summaryrefslogtreecommitdiffstats
path: root/t/t7612-merge-verify-signatures.sh
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-09 13:34:27 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-09 13:34:27 +0000
commit4dbdc42d9e7c3968ff7f690d00680419c9b8cb0f (patch)
tree47c1d492e9c956c1cd2b74dbd3b9d8b0db44dc4e /t/t7612-merge-verify-signatures.sh
parentInitial commit. (diff)
downloadgit-4dbdc42d9e7c3968ff7f690d00680419c9b8cb0f.tar.xz
git-4dbdc42d9e7c3968ff7f690d00680419c9b8cb0f.zip
Adding upstream version 1:2.43.0.upstream/1%2.43.0
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 't/t7612-merge-verify-signatures.sh')
-rwxr-xr-xt/t7612-merge-verify-signatures.sh139
1 files changed, 139 insertions, 0 deletions
diff --git a/t/t7612-merge-verify-signatures.sh b/t/t7612-merge-verify-signatures.sh
new file mode 100755
index 0000000..84ddb56
--- /dev/null
+++ b/t/t7612-merge-verify-signatures.sh
@@ -0,0 +1,139 @@
+#!/bin/sh
+
+test_description='merge signature verification tests'
+GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME=main
+export GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME
+
+TEST_PASSES_SANITIZE_LEAK=true
+. ./test-lib.sh
+. "$TEST_DIRECTORY/lib-gpg.sh"
+
+test_expect_success GPG 'create signed commits' '
+ echo 1 >file && git add file &&
+ test_tick && git commit -m initial &&
+ git tag initial &&
+
+ git checkout -b side-signed &&
+ echo 3 >elif && git add elif &&
+ test_tick && git commit -S -m "signed on side" &&
+ git checkout initial &&
+
+ git checkout -b side-unsigned &&
+ echo 3 >foo && git add foo &&
+ test_tick && git commit -m "unsigned on side" &&
+ git checkout initial &&
+
+ git checkout -b side-bad &&
+ echo 3 >bar && git add bar &&
+ test_tick && git commit -S -m "bad on side" &&
+ git cat-file commit side-bad >raw &&
+ sed -e "s/^bad/forged bad/" raw >forged &&
+ git hash-object -w -t commit forged >forged.commit &&
+ git checkout initial &&
+
+ git checkout -b side-untrusted &&
+ echo 3 >baz && git add baz &&
+ test_tick && git commit -SB7227189 -m "untrusted on side" &&
+
+ git checkout main
+'
+
+test_expect_success GPG 'merge unsigned commit with verification' '
+ test_when_finished "git reset --hard && git checkout initial" &&
+ test_must_fail git merge --ff-only --verify-signatures side-unsigned 2>mergeerror &&
+ test_grep "does not have a GPG signature" mergeerror
+'
+
+test_expect_success GPG 'merge unsigned commit with merge.verifySignatures=true' '
+ test_when_finished "git reset --hard && git checkout initial" &&
+ test_config merge.verifySignatures true &&
+ test_must_fail git merge --ff-only side-unsigned 2>mergeerror &&
+ test_grep "does not have a GPG signature" mergeerror
+'
+
+test_expect_success GPG 'merge commit with bad signature with verification' '
+ test_when_finished "git reset --hard && git checkout initial" &&
+ test_must_fail git merge --ff-only --verify-signatures $(cat forged.commit) 2>mergeerror &&
+ test_grep "has a bad GPG signature" mergeerror
+'
+
+test_expect_success GPG 'merge commit with bad signature with merge.verifySignatures=true' '
+ test_when_finished "git reset --hard && git checkout initial" &&
+ test_config merge.verifySignatures true &&
+ test_must_fail git merge --ff-only $(cat forged.commit) 2>mergeerror &&
+ test_grep "has a bad GPG signature" mergeerror
+'
+
+test_expect_success GPG 'merge commit with untrusted signature with verification' '
+ test_when_finished "git reset --hard && git checkout initial" &&
+ test_must_fail git merge --ff-only --verify-signatures side-untrusted 2>mergeerror &&
+ test_grep "has an untrusted GPG signature" mergeerror
+'
+
+test_expect_success GPG 'merge commit with untrusted signature with verification and high minTrustLevel' '
+ test_when_finished "git reset --hard && git checkout initial" &&
+ test_config gpg.minTrustLevel marginal &&
+ test_must_fail git merge --ff-only --verify-signatures side-untrusted 2>mergeerror &&
+ test_grep "has an untrusted GPG signature" mergeerror
+'
+
+test_expect_success GPG 'merge commit with untrusted signature with verification and low minTrustLevel' '
+ test_when_finished "git reset --hard && git checkout initial" &&
+ test_config gpg.minTrustLevel undefined &&
+ git merge --ff-only --verify-signatures side-untrusted >mergeoutput &&
+ test_grep "has a good GPG signature" mergeoutput
+'
+
+test_expect_success GPG 'merge commit with untrusted signature with merge.verifySignatures=true' '
+ test_when_finished "git reset --hard && git checkout initial" &&
+ test_config merge.verifySignatures true &&
+ test_must_fail git merge --ff-only side-untrusted 2>mergeerror &&
+ test_grep "has an untrusted GPG signature" mergeerror
+'
+
+test_expect_success GPG 'merge commit with untrusted signature with merge.verifySignatures=true and minTrustLevel' '
+ test_when_finished "git reset --hard && git checkout initial" &&
+ test_config merge.verifySignatures true &&
+ test_config gpg.minTrustLevel marginal &&
+ test_must_fail git merge --ff-only side-untrusted 2>mergeerror &&
+ test_grep "has an untrusted GPG signature" mergeerror
+'
+
+test_expect_success GPG 'merge signed commit with verification' '
+ test_when_finished "git reset --hard && git checkout initial" &&
+ git merge --verbose --ff-only --verify-signatures side-signed >mergeoutput &&
+ test_grep "has a good GPG signature" mergeoutput
+'
+
+test_expect_success GPG 'merge signed commit with merge.verifySignatures=true' '
+ test_when_finished "git reset --hard && git checkout initial" &&
+ test_config merge.verifySignatures true &&
+ git merge --verbose --ff-only side-signed >mergeoutput &&
+ test_grep "has a good GPG signature" mergeoutput
+'
+
+test_expect_success GPG 'merge commit with bad signature without verification' '
+ test_when_finished "git reset --hard && git checkout initial" &&
+ git merge $(cat forged.commit)
+'
+
+test_expect_success GPG 'merge commit with bad signature with merge.verifySignatures=false' '
+ test_when_finished "git reset --hard && git checkout initial" &&
+ test_config merge.verifySignatures false &&
+ git merge $(cat forged.commit)
+'
+
+test_expect_success GPG 'merge commit with bad signature with merge.verifySignatures=true and --no-verify-signatures' '
+ test_when_finished "git reset --hard && git checkout initial" &&
+ test_config merge.verifySignatures true &&
+ git merge --no-verify-signatures $(cat forged.commit)
+'
+
+test_expect_success GPG 'merge unsigned commit into unborn branch' '
+ test_when_finished "git checkout initial" &&
+ git checkout --orphan unborn &&
+ test_must_fail git merge --verify-signatures side-unsigned 2>mergeerror &&
+ test_grep "does not have a GPG signature" mergeerror
+'
+
+test_done