summaryrefslogtreecommitdiff
path: root/Documentation
diff options
context:
space:
mode:
authorLibravatar Michał Górny <mgorny@gentoo.org>2018-10-20 21:30:20 +0200
committerLibravatar Junio C Hamano <gitster@pobox.com>2018-10-22 12:42:30 +0900
commitda6cf1b3360eefdce3dbde7632eca57177327f37 (patch)
treea1105c58db7deb0adc220b7cb9f050a35fa05361 /Documentation
parentGit 2.19.1 (diff)
downloadtgif-da6cf1b3360eefdce3dbde7632eca57177327f37.tar.xz
gpg-interface.c: detect and reject multiple signatures on commits
GnuPG supports creating signatures consisting of multiple signature packets. If such a signature is verified, it outputs all the status messages for each signature separately. However, git currently does not account for such scenario and gets terribly confused over getting multiple *SIG statuses. For example, if a malicious party alters a signed commit and appends a new untrusted signature, git is going to ignore the original bad signature and report untrusted commit instead. However, %GK and %GS format strings may still expand to the data corresponding to the original signature, potentially tricking the scripts into trusting the malicious commit. Given that the use of multiple signatures is quite rare, git does not support creating them without jumping through a few hoops, and finally supporting them properly would require extensive API improvement, it seems reasonable to just reject them at the moment. Signed-off-by: Michał Górny <mgorny@gentoo.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'Documentation')
0 files changed, 0 insertions, 0 deletions