalid <output >log 2>&1 &&
IMPORTED=$(git -C new rev-parse --verify refs/heads/openpgp-signing) &&
test $OPENPGP_SIGNING = $IMPORTED &&
git -C new cat-file commit "$IMPORTED" >actual &&
test_grep -E "^gpgsig(-sha256)? " actual &&
test_must_be_empty log
'
test_expect_success GPG 'strip signature invalidated by message change with --signed-commits=strip-if-invalid' '
rm -rf new &&
git init new &&
git fast-export --signed-commits=verbatim openpgp-signing >output &&
# Change the commit message, which invalidates the signature.
# The commit message length should not change though, otherwise the
# corresponding `data <length>` command would have to be changed too.
sed "s/OpenPGP signed commit/OpenPGP forged commit/" output >modified &&
git -C new fast-import --quiet --signed-commits=strip-if-invalid <modified >log 2>&1 &&
IMPORTED=$(git -C new rev-parse --verify refs/heads/openpgp-signing) &&
test $OPENPGP_SIGNING != $IMPORTED &&
git -C new cat-file commit "$IMPORTED" >actual &&
test_grep ! -E "^gpgsig" actual &&
test_grep "stripping invalid signature" log
'
test_expect_success GPGSM 'keep valid X.509 signature with --signed-commits=strip-if-invalid' '
rm -rf new &&
git init new &&
git fast-export --signed-commits=verbatim x509-signing >output &&
git -C new fast-import --quiet --signed-commits=strip-if-invalid <output >log 2>&1 &&
IMPORTED=$(git -C new rev-parse --verify refs/heads/x509-signing) &&
test $X509_SIGNING = $IMPORTED &&
git -C new cat-file commit "$IMPORTED" >actual &&
test_grep -E "^gpgsig(-sha256)? " actual &&
test_must_be_empty log
'
test_expect_success GPGSSH 'keep valid SSH signature with --signed-commits=strip-if-invalid' '
rm -rf new &&
git init new &&
test_config -C new gpg.ssh.allowedSignersFile "${GPGSSH_ALLOWED_SIGNERS}" &&
git fast-export --signed-commits=verbatim ssh-signing >output &&
git -C new fast-import --quiet --signed-commits=strip-if-invalid <output >log 2>&1 &&
IMPORTED=$(git -C new rev-parse --verify refs/heads/ssh-signing) &&
test $SSH_SIGNING = $IMPORTED &&
git -C new cat-file commit "$IMPORTED" >actual &&
test_grep -E "^gpgsig(-sha256)? " actual &&
test_must_be_empty log
'
test_done test_done