summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--builtin/merge.c30
-rw-r--r--builtin/pull.c11
-rw-r--r--commit.c26
-rw-r--r--commit.h8
-rwxr-xr-xt/t5573-pull-verify-signatures.sh7
-rwxr-xr-xt/t7612-merge-verify-signatures.sh7
6 files changed, 64 insertions, 25 deletions
diff --git a/builtin/merge.c b/builtin/merge.c
index adb0402e84..c3c976d471 100644
--- a/builtin/merge.c
+++ b/builtin/merge.c
@@ -1337,6 +1337,10 @@ int cmd_merge(int argc, const char **argv, const char *prefix)
die(_("%s - not something we can merge"), argv[0]);
if (remoteheads->next)
die(_("Can merge only exactly one commit into empty head"));
+
+ if (verify_signatures)
+ verify_merge_signature(remoteheads->item, verbosity);
+
remote_head_oid = &remoteheads->item->object.oid;
read_empty(remote_head_oid, 0);
update_ref("initial pull", "HEAD", remote_head_oid, NULL, 0,
@@ -1358,31 +1362,7 @@ int cmd_merge(int argc, const char **argv, const char *prefix)
if (verify_signatures) {
for (p = remoteheads; p; p = p->next) {
- struct commit *commit = p->item;
- char hex[GIT_MAX_HEXSZ + 1];
- struct signature_check signature_check;
- memset(&signature_check, 0, sizeof(signature_check));
-
- check_commit_signature(commit, &signature_check);
-
- find_unique_abbrev_r(hex, &commit->object.oid, DEFAULT_ABBREV);
- switch (signature_check.result) {
- case 'G':
- break;
- case 'U':
- die(_("Commit %s has an untrusted GPG signature, "
- "allegedly by %s."), hex, signature_check.signer);
- case 'B':
- die(_("Commit %s has a bad GPG signature "
- "allegedly by %s."), hex, signature_check.signer);
- default: /* 'N' */
- die(_("Commit %s does not have a GPG signature."), hex);
- }
- if (verbosity >= 0 && signature_check.result == 'G')
- printf(_("Commit %s has a good GPG signature by %s\n"),
- hex, signature_check.signer);
-
- signature_check_clear(&signature_check);
+ verify_merge_signature(p->item, verbosity);
}
}
diff --git a/builtin/pull.c b/builtin/pull.c
index c21aa276f1..1b90622b13 100644
--- a/builtin/pull.c
+++ b/builtin/pull.c
@@ -557,6 +557,17 @@ static int run_fetch(const char *repo, const char **refspecs)
static int pull_into_void(const struct object_id *merge_head,
const struct object_id *curr_head)
{
+ if (opt_verify_signatures) {
+ struct commit *commit;
+
+ commit = lookup_commit(the_repository, merge_head);
+ if (!commit)
+ die(_("unable to access commit %s"),
+ oid_to_hex(merge_head));
+
+ verify_merge_signature(commit, opt_verbosity);
+ }
+
/*
* Two-way merge: we treat the index as based on an empty tree,
* and try to fast-forward to HEAD. This ensures we will not lose
diff --git a/commit.c b/commit.c
index bee7b7b62e..d13a7bc374 100644
--- a/commit.c
+++ b/commit.c
@@ -1099,7 +1099,33 @@ int check_commit_signature(const struct commit *commit, struct signature_check *
return ret;
}
+void verify_merge_signature(struct commit *commit, int verbosity)
+{
+ char hex[GIT_MAX_HEXSZ + 1];
+ struct signature_check signature_check;
+ memset(&signature_check, 0, sizeof(signature_check));
+
+ check_commit_signature(commit, &signature_check);
+
+ find_unique_abbrev_r(hex, &commit->object.oid, DEFAULT_ABBREV);
+ switch (signature_check.result) {
+ case 'G':
+ break;
+ case 'U':
+ die(_("Commit %s has an untrusted GPG signature, "
+ "allegedly by %s."), hex, signature_check.signer);
+ case 'B':
+ die(_("Commit %s has a bad GPG signature "
+ "allegedly by %s."), hex, signature_check.signer);
+ default: /* 'N' */
+ die(_("Commit %s does not have a GPG signature."), hex);
+ }
+ if (verbosity >= 0 && signature_check.result == 'G')
+ printf(_("Commit %s has a good GPG signature by %s\n"),
+ hex, signature_check.signer);
+ signature_check_clear(&signature_check);
+}
void append_merge_tag_headers(struct commit_list *parents,
struct commit_extra_header ***tail)
diff --git a/commit.h b/commit.h
index 03ab19508f..98664536cb 100644
--- a/commit.h
+++ b/commit.h
@@ -340,6 +340,14 @@ void record_author_date(struct author_date_slab *author_date,
struct commit *commit);
int compare_commits_by_author_date(const void *a_, const void *b_, void *unused);
+
+/*
+ * Verify a single commit with check_commit_signature() and die() if it is not
+ * a good signature. This isn't really suitable for general use, but is a
+ * helper to implement consistent logic for pull/merge --verify-signatures.
+ */
+void verify_merge_signature(struct commit *commit, int verbose);
+
int compare_commits_by_commit_date(const void *a_, const void *b_, void *unused);
int compare_commits_by_gen_then_commit_date(const void *a_, const void *b_, void *unused);
diff --git a/t/t5573-pull-verify-signatures.sh b/t/t5573-pull-verify-signatures.sh
index 747775c147..3e9876e197 100755
--- a/t/t5573-pull-verify-signatures.sh
+++ b/t/t5573-pull-verify-signatures.sh
@@ -78,4 +78,11 @@ test_expect_success GPG 'pull commit with bad signature with --no-verify-signatu
git pull --ff-only --no-verify-signatures bad 2>pullerror
'
+test_expect_success GPG 'pull unsigned commit into unborn branch' '
+ git init empty-repo &&
+ test_must_fail \
+ git -C empty-repo pull --verify-signatures .. 2>pullerror &&
+ test_i18ngrep "does not have a GPG signature" pullerror
+'
+
test_done
diff --git a/t/t7612-merge-verify-signatures.sh b/t/t7612-merge-verify-signatures.sh
index e2b1df817a..d99218a725 100755
--- a/t/t7612-merge-verify-signatures.sh
+++ b/t/t7612-merge-verify-signatures.sh
@@ -103,4 +103,11 @@ test_expect_success GPG 'merge commit with bad signature with merge.verifySignat
git merge --no-verify-signatures $(cat forged.commit)
'
+test_expect_success GPG 'merge unsigned commit into unborn branch' '
+ test_when_finished "git checkout initial" &&
+ git checkout --orphan unborn &&
+ test_must_fail git merge --verify-signatures side-unsigned 2>mergeerror &&
+ test_i18ngrep "does not have a GPG signature" mergeerror
+'
+
test_done