From a075e79d2c036e8e41900cfcb2177d75b92758c8 Mon Sep 17 00:00:00 2001 From: Fabian Stelzer Date: Fri, 4 Mar 2022 11:25:17 +0100 Subject: [PATCH 1/3] gpg-interface/gpgsm: fix for v2.3 Checking if signing was successful will now accept '[GNUPG]: SIG_CREATED' on the beginning of the first or any subsequent line. Not just explictly the second one anymore. Gpgsm v2.3 changed its output when listing keys from `fingerprint` to `sha1/2 fpr`. This leads to the gpgsm tests silently not being executed because of a failed prerequisite. Switch to gpg's `--with-colons` output format when evaluating test prerequisites to make parsing more robust. This also allows us to combine the existing grep/cut/tr/echo pipe for writing the trustlist.txt into a single awk expression. Adjust error message checking in test for v2.3 specific output changes. Helped-By: Junio C Hamano Helped-By: Todd Zullinger Signed-off-by: Junio C Hamano --- gpg-interface.c | 9 ++++++++- t/lib-gpg.sh | 8 +++----- t/t4202-log.sh | 3 ++- 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/gpg-interface.c b/gpg-interface.c index b52eb0e2e0..4238e60dfa 100644 --- a/gpg-interface.c +++ b/gpg-interface.c @@ -920,6 +920,7 @@ static int sign_buffer_gpg(struct strbuf *buffer, struct strbuf *signature, struct child_process gpg = CHILD_PROCESS_INIT; int ret; size_t bottom; + const char *cp; struct strbuf gpg_status = STRBUF_INIT; strvec_pushl(&gpg.args, @@ -939,7 +940,13 @@ static int sign_buffer_gpg(struct strbuf *buffer, struct strbuf *signature, signature, 1024, &gpg_status, 0); sigchain_pop(SIGPIPE); - ret |= !strstr(gpg_status.buf, "\n[GNUPG:] SIG_CREATED "); + for (cp = gpg_status.buf; + cp && (cp = strstr(cp, "[GNUPG:] SIG_CREATED ")); + cp++) { + if (cp == gpg_status.buf || cp[-1] == '\n') + break; /* found */ + } + ret |= !cp; strbuf_release(&gpg_status); if (ret) return error(_("gpg failed to sign the data")); diff --git a/t/lib-gpg.sh b/t/lib-gpg.sh index 3e7ee1386a..6bc083ca77 100644 --- a/t/lib-gpg.sh +++ b/t/lib-gpg.sh @@ -72,12 +72,10 @@ test_lazy_prereq GPGSM ' --passphrase-fd 0 --pinentry-mode loopback \ --import "$TEST_DIRECTORY"/lib-gpg/gpgsm_cert.p12 && - gpgsm --homedir "${GNUPGHOME}" -K | - grep fingerprint: | - cut -d" " -f4 | - tr -d "\\n" >"${GNUPGHOME}/trustlist.txt" && + gpgsm --homedir "${GNUPGHOME}" -K --with-colons | + awk -F ":" "/^fpr:/ {printf \"%s S relax\\n\", \$10}" \ + >"${GNUPGHOME}/trustlist.txt" && - echo " S relax" >>"${GNUPGHOME}/trustlist.txt" && echo hello | gpgsm --homedir "${GNUPGHOME}" >/dev/null \ -u committer@example.com -o /dev/null --sign - ' diff --git a/t/t4202-log.sh b/t/t4202-log.sh index 5049559861..6800afe5ef 100755 --- a/t/t4202-log.sh +++ b/t/t4202-log.sh @@ -1931,7 +1931,8 @@ test_expect_success GPGSM 'log --graph --show-signature for merged tag x509 miss git merge --no-ff -m msg signed_tag_x509_nokey && GNUPGHOME=. git log --graph --show-signature -n1 plain-x509-nokey >actual && grep "^|\\\ merged tag" actual && - grep "^| | gpgsm: certificate not found" actual + grep -e "^| | gpgsm: certificate not found" \ + -e "^| | gpgsm: failed to find the certificate: Not found" actual ' test_expect_success GPGSM 'log --graph --show-signature for merged tag x509 bad signature' ' From fa47dd6445faea84300844f7d70fe22e710bdc22 Mon Sep 17 00:00:00 2001 From: Todd Zullinger Date: Fri, 4 Mar 2022 11:25:18 +0100 Subject: [PATCH 2/3] t/lib-gpg: reload gpg components after updating trustlist With gpgsm from gnupg-2.3, the changes to the trustlist.txt do not appear to be picked up without refreshing the gpg-agent. Use the 'all' keyword to reload all of the gpg components. The scdaemon is started as a child of gpg-agent, for example. We used to have a --kill at this spot, but I removed it in 2e285e7803 (t/lib-gpg: drop redundant killing of gpg-agent, 2019-02-07). It seems like it might be necessary (again) for 2.3. Signed-off-by: Todd Zullinger Signed-off-by: Junio C Hamano --- t/lib-gpg.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/t/lib-gpg.sh b/t/lib-gpg.sh index 6bc083ca77..38e2c0f4fb 100644 --- a/t/lib-gpg.sh +++ b/t/lib-gpg.sh @@ -75,6 +75,7 @@ test_lazy_prereq GPGSM ' gpgsm --homedir "${GNUPGHOME}" -K --with-colons | awk -F ":" "/^fpr:/ {printf \"%s S relax\\n\", \$10}" \ >"${GNUPGHOME}/trustlist.txt" && + (gpgconf --reload all || : ) && echo hello | gpgsm --homedir "${GNUPGHOME}" >/dev/null \ -u committer@example.com -o /dev/null --sign - From b0b70d54c4a17476f04ce17255c6558425c11367 Mon Sep 17 00:00:00 2001 From: Todd Zullinger Date: Fri, 4 Mar 2022 11:25:19 +0100 Subject: [PATCH 3/3] t/lib-gpg: kill all gpg components, not just gpg-agent The gpg-agent is one of several processes that newer releases of GnuPG start automatically. Issue a kill to each of them to ensure they do not affect separate tests. (Yes, the separate GNUPGHOME should do that already. If we find that is case, we could drop the --kill entirely.) In terms of compatibility, the 'all' keyword was added to the --kill & --reload options in GnuPG 2.1.18. Debian and RHEL are often used as indicators of how a change might affect older systems we often try to support. - Debian Strech (old old stable), which has limited security support until June 2022, has GnuPG 2.1.18 (or 2.2.x in backports). - CentOS/RHEL 7, which is supported until June 2024, has GnuPG 2.0.22, which lacks the --kill option, so the change won't have any impact. Signed-off-by: Todd Zullinger Signed-off-by: Junio C Hamano --- t/lib-gpg.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/t/lib-gpg.sh b/t/lib-gpg.sh index 38e2c0f4fb..114785586a 100644 --- a/t/lib-gpg.sh +++ b/t/lib-gpg.sh @@ -40,7 +40,7 @@ test_lazy_prereq GPG ' # > lib-gpg/ownertrust mkdir "$GNUPGHOME" && chmod 0700 "$GNUPGHOME" && - (gpgconf --kill gpg-agent || : ) && + (gpgconf --kill all || : ) && gpg --homedir "${GNUPGHOME}" --import \ "$TEST_DIRECTORY"/lib-gpg/keyring.gpg && gpg --homedir "${GNUPGHOME}" --import-ownertrust \