Is git commit signing complete?

With newer versions of git you can sign individual commits (in addition to tags) using the PGP key:

 git commit -m "some message" -S 

And you can show these signatures in git log output with the --show-signature option:

 $ git log --show-signature
 commit 93bd0a7529ef347f8dbca7efde43f7e99ab89515
 gpg: Signature made Fri 28 Jun 2013 02:28:41 PM EDT using RSA key ID AC1964A8
 gpg: Good signature from "Lars Kellogg-Stedman <lars@seas.harvard.edu>"
 Author: Lars Kellogg-Stedman <lars@seas.harvard.edu>
 Date:   Fri Jun 28 14:28:41 2013 -0400

     this is a test

But is there a way to programmatically verify the signature on this commit, other than grepping the output of git log ? I am looking for the equivalent of git tag -v for commits - something that would provide an exit code indicating whether there was a valid signature on the given commit.

+43
git
Jun 28 '13 at 19:09
3 answers

Just in case someone comes to this page through a search engine, like me: new tools have become available in the two years since the question was asked. There are now git commands for this task: git verify-commit and git verify-tag can be used to check commits and tags, respectively.

+52
May 14 '15 at 11:44

Note: prior to git 2.5, git verify-commit and git verify-tag only displayed a human-readable message.
If you want to automate verification, git 2.6+ (Q3 2015) adds a different kind of output.

See commit e18443e , commit aeff29d , commit ca194d5 , commit 434060e , commit 8e98e5f , commit a4cc18f , commit d66aeff (June 21, 2015) by brian m. carlson ( bk2204 ) .
(Merged by Junio C Hamano - gitster - in commit ba12cb2 , August 03, 2015)

verify-tag / verify-commit : add an option to print gpg status information

verify-tag / verify-commit by default display human-readable text on standard error.
However, it can also be useful to access the raw gpg status information, which is machine-readable, allowing automated implementation of a signature policy .

Add a --raw option to verify-tag to display the gpg status information on standard error instead of the human-readable format.

Plus:

verify-tag succeeds if the signature is good but the key is untrusted; verify-commit fails.
This discrepancy in behavior is unexpected and undesirable.
Since verify-tag existed first, add a failing test to make verify-commit share verify-tag's behavior.

git 2.9 (June 2016) updates the git merge documentation:

See commit 05a5869 (May 13, 2016) by Keller Fuchs .
Helped-by: Junio C Hamano ( gitster ) .
(Merged by Junio C Hamano - gitster - in commit be6ec17 , May 17, 2016)

 --verify-signatures: --no-verify-signatures: 

Verify that the tip commit of the side branch being merged is signed with a valid key, i.e. a key that has a valid uid: in the default trust model, this means the signing key has been signed by a trusted key.
If the tip commit of the side branch is not signed with a valid key, the merge is aborted .

Git 2.10 (Q3 2016) update:

See commit b624a3e (August 16, 2016) by Linus Torvalds .
(Merged by Junio C Hamano - gitster - in commit 83d9eb0 , August 19, 2016)

gpg-interface : prefer "long" key format output when verifying pgp signatures

" git log --show-signature " and other commands that display the PGP signature verification status now show a longer key ID, since the 32-bit key ID is last century's.

Linus's original has been reinstated to apply to the maintenance track, just in case binary distributors who are stuck in the past want to take it into their older code base.

git 2.11+ (Q4 2016) will be even more precise.

See commit 661a180 (October 12, 2016) by Michael J Gruber ( mjg ) .
(Merged by Junio C Hamano - gitster - in commit 56d268b , October 26, 2016)

The GPG verification status shown by the %G? pretty-format specifier is not rich enough to differentiate a signature made with an expired key, a signature made with a revoked key, etc.
New output letters are assigned to express them .

According to gpg2 doc/DETAILS :

Only one of the GOODSIG , BADSIG , EXPSIG , EXPKEYSIG , REVKEYSIG or ERRSIG status codes is emitted for each signature.

The git pretty-format documentation now includes:

  • ' %G? ': show
    • " G " for a good (valid) signature,
    • " B " for a bad signature,
    • " U " for a good signature with unknown validity,
    • " X " for a good signature that has expired,
    • " Y " for a good signature made by an expired key,
    • " R " for a good signature made by a revoked key,
    • " E " if the signature cannot be checked (for example, a missing key),
    • " N " for no signature

git 2.12 (Q1 2017): " git tag " and " git verify-tag " learned to put the GPG verification status in their --format output.

See commit 4fea72f , commit 02c5433 , commit ff3c8c8 (January 17, 2017) by Santiago Torres .
See commit 07d347c , commit 2111aa7 , commit 94240b9 (January 17, 2017) by Lucas Puhringer .
(Merged by Junio C Hamano - gitster - in commit 237bdd9 , January 31, 2017)

Adding --format to git tag -v disables the default GPG output and prints the formatted tag object instead.
This allows callers to cross-check the tag name from refs/tags with the tag name in the tag object header after GPG verification.

git 2.16 (Q1 2018) further automates verification of commit signatures on merge with the merge.verifySignatures configuration setting.

See commit 7f8ca20 , commit ca779e8 (December 10, 2017) by Hans Jerry Illikainen .
(Merged by Junio C Hamano - gitster - in commit 0433d53 , December 28, 2017)

merge : add a configuration option for verifySignatures

git merge --verify-signatures can be used to verify that the tip commit of the side branch is correctly signed, but it is cumbersome to have to specify this every time.

Add a configuration option that enables this behavior by default, which can be overridden with --no-verify-signatures .

The git merge config documentation now reads:

 merge.verifySignatures: 

If true, this is equivalent to the --verify-signatures command line option.

+11
Aug 16 '15 at 18:58

A quick look at the code suggests that there is no such direct method.

All tests in the git source rely on grepping the output of git show (see t/t7510-signed-commit.sh for the tests).

You can customize the output using something like --pretty "%H %G?" to simplify parsing.

It seems you can ask git merge to verify the signature, but again, its tests rely on grep (see t/t7612-merge-verify-signatures.sh ). It seems an invalid signature will cause git merge to exit with a bad-signature error, so you could hack it today by doing a test merge somewhere and throwing that merge away, but that seems worse than just calling grep.

+4
Jun 28 '13 at 19:40
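Putting the two answers together, here is an added example (not code from either answer or from git itself) that turns the gpg status lines of git verify-commit --raw and the %H %G? %GK fields of git log into a pass/fail policy decision. The STATUS_TO_LETTER mapping follows the git 2.11 letter list quoted above; the key ids and signer names in the samples are constructed, and only the verify_commit function needs a real repository with git 2.6+ and gpg.

```python
import re, subprocess

# gpg status keyword -> the %G? letter git prints for it (the git 2.11 letter set)
STATUS_TO_LETTER = {"GOODSIG": "G", "BADSIG": "B", "EXPSIG": "X",
                    "EXPKEYSIG": "Y", "REVKEYSIG": "R", "ERRSIG": "E"}
UNTRUSTED = {"TRUST_UNDEFINED", "TRUST_NEVER"}  # good signature, key not trusted -> "U"
STATUS_LINE = re.compile(r"^\[GNUPG:\] (\S+) ?(.*)$")

def classify_gpg_status(raw_status):
    """Map raw gpg status lines (git verify-commit --raw, stderr) to (%G? letter, key id)."""
    letter, key_id, untrusted = "N", None, False  # "N": no signature seen at all
    for line in raw_status.splitlines():
        m = STATUS_LINE.match(line.strip())
        if not m:
            continue
        keyword, rest = m.groups()
        if keyword in STATUS_TO_LETTER:
            letter = STATUS_TO_LETTER[keyword]
            key_id = rest.split(" ", 1)[0] or None  # first field after the keyword is the key id
        elif keyword in UNTRUSTED:
            untrusted = True
    if letter == "G" and untrusted:
        letter = "U"  # verify-tag accepts this case; a strict policy should not
    return letter, key_id

def passes_policy(letter, key_id, allowed_keys):
    """Strict policy: only a good signature from an allow-listed key passes (U/X/Y/R/E/B/N fail)."""
    return letter == "G" and key_id in allowed_keys

def audit_log(pretty_output, allowed_keys):
    """Return the commits from `git log --pretty='%H %G? %GK'` output that fail the policy."""
    failing = []
    for fields in (line.split() for line in pretty_output.splitlines() if line.strip()):
        letter = fields[1] if len(fields) > 1 else "N"
        key_id = fields[2] if len(fields) > 2 else None
        if not passes_policy(letter, key_id, allowed_keys):
            failing.append(fields[0])
    return failing

def verify_commit(commit, allowed_keys, repo="."):
    """Live check: --raw puts the gpg status lines on stderr (needs git 2.6+ and gpg)."""
    proc = subprocess.run(["git", "-C", repo, "verify-commit", "--raw", commit],
                          capture_output=True, text=True)
    return passes_policy(*classify_gpg_status(proc.stderr), allowed_keys)

# Constructed sample status output in the gpg doc/DETAILS format (hypothetical keys)
SAMPLE_GOOD = ("[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.com>\n"
               "[GNUPG:] TRUST_ULTIMATE 0 pgp\n")
SAMPLE_UNKNOWN = SAMPLE_GOOD.replace("TRUST_ULTIMATE", "TRUST_UNDEFINED")
SAMPLE_EXPIRED_KEY = "[GNUPG:] EXPKEYSIG FEDCBA9876543210 Old Signer <old@example.com>\n"
```

For a CI gate, feed `git log --pretty='%H %G? %GK' origin/main..HEAD` to audit_log and fail the job if it returns anything.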