3 #include "run-command.h"
5 #include "gpg-interface.h"
9 static char *configured_signing_key;
10 static enum signature_trust_level configured_min_trust_level = TRUST_UNDEFINED;
15 const char **verify_args;
19 static const char *openpgp_verify_args[] = {
20 "--keyid-format=long",
23 static const char *openpgp_sigs[] = {
24 "-----BEGIN PGP SIGNATURE-----",
25 "-----BEGIN PGP MESSAGE-----",
29 static const char *x509_verify_args[] = {
32 static const char *x509_sigs[] = {
33 "-----BEGIN SIGNED MESSAGE-----",
37 static struct gpg_format gpg_format[] = {
38 { .name = "openpgp", .program = "gpg",
39 .verify_args = openpgp_verify_args,
42 { .name = "x509", .program = "gpgsm",
43 .verify_args = x509_verify_args,
48 static struct gpg_format *use_format = &gpg_format[0];
50 static struct gpg_format *get_format_by_name(const char *str)
54 for (i = 0; i < ARRAY_SIZE(gpg_format); i++)
55 if (!strcmp(gpg_format[i].name, str))
56 return gpg_format + i;
60 static struct gpg_format *get_format_by_sig(const char *sig)
64 for (i = 0; i < ARRAY_SIZE(gpg_format); i++)
65 for (j = 0; gpg_format[i].sigs[j]; j++)
66 if (starts_with(sig, gpg_format[i].sigs[j]))
67 return gpg_format + i;
71 void signature_check_clear(struct signature_check *sigc)
73 FREE_AND_NULL(sigc->payload);
74 FREE_AND_NULL(sigc->gpg_output);
75 FREE_AND_NULL(sigc->gpg_status);
76 FREE_AND_NULL(sigc->signer);
77 FREE_AND_NULL(sigc->key);
78 FREE_AND_NULL(sigc->fingerprint);
79 FREE_AND_NULL(sigc->primary_key_fingerprint);
82 /* An exclusive status -- only one of them can appear in output */
83 #define GPG_STATUS_EXCLUSIVE (1<<0)
84 /* The status includes key identifier */
85 #define GPG_STATUS_KEYID (1<<1)
86 /* The status includes user identifier */
87 #define GPG_STATUS_UID (1<<2)
88 /* The status includes key fingerprints */
89 #define GPG_STATUS_FINGERPRINT (1<<3)
90 /* The status includes trust level */
91 #define GPG_STATUS_TRUST_LEVEL (1<<4)
93 /* Short-hand for standard exclusive *SIG status with keyid & UID */
94 #define GPG_STATUS_STDSIG (GPG_STATUS_EXCLUSIVE|GPG_STATUS_KEYID|GPG_STATUS_UID)
100 } sigcheck_gpg_status[] = {
101 { 'G', "GOODSIG ", GPG_STATUS_STDSIG },
102 { 'B', "BADSIG ", GPG_STATUS_STDSIG },
103 { 'E', "ERRSIG ", GPG_STATUS_EXCLUSIVE|GPG_STATUS_KEYID },
104 { 'X', "EXPSIG ", GPG_STATUS_STDSIG },
105 { 'Y', "EXPKEYSIG ", GPG_STATUS_STDSIG },
106 { 'R', "REVKEYSIG ", GPG_STATUS_STDSIG },
107 { 0, "VALIDSIG ", GPG_STATUS_FINGERPRINT },
108 { 0, "TRUST_", GPG_STATUS_TRUST_LEVEL },
113 enum signature_trust_level value;
114 } sigcheck_gpg_trust_level[] = {
115 { "UNDEFINED", TRUST_UNDEFINED },
116 { "NEVER", TRUST_NEVER },
117 { "MARGINAL", TRUST_MARGINAL },
118 { "FULLY", TRUST_FULLY },
119 { "ULTIMATE", TRUST_ULTIMATE },
122 static void replace_cstring(char **field, const char *line, const char *next)
127 *field = xmemdupz(line, next - line);
132 static int parse_gpg_trust_level(const char *level,
133 enum signature_trust_level *res)
137 for (i = 0; i < ARRAY_SIZE(sigcheck_gpg_trust_level); i++) {
138 if (!strcmp(sigcheck_gpg_trust_level[i].key, level)) {
139 *res = sigcheck_gpg_trust_level[i].value;
146 static void parse_gpg_output(struct signature_check *sigc)
148 const char *buf = sigc->gpg_status;
149 const char *line, *next;
151 int seen_exclusive_status = 0;
153 /* Iterate over all lines */
154 for (line = buf; *line; line = strchrnul(line+1, '\n')) {
155 while (*line == '\n')
160 /* Skip lines that don't start with GNUPG status */
161 if (!skip_prefix(line, "[GNUPG:] ", &line))
164 /* Iterate over all search strings */
165 for (i = 0; i < ARRAY_SIZE(sigcheck_gpg_status); i++) {
166 if (skip_prefix(line, sigcheck_gpg_status[i].check, &line)) {
168 * GOODSIG, BADSIG etc. can occur only once for
169 * each signature. Therefore, if we had more
170 * than one then we're dealing with multiple
171 * signatures. We don't support them
172 * currently, and they're rather hard to
173 * create, so something is likely fishy and we
174 * should reject them altogether.
176 if (sigcheck_gpg_status[i].flags & GPG_STATUS_EXCLUSIVE) {
177 if (seen_exclusive_status++)
181 if (sigcheck_gpg_status[i].result)
182 sigc->result = sigcheck_gpg_status[i].result;
183 /* Do we have key information? */
184 if (sigcheck_gpg_status[i].flags & GPG_STATUS_KEYID) {
185 next = strchrnul(line, ' ');
186 replace_cstring(&sigc->key, line, next);
187 /* Do we have signer information? */
188 if (*next && (sigcheck_gpg_status[i].flags & GPG_STATUS_UID)) {
190 next = strchrnul(line, '\n');
191 replace_cstring(&sigc->signer, line, next);
195 /* Do we have trust level? */
196 if (sigcheck_gpg_status[i].flags & GPG_STATUS_TRUST_LEVEL) {
198 * GPG v1 and v2 differs in how the
199 * TRUST_ lines are written. Some
200 * trust lines contain no additional
201 * space-separated information for v1.
203 size_t trust_size = strcspn(line, " \n");
204 char *trust = xmemdupz(line, trust_size);
206 if (parse_gpg_trust_level(trust, &sigc->trust_level)) {
213 /* Do we have fingerprint? */
214 if (sigcheck_gpg_status[i].flags & GPG_STATUS_FINGERPRINT) {
218 next = strchrnul(line, ' ');
219 replace_cstring(&sigc->fingerprint, line, next);
222 * Skip interim fields. The search is
223 * limited to the same line since only
224 * OpenPGP signatures has a field with
225 * the primary fingerprint.
227 limit = strchrnul(line, '\n');
228 for (j = 9; j > 0; j--) {
229 if (!*next || limit <= next)
232 next = strchrnul(line, ' ');
235 field = &sigc->primary_key_fingerprint;
237 next = strchrnul(line, '\n');
238 replace_cstring(field, line, next);
240 replace_cstring(field, NULL, NULL);
252 /* Clear partial data to avoid confusion */
253 FREE_AND_NULL(sigc->primary_key_fingerprint);
254 FREE_AND_NULL(sigc->fingerprint);
255 FREE_AND_NULL(sigc->signer);
256 FREE_AND_NULL(sigc->key);
259 int check_signature(const char *payload, size_t plen, const char *signature,
260 size_t slen, struct signature_check *sigc)
262 struct strbuf gpg_output = STRBUF_INIT;
263 struct strbuf gpg_status = STRBUF_INIT;
267 sigc->trust_level = -1;
269 status = verify_signed_buffer(payload, plen, signature, slen,
270 &gpg_output, &gpg_status);
271 if (status && !gpg_output.len)
273 sigc->payload = xmemdupz(payload, plen);
274 sigc->gpg_output = strbuf_detach(&gpg_output, NULL);
275 sigc->gpg_status = strbuf_detach(&gpg_status, NULL);
276 parse_gpg_output(sigc);
277 status |= sigc->result != 'G';
278 status |= sigc->trust_level < configured_min_trust_level;
281 strbuf_release(&gpg_status);
282 strbuf_release(&gpg_output);
287 void print_signature_buffer(const struct signature_check *sigc, unsigned flags)
289 const char *output = flags & GPG_VERIFY_RAW ?
290 sigc->gpg_status : sigc->gpg_output;
292 if (flags & GPG_VERIFY_VERBOSE && sigc->payload)
293 fputs(sigc->payload, stdout);
296 fputs(output, stderr);
299 size_t parse_signature(const char *buf, size_t size)
306 if (get_format_by_sig(buf + len))
309 eol = memchr(buf + len, '\n', size - len);
310 len += eol ? eol - (buf + len) + 1 : size - len;
315 void set_signing_key(const char *key)
317 free(configured_signing_key);
318 configured_signing_key = xstrdup(key);
321 int git_gpg_config(const char *var, const char *value, void *cb)
323 struct gpg_format *fmt = NULL;
324 char *fmtname = NULL;
328 if (!strcmp(var, "user.signingkey")) {
330 return config_error_nonbool(var);
331 set_signing_key(value);
335 if (!strcmp(var, "gpg.format")) {
337 return config_error_nonbool(var);
338 fmt = get_format_by_name(value);
340 return error("unsupported value for %s: %s",
346 if (!strcmp(var, "gpg.mintrustlevel")) {
348 return config_error_nonbool(var);
350 trust = xstrdup_toupper(value);
351 ret = parse_gpg_trust_level(trust, &configured_min_trust_level);
355 return error("unsupported value for %s: %s", var,
360 if (!strcmp(var, "gpg.program") || !strcmp(var, "gpg.openpgp.program"))
363 if (!strcmp(var, "gpg.x509.program"))
367 fmt = get_format_by_name(fmtname);
368 return git_config_string(&fmt->program, var, value);
374 const char *get_signing_key(void)
376 if (configured_signing_key)
377 return configured_signing_key;
378 return git_committer_info(IDENT_STRICT|IDENT_NO_DATE);
381 int sign_buffer(struct strbuf *buffer, struct strbuf *signature, const char *signing_key)
383 struct child_process gpg = CHILD_PROCESS_INIT;
386 struct strbuf gpg_status = STRBUF_INIT;
388 argv_array_pushl(&gpg.args,
391 "-bsau", signing_key,
394 bottom = signature->len;
397 * When the username signingkey is bad, program could be terminated
398 * because gpg exits without reading and then write gets SIGPIPE.
400 sigchain_push(SIGPIPE, SIG_IGN);
401 ret = pipe_command(&gpg, buffer->buf, buffer->len,
402 signature, 1024, &gpg_status, 0);
403 sigchain_pop(SIGPIPE);
405 ret |= !strstr(gpg_status.buf, "\n[GNUPG:] SIG_CREATED ");
406 strbuf_release(&gpg_status);
408 return error(_("gpg failed to sign the data"));
410 /* Strip CR from the line endings, in case we are on Windows. */
411 for (i = j = bottom; i < signature->len; i++)
412 if (signature->buf[i] != '\r') {
414 signature->buf[j] = signature->buf[i];
417 strbuf_setlen(signature, j);
422 int verify_signed_buffer(const char *payload, size_t payload_size,
423 const char *signature, size_t signature_size,
424 struct strbuf *gpg_output, struct strbuf *gpg_status)
426 struct child_process gpg = CHILD_PROCESS_INIT;
427 struct gpg_format *fmt;
428 struct tempfile *temp;
430 struct strbuf buf = STRBUF_INIT;
432 temp = mks_tempfile_t(".git_vtag_tmpXXXXXX");
434 return error_errno(_("could not create temporary file"));
435 if (write_in_full(temp->fd, signature, signature_size) < 0 ||
436 close_tempfile_gently(temp) < 0) {
437 error_errno(_("failed writing detached signature to '%s'"),
439 delete_tempfile(&temp);
443 fmt = get_format_by_sig(signature);
445 BUG("bad signature '%s'", signature);
447 argv_array_push(&gpg.args, fmt->program);
448 argv_array_pushv(&gpg.args, fmt->verify_args);
449 argv_array_pushl(&gpg.args,
451 "--verify", temp->filename.buf, "-",
457 sigchain_push(SIGPIPE, SIG_IGN);
458 ret = pipe_command(&gpg, payload, payload_size,
459 gpg_status, 0, gpg_output, 0);
460 sigchain_pop(SIGPIPE);
462 delete_tempfile(&temp);
464 ret |= !strstr(gpg_status->buf, "\n[GNUPG:] GOODSIG ");
465 strbuf_release(&buf); /* no matter it was used or not */
projects / git / blob