git-commit-vandalism/builtin
Hans Jerry Illikainen 72b006f4bf gpg-interface: prefer check_signature() for GPG verification
This commit refactors the use of verify_signed_buffer() outside of
gpg-interface.c to use check_signature() instead.  It also turns
verify_signed_buffer() into a file-local function since it's now only
invoked internally by check_signature().

There were previously two globally scoped functions used in different
parts of Git to perform GPG signature verification:
verify_signed_buffer() and check_signature().  Now only
check_signature() is used.

The verify_signed_buffer() function doesn't guard against duplicate
signatures as described by Michał Górny [1].  Instead it only ensures a
non-erroneous exit code from GPG and the presence of at least one
GOODSIG status field.  This stands in contrast with check_signature()
that returns an error if more than one signature is encountered.

The lower degree of verification makes the use of verify_signed_buffer()
problematic if callers don't parse and validate the various parts of the
GPG status message themselves.  And processing these messages seems like
a task that should be reserved to gpg-interface.c with the function
check_signature().

Furthermore, the use of verify_signed_buffer() makes it difficult to
introduce new functionality that relies on the content of the GPG status
lines.

Now all operations that does signature verification share a single entry
point to gpg-interface.c.  This makes it easier to propagate changed or
additional functionality in GPG signature verification to all parts of
Git, without having odd edge-cases that don't perform the same degree of
verification.

[1] https://dev.gentoo.org/~mgorny/articles/attack-on-git-signature-verification.html

Signed-off-by: Hans Jerry Illikainen <hji@dyntopia.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-11-30 13:52:35 -08:00
..
add.c add: error appropriately on repository with no commits 2019-04-10 12:52:50 +09:00
am.c Merge branch 'ds/close-object-store' into maint 2019-07-29 12:38:22 -07:00
annotate.c
apply.c
archive.c pack-protocol.txt: accept error packets in any context 2019-01-02 13:05:30 -08:00
bisect--helper.c bisect--helper: verify HEAD could be parsed before continuing 2019-05-28 10:51:01 -07:00
blame.c Merge branch 'sg/blame-in-bare-start-at-head' 2019-04-25 16:41:21 +09:00
branch.c Merge branch 'po/doc-branch' into maint 2019-07-29 12:38:16 -07:00
bundle.c create_bundle(): drop unused "header" parameter 2019-01-24 12:35:44 -08:00
cat-file.c Merge branch 'jk/loose-object-cache-oid' 2019-02-06 22:05:27 -08:00
check-attr.c cache.h: flip NO_THE_INDEX_COMPATIBILITY_MACROS switch 2019-01-24 11:55:06 -08:00
check-ignore.c cache.h: flip NO_THE_INDEX_COMPATIBILITY_MACROS switch 2019-01-24 11:55:06 -08:00
check-mailmap.c
check-ref-format.c
checkout-index.c Merge branch 'nd/the-index-final' 2019-02-06 22:05:23 -08:00
checkout.c Merge branch 'nd/checkout-m' 2019-04-25 16:41:14 +09:00
clean.c clean: show an error message when the path is too long 2019-07-19 08:12:44 -07:00
clone.c Merge branch 'ds/close-object-store' into maint 2019-07-29 12:38:22 -07:00
column.c
commit-graph.c commit-graph: collapse parameters into flags 2019-06-12 11:20:53 -07:00
commit-tree.c commit-tree: utilize parse-options api 2019-03-08 10:31:24 +09:00
commit.c Merge branch 'ds/close-object-store' into maint 2019-07-29 12:38:22 -07:00
config.c Merge branch 'jk/save-getenv-result' 2019-01-29 12:47:54 -08:00
count-objects.c rename "alternate_object_database" to "object_directory" 2018-11-13 14:22:02 +09:00
credential.c
describe.c Merge branch 'ss/describe-dirty-in-the-right-directory' 2019-02-06 22:05:29 -08:00
diff-files.c cache.h: flip NO_THE_INDEX_COMPATIBILITY_MACROS switch 2019-01-24 11:55:06 -08:00
diff-index.c cache.h: flip NO_THE_INDEX_COMPATIBILITY_MACROS switch 2019-01-24 11:55:06 -08:00
diff-tree.c Merge branch 'en/combined-all-paths' 2019-03-07 09:59:54 +09:00
diff.c Merge branch 'nd/diff-parseopt-4' 2019-04-25 16:41:12 +09:00
difftool.c Merge branch 'js/difftool-no-index' 2019-05-19 16:45:35 +09:00
fast-export.c Merge branch 'en/fast-export-import' 2019-01-04 13:33:33 -08:00
fetch-pack.c fetch_pack(): drop unused parameters 2019-03-20 18:34:09 +09:00
fetch.c Merge branch 'fc/fetch-with-import-fix' into maint 2019-07-29 12:38:23 -07:00
fmt-merge-msg.c gpg-interface: prefer check_signature() for GPG verification 2019-11-30 13:52:35 -08:00
for-each-ref.c parse_opt_ref_sorting: always use with NONEG flag 2019-03-21 12:03:35 +09:00
fsck.c Merge branch 'jk/fsck-doc' 2019-03-20 15:16:06 +09:00
gc.c Merge branch 'ds/close-object-store' into maint 2019-07-29 12:38:22 -07:00
get-tar-commit-id.c builtin/get-tar-commit-id: make hash size independent 2019-04-01 11:57:39 +09:00
grep.c Merge branch 'nd/the-index-final' 2019-02-06 22:05:23 -08:00
hash-object.c cache.h: flip NO_THE_INDEX_COMPATIBILITY_MACROS switch 2019-01-24 11:55:06 -08:00
help.c completion: add more parameter value completion 2019-02-20 12:31:56 -08:00
index-pack.c index-pack: prefetch missing REF_DELTA bases 2019-05-15 11:01:40 +09:00
init-db.c Merge branch 'nd/init-relative-template-fix' into maint 2019-07-25 14:27:06 -07:00
interpret-trailers.c interpret-trailers: load default config 2019-06-19 07:12:49 -07:00
log.c Merge branch 'jk/unused-params-even-more' 2019-04-25 16:41:12 +09:00
ls-files.c cleanup: fix possible overflow errors in binary search, part 2 2019-06-13 11:28:53 -07:00
ls-remote.c parse_opt_ref_sorting: always use with NONEG flag 2019-03-21 12:03:35 +09:00
ls-tree.c Merge branch 'nd/attr-pathspec-in-tree-walk' 2019-01-14 15:29:28 -08:00
mailinfo.c
mailsplit.c
merge-base.c Merge branch 'pk/rebase-in-c-4-opts' 2018-11-02 11:04:55 +09:00
merge-file.c assert NOARG/NONEG behavior of parse-options callbacks 2018-11-06 12:56:29 +09:00
merge-index.c cache.h: flip NO_THE_INDEX_COMPATIBILITY_MACROS switch 2019-01-24 11:55:06 -08:00
merge-ours.c cache.h: flip NO_THE_INDEX_COMPATIBILITY_MACROS switch 2019-01-24 11:55:06 -08:00
merge-recursive.c Merge branch 'nd/the-index-final' 2019-02-06 22:05:23 -08:00
merge-tree.c Merge branch 'nd/the-index-final' 2019-02-06 22:05:23 -08:00
merge.c Merge branch 'ds/close-object-store' into maint 2019-07-29 12:38:22 -07:00
mktag.c
mktree.c builtin/mktree: remove hard-coded constant 2018-10-15 12:53:15 +09:00
multi-pack-index.c midx: pass a repository pointer 2019-05-07 13:48:41 +09:00
mv.c cache.h: flip NO_THE_INDEX_COMPATIBILITY_MACROS switch 2019-01-24 11:55:06 -08:00
name-rev.c builtin/name-rev: make hash-size independent 2019-04-01 11:57:38 +09:00
notes.c Merge branch 'nd/the-index' into md/list-objects-filter-by-depth 2019-01-15 15:38:29 -08:00
pack-objects.c Merge branch 'jk/delta-islands-progress-fix' into maint 2019-07-29 12:38:19 -07:00
pack-redundant.c object-store: rename and expand packed_git's sha1 member 2019-04-01 11:57:38 +09:00
pack-refs.c Honor core.precomposeUnicode in more places 2019-04-26 10:54:03 +09:00
patch-id.c
prune-packed.c Merge branch 'rj/prune-packed-excess-args' 2019-03-07 09:59:55 +09:00
prune.c prune: check SEEN flag for reachability 2019-02-14 15:25:33 -08:00
pull.c Merge branch 'dl/merge-cleanup-scissors-fix' 2019-05-09 00:37:24 +09:00
push.c Merge branch 'nd/style-opening-brace' 2019-01-18 13:49:52 -08:00
range-diff.c range-diff: use parse_options() instead of diff_opt_parse() 2019-03-24 22:21:24 +09:00
read-tree.c read-tree: add --quiet 2019-03-24 21:35:34 +09:00
rebase.c Merge branch 'ds/close-object-store' into maint 2019-07-29 12:38:22 -07:00
receive-pack.c Merge branch 'ds/close-object-store' into maint 2019-07-29 12:38:22 -07:00
reflog.c Merge branch 'jk/loose-object-cache-oid' 2019-02-06 22:05:27 -08:00
remote-ext.c
remote-fd.c
remote.c Merge branch 'ms/remote-error-message-update' 2018-09-24 10:30:52 -07:00
repack.c Merge branch 'ds/close-object-store' into maint 2019-07-29 12:38:22 -07:00
replace.c Merge branch 'cc/replace-graft-peel-tags' 2019-05-09 00:37:24 +09:00
rerere.c Merge branch 'nd/the-index' into md/list-objects-filter-by-depth 2019-01-15 15:38:29 -08:00
reset.c Merge branch 'bp/post-index-change-hook' 2019-04-25 16:41:11 +09:00
rev-list.c Merge branch 'tb/unexpected' 2019-05-09 00:37:25 +09:00
rev-parse.c cache.h: flip NO_THE_INDEX_COMPATIBILITY_MACROS switch 2019-01-24 11:55:06 -08:00
revert.c cherry-pick/revert: add scissors line on merge conflict 2019-04-19 12:05:36 +09:00
rm.c Merge branch 'jc/denoise-rm-to-resolve' into maint 2019-07-29 12:38:17 -07:00
send-pack.c pack-protocol.txt: accept error packets in any context 2019-01-02 13:05:30 -08:00
shortlog.c Merge branch 'nd/show-gitcomp-compilation-fix' into maint 2018-12-15 12:24:33 +09:00
show-branch.c refs.c: remove the_repo from read_ref_at() 2019-04-08 17:26:33 +09:00
show-index.c
show-ref.c Merge branch 'en/unicode-in-refnames' 2019-05-19 16:45:30 +09:00
stash.c stash: fix show referencing stash index 2019-06-19 14:47:49 -07:00
stripspace.c stripspace: allow -s/-c outside git repository 2018-12-26 15:41:47 -08:00
submodule--helper.c Merge branch 'ms/submodule-foreach-fix' into maint 2019-07-29 12:38:18 -07:00
symbolic-ref.c
tag.c Merge branch 'dl/warn-tagging-a-tag' 2019-05-19 16:45:26 +09:00
unpack-file.c
unpack-objects.c convert "hashcmp() != 0" to "!hasheq()" 2018-08-29 11:32:49 -07:00
update-index.c fill_stat_cache_info(): prepare for an fsmonitor fix 2019-05-28 12:43:42 -07:00
update-ref.c update-ref: allow --no-deref with --stdin 2018-09-12 15:17:17 -07:00
update-server-info.c
upload-archive.c archive: initialize archivers earlier 2018-10-26 10:17:59 +09:00
upload-pack.c
var.c
verify-commit.c verify-tag: drop signal.h include 2019-06-19 08:19:21 -07:00
verify-pack.c
verify-tag.c verify-tag: drop signal.h include 2019-06-19 08:19:21 -07:00
worktree.c Merge branch 'ms/worktree-add-atomic-mkdir' 2019-04-10 02:14:24 +09:00
write-tree.c cache.h: flip NO_THE_INDEX_COMPATIBILITY_MACROS switch 2019-01-24 11:55:06 -08:00