one for upstream:
git verify-commit has an interesting and unexpected behaviour.
That is, by setting gpg.program I can instruct git to use that program for
gpg actions. According to the manpage:

    Use this custom program instead of "gpg" found on $PATH
    when making or verifying a PGP signature. The program
    must support the same command-line interface as GPG,
    namely, to verify a detached signature, "gpg --verify
    $file - <$signature" is run, and the program is expected
    to signal a good signature by exiting with code 0, and
    to generate an ASCII-armored detached signature, the
    standard input of "gpg -bsau $key" is fed with the
    contents to be signed, and the program is expected to
    send the result to its standard output.

One would expect that exit 0 for a verify means "This signature is
For gpg verify-commit that DOES NOT MATTER. You can exit 1, and it happily
goes off saying all is fine. You can exit 0 and it happily goes off saying
It MUST HAVE gnupg status-like output on stdout and goes on to parse it.
So if you send it a line of (with a trailing space)
it will ALWAYS exit 0, no matter what your actual gpg.program said.
If you do not send this (or anything at all), it ALWAYS exits 1.
This is wrong according to the manpage. If I set gpg.program, exit 0 of
that means "sig is good". Not "parse some random text somewhere and see
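
A defensive check for the disagreement this report describes, as an added example that is not part of the original message: given the exit code and the standard output captured from one run of a gpg.program, it accepts the result only when both agree. The function names and sample lines are constructed for illustration; the `[GNUPG:]` keywords are those of GnuPG's status-line format.

```python
import re

# Keywords from GnuPG's status-line output that mark a failed or degraded check.
FAILURE = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")
# A GOODSIG line carries a long key ID or fingerprint as its first argument.
KEYID_RE = re.compile(r"[0-9A-Fa-f]{16,}(?: |$)")

# Constructed sample status output (not captured from a real run).
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Constructed User <user@example.org>\n"
)
SAMPLE_BAD = "[GNUPG:] BADSIG 0123456789ABCDEF Constructed User <user@example.org>\n"


def parse_status(text):
    """Return (keyword, args) pairs for every status line in the output."""
    found = []
    for line in text.splitlines():
        m = STATUS_RE.match(line.rstrip("\r"))
        if m:
            found.append((m.group(1), m.group(2) or ""))
    return found


def verdict(exit_code, status_text):
    """Classify one verification run of a gpg.program.

    'good'     exit code 0, a GOODSIG line with a key ID, no failure keyword
    'bad'      non-zero exit code and no acceptable GOODSIG line
    'mismatch' exit code and status output disagree; treat as a failure
    """
    lines = parse_status(status_text)
    keywords = {k for k, _ in lines}
    has_good = any(k == "GOODSIG" and KEYID_RE.match(a) for k, a in lines)
    status_good = has_good and not (keywords & FAILURE)
    if exit_code == 0 and status_good:
        return "good"
    if exit_code != 0 and not status_good:
        return "bad"
    return "mismatch"


if __name__ == "__main__":
    for code, text in [(0, SAMPLE_GOOD), (1, SAMPLE_GOOD), (0, ""), (1, SAMPLE_BAD)]:
        print(code, repr(text[:24]), "->", verdict(code, text))
```
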