From: Jeff King <peff@peff.net>
To: git@vger.kernel.org
Cc: Felix Eckhofer <felix@eckhofer.com>, Junio C Hamano <gitster@pobox.com>
Subject: [PATCH 2/3] merge: handle --verify-signatures for unborn branch
Date: Tue, 6 Nov 2018 02:51:15 -0500 [thread overview]
Message-ID: <20181106075115.GB22021@sigill.intra.peff.net> (raw)
In-Reply-To: <20181106074910.GA31978@sigill.intra.peff.net>
When git-merge sees that we are on an unborn branch (i.e., there is no
HEAD), it follows a totally separate code path than the usual merge
logic. This code path does not know about verify_signatures, and so we
fail to notice bad or missing signatures.
This has been broken since --verify-signatures was added in efed002249
(merge/pull: verify GPG signatures of commits being merged, 2013-03-31).
In an ideal world, we'd unify the flow for this case with the regular
merge logic, which would fix this bug and avoid introducing similar
ones. But because the unborn case is so different, it would be a burden
on the rest of the function to continually handle the missing HEAD. So
let's just port the verification check to this special case.
Reported-by: Felix Eckhofer <felix@eckhofer.com>
Signed-off-by: Jeff King <peff@peff.net>
---
builtin/merge.c | 4 ++++
t/t7612-merge-verify-signatures.sh | 7 +++++++
2 files changed, 11 insertions(+)
diff --git a/builtin/merge.c b/builtin/merge.c
index c677f9375e..be156b122d 100644
--- a/builtin/merge.c
+++ b/builtin/merge.c
@@ -1336,6 +1336,10 @@ int cmd_merge(int argc, const char **argv, const char *prefix)
die(_("%s - not something we can merge"), argv[0]);
if (remoteheads->next)
die(_("Can merge only exactly one commit into empty head"));
+
+ if (verify_signatures)
+ verify_merge_signature(remoteheads->item, verbosity);
+
remote_head_oid = &remoteheads->item->object.oid;
read_empty(remote_head_oid, 0);
update_ref("initial pull", "HEAD", remote_head_oid, NULL, 0,
diff --git a/t/t7612-merge-verify-signatures.sh b/t/t7612-merge-verify-signatures.sh
index e2b1df817a..d99218a725 100755
--- a/t/t7612-merge-verify-signatures.sh
+++ b/t/t7612-merge-verify-signatures.sh
@@ -103,4 +103,11 @@ test_expect_success GPG 'merge commit with bad signature with merge.verifySignat
git merge --no-verify-signatures $(cat forged.commit)
'
+test_expect_success GPG 'merge unsigned commit into unborn branch' '
+ test_when_finished "git checkout initial" &&
+ git checkout --orphan unborn &&
+ test_must_fail git merge --verify-signatures side-unsigned 2>mergeerror &&
+ test_i18ngrep "does not have a GPG signature" mergeerror
+'
+
test_done
--
2.19.1.1533.g982fead9fb
next prev parent reply other threads:[~2018-11-06 7:51 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-06 7:49 [PATCH 0/3] fix pull/merge --verify-signature on an unborn branch Jeff King
2018-11-06 7:50 ` [PATCH 1/3] merge: extract verify_merge_signature() helper Jeff King
2018-11-06 7:51 ` Jeff King [this message]
2018-11-06 7:52 ` [PATCH 3/3] pull: handle --verify-signatures for unborn branch Jeff King
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181106075115.GB22021@sigill.intra.peff.net \
--to=peff@peff.net \
--cc=felix@eckhofer.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.