3 test_description='signed push'
 
   6 . "$TEST_DIRECTORY"/lib-gpg.sh
 
  10         test_create_repo dst &&
 
  12         git push dst master:noop master:ff master:noff
 
  15 test_expect_success setup '
 
  16         # master, ff and noff branches pointing at the same commit
 
  18         git commit --allow-empty -m initial &&
 
  20         git checkout -b noop &&
 
  22         git checkout -b noff &&
 
  24         # noop stays the same, ff advances, noff rewrites
 
  26         git commit --allow-empty --amend -m rewritten &&
 
  30         git commit --allow-empty -m second
 
  33 test_expect_success 'unsigned push does not send push certificate' '
 
  35         mkdir -p dst/.git/hooks &&
 
  36         write_script dst/.git/hooks/post-receive <<-\EOF &&
 
  37         # discard the update list
 
  39         # record the push certificate
 
  40         if test -n "${GIT_PUSH_CERT-}"
 
  42                 git cat-file blob $GIT_PUSH_CERT >../push-cert
 
  46         git push dst noop ff +noff &&
 
  47         ! test -f dst/push-cert
 
  50 test_expect_success 'talking with a receiver without push certificate support' '
 
  52         mkdir -p dst/.git/hooks &&
 
  53         write_script dst/.git/hooks/post-receive <<-\EOF &&
 
  54         # discard the update list
 
  56         # record the push certificate
 
  57         if test -n "${GIT_PUSH_CERT-}"
 
  59                 git cat-file blob $GIT_PUSH_CERT >../push-cert
 
  63         git push dst noop ff +noff &&
 
  64         ! test -f dst/push-cert
 
  67 test_expect_success 'push --signed fails with a receiver without push certificate support' '
 
  69         mkdir -p dst/.git/hooks &&
 
  70         test_must_fail git push --signed dst noop ff +noff 2>err &&
 
  71         test_i18ngrep "the receiving end does not support" err
 
  74 test_expect_success GPG 'no certificate for a signed push with no update' '
 
  76         mkdir -p dst/.git/hooks &&
 
  77         write_script dst/.git/hooks/post-receive <<-\EOF &&
 
  78         if test -n "${GIT_PUSH_CERT-}"
 
  80                 git cat-file blob $GIT_PUSH_CERT >../push-cert
 
  84         ! test -f dst/push-cert
 
  87 test_expect_success GPG 'signed push sends push certificate' '
 
  89         mkdir -p dst/.git/hooks &&
 
  90         git -C dst config receive.certnonceseed sekrit &&
 
  91         write_script dst/.git/hooks/post-receive <<-\EOF &&
 
  92         # discard the update list
 
  94         # record the push certificate
 
  95         if test -n "${GIT_PUSH_CERT-}"
 
  97                 git cat-file blob $GIT_PUSH_CERT >../push-cert
 
 100         cat >../push-cert-status <<E_O_F
 
 101         SIGNER=${GIT_PUSH_CERT_SIGNER-nobody}
 
 102         KEY=${GIT_PUSH_CERT_KEY-nokey}
 
 103         STATUS=${GIT_PUSH_CERT_STATUS-nostatus}
 
 104         NONCE_STATUS=${GIT_PUSH_CERT_NONCE_STATUS-nononcestatus}
 
 105         NONCE=${GIT_PUSH_CERT_NONCE-nononce}
 
 110         git push --signed dst noop ff +noff &&
 
 114                 SIGNER=C O Mitter <committer@example.com>
 
 119                 sed -n -e "s/^nonce /NONCE=/p" -e "/^$/q" dst/push-cert
 
 122         noop=$(git rev-parse noop) &&
 
 123         ff=$(git rev-parse ff) &&
 
 124         noff=$(git rev-parse noff) &&
 
 125         grep "$noop $ff refs/heads/ff" dst/push-cert &&
 
 126         grep "$noop $noff refs/heads/noff" dst/push-cert &&
 
 127         test_cmp expect dst/push-cert-status
 
 130 test_expect_success GPG 'inconsistent push options in signed push not allowed' '
 
 131         # First, invoke receive-pack with dummy input to obtain its preamble.
 
 133         git -C dst config receive.certnonceseed sekrit &&
 
 134         git -C dst config receive.advertisepushoptions 1 &&
 
 135         printf xxxx | test_might_fail git receive-pack dst >preamble &&
 
 137         # Then, invoke push. Simulate a receive-pack that sends the preamble we
 
 138         # obtained, followed by a dummy packet.
 
 139         write_script myscript <<-\EOF &&
 
 144         test_might_fail git push --push-option="foo" --push-option="bar" \
 
 145                 --receive-pack="\"$(pwd)/myscript\"" --signed dst --delete ff &&
 
 147         # Replay the push output on a fresh dst, checking that ff is truly
 
 150         git -C dst config receive.certnonceseed sekrit &&
 
 151         git -C dst config receive.advertisepushoptions 1 &&
 
 152         git receive-pack dst <push &&
 
 153         test_must_fail git -C dst rev-parse ff &&
 
 155         # Tweak the push output to make the push option outside the cert
 
 156         # different, then replay it on a fresh dst, checking that ff is not
 
 158         perl -pe "s/([^ ])bar/\$1baz/" push >push.tweak &&
 
 160         git -C dst config receive.certnonceseed sekrit &&
 
 161         git -C dst config receive.advertisepushoptions 1 &&
 
 162         git receive-pack dst <push.tweak >out &&
 
 163         git -C dst rev-parse ff &&
 
 164         grep "inconsistent push options" out
 
 167 test_expect_success GPG 'fail without key and heed user.signingkey' '
 
 169         mkdir -p dst/.git/hooks &&
 
 170         git -C dst config receive.certnonceseed sekrit &&
 
 171         write_script dst/.git/hooks/post-receive <<-\EOF &&
 
 172         # discard the update list
 
 174         # record the push certificate
 
 175         if test -n "${GIT_PUSH_CERT-}"
 
 177                 git cat-file blob $GIT_PUSH_CERT >../push-cert
 
 180         cat >../push-cert-status <<E_O_F
 
 181         SIGNER=${GIT_PUSH_CERT_SIGNER-nobody}
 
 182         KEY=${GIT_PUSH_CERT_KEY-nokey}
 
 183         STATUS=${GIT_PUSH_CERT_STATUS-nostatus}
 
 184         NONCE_STATUS=${GIT_PUSH_CERT_NONCE_STATUS-nononcestatus}
 
 185         NONCE=${GIT_PUSH_CERT_NONCE-nononce}
 
 190         unset GIT_COMMITTER_EMAIL &&
 
 191         git config user.email hasnokey@nowhere.com &&
 
 192         test_must_fail git push --signed dst noop ff +noff &&
 
 193         git config user.signingkey committer@example.com &&
 
 194         git push --signed dst noop ff +noff &&
 
 198                 SIGNER=C O Mitter <committer@example.com>
 
 203                 sed -n -e "s/^nonce /NONCE=/p" -e "/^$/q" dst/push-cert
 
 206         noop=$(git rev-parse noop) &&
 
 207         ff=$(git rev-parse ff) &&
 
 208         noff=$(git rev-parse noff) &&
 
 209         grep "$noop $ff refs/heads/ff" dst/push-cert &&
 
 210         grep "$noop $noff refs/heads/noff" dst/push-cert &&
 
 211         test_cmp expect dst/push-cert-status