Re: t7510-signed-commit.sh hangs on old gpg, regression in 1bfb57f642d (was: [PATCH v8 9/9] ssh signing: test that gpg fails for unknown keys)

[Fabian Stelzer <fs@gigacodes.de>]

On 26.12.2021 23:53, Ævar Arnfjörð Bjarmason wrote:
>>
>> Hm. I have an identical centos 7.9 installation (same
>> versions/features) and the key is generated without issues. Does the
>> VM maybe have not enough entropy for generating a gpg key?
>> Otherwise we could of course pre-generate the key and commit it. I'm
>> usually not a fan of this since over time it can become unclear how it
>> was generated or if the committed version still matches what would be
>> generated today.
>> But of course I don't want to slow down CI with rsa key generation stuff :/
>> If missing entropy is the problem, then maybe CI could benefit from
>> something like haveged in general (other tests might want more entropy
>> too).
>
>Late reply. It's not a VM, but yes. I've confirmed that it's due to
>/dev/random hanging.
>
>I don't understand why we need to generate a key at all.

You are right, we don't need to. I initially toyed with the GPG commands to 
disable/export/reimport a key but without success (I'm not terribly familiar 
with GPG though). 

>
>It looks like your 1bfb57f642d (ssh signing: test that gpg fails for
>unknown keys, 2021-09-10) is just trying to test the case where we sign
>with a key, and then don't have that key anymore.
>

It tests verifying a commit for which the key is not in our keyring at all.  
All the other tests only use present keys (with varying trust levels) or 
completely unsigned commits for the failure check. 

I think we could do the following though and simply point git to an empty 
keyring to be able to verify this:

diff --git a/t/t7510-signed-commit.sh b/t/t7510-signed-commit.sh
index 9882b69ae2..2d38580847 100755
--- a/t/t7510-signed-commit.sh
+++ b/t/t7510-signed-commit.sh
@@ -71,25 +71,7 @@ test_expect_success GPG 'create signed commits' '
  	git tag eleventh-signed $(cat oid) &&
  	echo 12 | git commit-tree --gpg-sign=B7227189 HEAD^{tree} >oid &&
  	test_line_count = 1 oid &&
-	git tag twelfth-signed-alt $(cat oid) &&
-
-	cat >keydetails <<-\EOF &&
-	Key-Type: RSA
-	Key-Length: 2048
-	Subkey-Type: RSA
-	Subkey-Length: 2048
-	Name-Real: Unknown User
-	Name-Email: unknown@git.com
-	Expire-Date: 0
-	%no-ask-passphrase
-	%no-protection
-	EOF
-	gpg --batch --gen-key keydetails &&
-	echo 13 >file && git commit -a -S"unknown@git.com" -m thirteenth &&
-	git tag thirteenth-signed &&
-	DELETE_FINGERPRINT=$(gpg -K --with-colons --fingerprint --batch unknown@git.com | grep "^fpr" | head -n 1 | awk -F ":" "{print \$10;}") &&
-	gpg --batch --yes --delete-secret-keys $DELETE_FINGERPRINT &&
-	gpg --batch --yes --delete-keys unknown@git.com
+	git tag twelfth-signed-alt $(cat oid)
  '
  
  test_expect_success GPG 'verify and show signatures' '
@@ -129,7 +111,7 @@ test_expect_success GPG 'verify and show signatures' '
  '
  
  test_expect_success GPG 'verify-commit exits failure on unknown signature' '
-	test_must_fail git verify-commit thirteenth-signed 2>actual &&
+	GNUPGHOME=./empty_home test_must_fail git verify-commit initial 2>actual &&
  	! grep "Good signature from" actual &&
  	! grep "BAD signature from" actual &&
  	grep -q -F -e "No public key" -e "public key not found" actual