summaryrefslogtreecommitdiff
path: root/t/lib-gpg.sh
AgeCommit message (Collapse)AuthorFilesLines
2021-12-21Merge branch 'fs/ssh-signing-other-keytypes'Libravatar Junio C Hamano1-0/+3
The cryptographic signing using ssh keys can specify literal keys for keytypes whose name do not begin with the "ssh-" prefix by using the "key::" prefix mechanism (e.g. "key::ecdsa-sha2-nistp256"). * fs/ssh-signing-other-keytypes: ssh signing: make sign/amend test more resilient ssh signing: support non ssh-* keytypes
2021-12-09ssh signing: verify ssh-keygen in test prereqLibravatar Fabian Stelzer1-13/+40
Do a full ssh signing, find-principals and verify operation in the test prereq's to make sure ssh-keygen works as expected. Only generating the keys and verifying its presence is not sufficient in some situations. One example was ssh-keygen creating unusable ssh keys in cygwin because of unsafe default permissions for the key files. The other a broken openssh 8.7 that segfaulted on any find-principals operation. This extended prereq check avoids future test breakages in case ssh-keygen or any environment behaviour changes. Signed-off-by: Fabian Stelzer <fs@gigacodes.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2021-12-09ssh signing: add key lifetime test prereqsLibravatar Fabian Stelzer1-1/+18
if ssh-keygen supports -Overify-time, add test keys marked as expired, not yet valid and valid both within the test_tick timeframe and outside of it. Signed-off-by: Fabian Stelzer <fs@gigacodes.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2021-11-19ssh signing: support non ssh-* keytypesLibravatar Fabian Stelzer1-0/+3
The user.signingKey config for ssh signing supports either a path to a file containing the key or for the sake of convenience a literal string with the ssh public key. To differentiate between those two cases we check if the first few characters contain "ssh-" which is unlikely to be the start of a path. ssh supports other key types which are not prefixed with "ssh-" and will currently be treated as a file path and therefore fail to load. To remedy this we move the prefix check into its own function and introduce the prefix `key::` for literal ssh keys. This way we don't need to add new key types when they become available. The existing `ssh-` prefix is retained for compatibility with current user configs but removed from the official documentation to discourage its use. Signed-off-by: Fabian Stelzer <fs@gigacodes.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2021-11-10Merge branch 'jk/ssh-signing-fix'Libravatar Junio C Hamano1-0/+6
Reject OpenSSH 8.7 whose "ssh-keygen -Y find-principals" is unusable from running the ssh signature tests. * jk/ssh-signing-fix: t/lib-gpg: avoid broken versions of ssh-keygen
2021-11-10t/lib-gpg: avoid broken versions of ssh-keygenLibravatar Jeff King1-0/+6
The "-Y find-principals" option of ssh-keygen seems to be broken in Debian's openssh-client 1:8.7p1-1, whereas it works fine in 1:8.4p1-5. This causes several failures for GPGSSH tests. We fulfill the prerequisite because generating the keys works fine, but actually verifying a signature causes results ranging from bogus results to ssh-keygen segfaulting. We can find the broken version during the prereq check by feeding it empty input. This should result in it complaining to stderr, but in the broken version it triggers the segfault, causing the GPGSSH tests to be skipped. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2021-11-05t/lib-git.sh: fix ACL-related permissions failureLibravatar Adam Dinwoodie1-0/+1
As well as checking that the relevant functionality is available, the GPGSSH prerequisite check creates the SSH keys that are used by the test functions it gates. If these keys are created in a directory that has a default Access Control List, the key files can inherit those permissions. This can result in a scenario where the private keys are created successfully, so the prerequisite check passes and the tests are run, but the key files have permissions that are too permissive, meaning OpenSSH will refuse to load them and the tests will fail. To avoid this happening, before creating the keys, clear any default ACL set on the directory that will contain them. This step allowed to fail; if setfacl isn't present, that's a very likely indicator that the filesystem in question simply doesn't support default ACLs. Helped-by: Fabian Stelzer <fs@gigacodes.de> Signed-off-by: Adam Dinwoodie <adam@dinwoodie.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2021-09-10ssh signing: add test prereqsLibravatar Fabian Stelzer1-0/+28
Generate some ssh keys and a allowedSignersFile for testing Signed-off-by: Fabian Stelzer <fs@gigacodes.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2020-04-22Merge branch 'jk/test-cleanup'Libravatar Junio C Hamano1-0/+0
Test cleanup. * jk/test-cleanup: t/lib-*.sh: drop executable bit t/lib-credential.sh: drop shebang line
2020-03-27t/lib-*.sh: drop executable bitLibravatar Jeff King1-0/+0
There's no need for shell libraries to have the executable bit. They're meant to be sourced, and running them stand-alone is pointless. Let's reduce any possible confusion by making it more clear they're not meant to be run this way. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2020-03-26tests: increase the verbosity of the GPG-related prereqsLibravatar Johannes Schindelin1-14/+14
Especially when debugging a test failure that can only be reproduced in the CI build (e.g. when the developer has no access to a macOS machine other than running the tests on a macOS build agent), output should not be suppressed. In the instance of `hi/gpg-prefer-check-signature`, where one GPG-related test failed for no apparent reason, the entire output of `gpg` and `gpgsm` was suppressed, even in verbose mode, leaving interested readers no clue what was going wrong. Let's fix this by no longer redirecting the output not to `/dev/null`. This is now possible because the affected prereqs were turned into lazy ones (and are therefore evaluated via `test_eval_` which respects the `--verbose` option). Note that we _still_ redirect `stdout` to `/dev/null` for those commands that sign their `stdin`, as the output would be binary (and useless anyway, because the reader would not have anything against which to compare the output). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2020-03-26tests: turn GPG, GPGSM and RFC1991 into lazy prereqsLibravatar Johannes Schindelin1-45/+57
The code to set those prereqs is executed completely outside of any `test_eval_` block. As a consequence, its output had to be suppressed so that it does not clutter the output of a regular test script run. Unfortunately, the output *stays* suppressed even when the `--verbose` option is in effect. This hid important output when debugging why the GPG prereq was not enabled in the Windows part of our CI builds. In preparation for fixing that, let's move all of this code into lazy prereqs. The only slightly tricky part is the global environment variable `GNUPGHOME`. Originally, it was configured only when we verified that there is a `gpg` in the `PATH` that we can use. This is now no longer possible, as lazy prereqs are evaluated in a subshell that changes the working directory to a temporary one. Therefore, we simply _always_ set that environment variable: it does not hurt anything because it does not indicate the presence of a working GPG. Side note: it was quite tempting to use a hack that is possible because we do not validate what is passed to `test_lazy_prereq` (and it is therefore possible to "break out" of the lazy_prereq subshell: test_lazy_prereq GPG '...) && GNUPGHOME=... && (...' However, this is rather tricksy hobbitses code, and the current patch is _much_ easier to understand. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2020-03-26t/lib-gpg.sh: stop pretending to be a stand-alone scriptLibravatar Johannes Schindelin1-2/+0
It makes no sense to call `./lib-gpg.sh`. Therefore the hash-bang line is unnecessary. There are other similar instances in `t/`, but they are too far from the context of the enclosing patch series, so they will be addressed separately. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2020-03-25tests(gpg): allow the gpg-agent to start on WindowsLibravatar Johannes Schindelin1-1/+1
In Git for Windows' SDK, we use the MSYS2 version of OpenSSH, meaning that the `gpg-agent` will fail horribly when being passed a `--homedir` that contains colons. Previously, we did pass the Windows version of the absolute path, though, which starts in the drive letter followed by, you guessed it, a colon. Let's use the same trick found elsewhere in our test suite where `$PWD` is used to refer to the pseudo-Unix path (which works only within the MSYS2 Bash/OpenSSH/Perl/etc, as opposed to `$(pwd)` which refers to the Windows path that `git.exe` understands, too). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-02-08Merge branch 'tz/gpg-test-fix'Libravatar Junio C Hamano1-2/+1
Test fix. * tz/gpg-test-fix: t/lib-gpg: drop redundant killing of gpg-agent t/lib-gpg: quote path to ${GNUPGHOME}/trustlist.txt
2019-02-08t/lib-gpg: drop redundant killing of gpg-agentLibravatar Todd Zullinger1-1/+0
In 53fc999306 ("gpg-interface t: extend the existing GPG tests with GPGSM", 2018-07-20), the gpgconf call which kills gpg-agent was copied from the existing gpg setup code. The reason for killing gpg-agent is given in 29ff1f8f74 ("t: lib-gpg: flush gpg agent on startup", 2017-07-20): When running gpg-relevant tests, a gpg-daemon is spawned for each GNUPGHOME used. This daemon may stay running after the test and cache file descriptors for the trash directories, even after the trash directory is removed. This leads to ENOENT errors when attempting to create files if tests are run multiple times. Add a cleanup script to force flushing the gpg-agent for that GNUPGHOME (if any) before setting up the GPG relevant-environment. Killing gpg-agent once per test is sufficient. Signed-off-by: Todd Zullinger <tmz@pobox.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-02-08t/lib-gpg: quote path to ${GNUPGHOME}/trustlist.txtLibravatar Todd Zullinger1-1/+1
When gpgsm is installed, lib-gpg.sh attempts to update trustlist.txt to relax the checking of some root certificate requirements. The path to "${GNUPGHOME}" contains spaces which cause an "ambiguous redirect" warning when bash is used to run the tests: $ bash t7030-verify-tag.sh /git/t/lib-gpg.sh: line 66: ${GNUPGHOME}/trustlist.txt: ambiguous redirect ok 1 - create signed tags ok 2 # skip create signed tags x509 (missing GPGSM) ... No warning is issued when using bash called as /bin/sh, dash, or mksh. Quote the path to ensure the redirect works as intended and sets the GPGSM prereq. While we're here, drop the space after ">>". Signed-off-by: Todd Zullinger <tmz@pobox.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-10-07tests: standardize pipe placementLibravatar Matthew DeVore1-3/+6
Instead of using a line-continuation and pipe on the second line, take advantage of the shell's implicit line continuation after a pipe character. So for example, instead of some long line \ | next line use some long line | next line And add a blank line before and after the pipe where it aids readability (it usually does). This better matches the coding style documented in Documentation/CodingGuidelines and used in shell scripts elsewhere in the tree. Signed-off-by: Matthew DeVore <matvore@google.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2018-07-20gpg-interface t: extend the existing GPG tests with GPGSMLibravatar Henning Schild1-1/+27
Add test cases to cover the new X509/gpgsm support. Most of them resemble existing ones. They just switch the format to x509 and set the signingkey when creating signatures. Validation of signatures does not need any configuration of git, it does need gpgsm to be configured to trust the key(-chain). Several of the testcases build on top of existing gpg testcases. The commit ships a self-signed key for committer@example.com and configures gpgsm to trust it. Signed-off-by: Henning Schild <henning.schild@siemens.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-11-14t/lib-gpg: fix gpgconf stderr redirect to /dev/nullLibravatar Todd Zullinger1-1/+1
In 29ff1f8f74 (t: lib-gpg: flush gpg agent on startup, 2017-07-20), a call to gpgconf was added to kill the gpg-agent. The intention was to ignore all output from the call, but the order of the redirection needs to be switched to ensure that both stdout and stderr are redirected to /dev/null. Without this, gpgconf from gnupg-2.0 releases would output 'gpgconf: invalid option "--kill"' each time it was called. Signed-off-by: Todd Zullinger <tmz@pobox.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-07-20t: lib-gpg: flush gpg agent on startupLibravatar Santiago Torres1-0/+1
When running gpg-relevant tests, a gpg-daemon is spawned for each GNUPGHOME used. This daemon may stay running after the test and cache file descriptors for the trash directories, even after the trash directory is removed. This leads to ENOENT errors when attempting to create files if tests are run multiple times. Add a cleanup script to force flushing the gpg-agent for that GNUPGHOME (if any) before setting up the GPG relevant-environment. Helped-by: Junio C Hamano <gitster@pobox.com> Signed-off-by: Santiago Torres <santiago@nyu.edu> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-03-06lib-gpg: drop unnecessary "missing GPG" warningLibravatar Eric Sunshine1-3/+2
When 37d3e85 (t7004: factor out gpg setup, 2011-09-07) pulled gpg detection code out of t7004-tag.sh and turned it into a standard test prerequisite, it added an unconditional "missing GPG" warning when gpg is not detected. However, this is redundant since all tests which require GPG already warn via either 'test_expect_success GPG' ("skipping: missing GPG") on a test-by-test basis, or when skipping all tests in a script ("skipping all foobar tests; missing GPG"). Consequently, the extra warning from lib-gpg.sh is unnecessary, so retire it. Signed-off-by: Eric Sunshine <sunshine@sunshineco.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-01-29t/lib-gpg: sanity-check that we can actually signLibravatar Jeff King1-0/+2
Some older versions of gpg (reportedly v1.2.6 from RHEL4) cannot import the keyrings found in our test suite, and thus cannot even make a signature. The previous change works it around, but we cannot anticipate breakages update to GPG would cause in the future. Do a test-sign before declaring the GPG prerequisite fulfilled to future-proof our tests. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-01-29t/lib-gpg: include separate public keys in keyring.gpgLibravatar Jeff King1-0/+2
Since 1e3eefb (tests: replace binary GPG keyrings with ASCII-armored keys, 2014-12-12), we import our test GPG keys from a single file. Each keypair in the import stream contains both the secret and public keys. However, older versions of gpg reportedly fail to import the public half of the key. We can solve this by including duplicates of the public keys separately. The duplicates are ignored by modern gpg, and this makes older versions work. Reported by Tom G. Christensen <tgc@statsbiblioteket.dk> on gpg 1.2.6 (from RHEL4). Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-12-16tests: make comment on GPG keyring match the codeLibravatar Christian Hesse1-3/+13
GnuPG homedir is generated on the fly and keys are imported from armored key file. Make comment match available key info and new key generation procedure. Signed-off-by: Christian Hesse <mail@eworm.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-12-12tests: squelch noise from GPG machinery set-upLibravatar Junio C Hamano1-12/+14
It is distracting to let the GPG message while setting up the test gpghome leak into the test output, especially without running these tests with "-v" option. The splitting of RFC1991 prerequiste part is about future-proofing. When we want to define other kinds of specific prerequisites in the future, we'd prefer to see it done separately from the basic set-up code. Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-12-12tests: replace binary GPG keyrings with ASCII-armored keysLibravatar Christian Hesse1-2/+1
Importing PGP key public and security ring works, but we do not have all secret keys in one binary blob and all public keys in another. Instead import public and secret keys for one key pair from a text file that holds ASCII-armored export of them. Signed-off-by: Christian Hesse <mail@eworm.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-12-12tests: skip RFC1991 tests for gnupg 2.1Libravatar Christian Hesse1-0/+4
GnuPG >= 2.1.0 no longer supports RFC1991, so skip these tests. Signed-off-by: Christian Hesse <mail@eworm.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-12-12tests: create gpg homedir on the flyLibravatar Christian Hesse1-3/+7
GnuPG 2.1 homedir looks different, so just create it on the fly by importing needed private and public keys and ownertrust. This solves an issue with gnupg 2.1 running interactive pinentry when old secret key is present. Signed-off-by: Christian Hesse <mail@eworm.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-10-29Merge branch 'mg/lib-gpg-ro-safety'Libravatar Junio C Hamano1-0/+1
In a tarball extract whose files are all read-only, running GPG tests would have failed due to unwritable files. * mg/lib-gpg-ro-safety: t/lib-gpg: make gpghome files writable
2014-10-27t/lib-gpg: make gpghome files writableLibravatar Michael J Gruber1-0/+1
t/lib-gpg.sh copies the test environment's gpg home to the trash directory and makes sure the directoty is writable. Make sure the copied files are writable, too. Signed-off-by: Michael J Gruber <git@drmicha.warpmail.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2014-04-23lib-gpg.sh: use the $( ... ) construct for command substitutionLibravatar Elia Pinto1-1/+1
The Git CodingGuidelines prefer the $(...) construct for command substitution instead of using the backquotes `...`. The backquoted form is the traditional method for command substitution, and is supported by POSIX. However, all but the simplest uses become complicated quickly. In particular, embedded command substitutions and/or the use of double quotes require careful escaping with the backslash character. The patch was generated by: for _f in $(find . -name "*.sh") do sed -i 's@`\(.*\)`@$(\1)@g' ${_f} done and then carefully proof-read. Signed-off-by: Elia Pinto <gitter.spiros@gmail.com> Reviewed-by: Matthieu Moy <Matthieu.Moy@imag.fr> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-09-08for-each-ref: add split message parts to %(contents:*).Libravatar Michał Górny1-0/+8
The %(body) placeholder returns the whole body of a tag or commit, including the signature. However, callers may want to get just the body without signature, or just the signature. Rather than change the meaning of %(body), which might break some scripts, this patch introduces a new set of placeholders which break down the %(contents) placeholder into its constituent parts. [jk: initial patch by mg, rebased on top of my refactoring and with tests by me] Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2011-09-08t7004: factor out gpg setupLibravatar Jeff King1-0/+26
Other test scripts may want to look at or verify signed tags, and the setup is non-trivial. Let's factor this out into lib-gpg.sh for other tests to use. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>