Package: git
Version: 1:2.11.0-3+deb9u2
Severity: normal

Dear Maintainer,

one for upstream:

git verify-commit has an interesting and unexpected behaviour.
That is, setting gpg.program I can instruct git to use that program for
gpg actions. According to manpage:

     gpg.program
         Use this custom program instead of "gpg" found on $PATH
         when making or verifying a PGP signature. The program
         must support the same command-line interface as GPG,
         namely, to verify a detached signature, "gpg --verify
         $file - <$signature" is run, and the program is expected
         to signal a good signature by exiting with code 0, and
         to generate an ASCII-armored detached signature, the
         standard input of "gpg -bsau $key" is fed with the
         contents to be signed, and the program is expected to
         send the result to its standard output.

One would expect that exit 0 for a verify means "This signature is
fine".

For git verify-commit that DOES NOT MATTER. You can exit 1, and it happily
goes off saying all is fine. You can exit 0 and it happily goes off saying
"bad, broken".

It MUST HAVE gnupg-status-like output on stdout, which it goes and parses.
So if you send it a line of (with a trailing space)

[GNUPG:] GOODSIG 

it will ALWAYS exit 0, no matter what your actual gpg.program said.
If you do not send this (or anything at all), it ALWAYS exits 1.

This is wrong according to the manpage. If I set gpg.program, exit 0 of
that means "sig is good". Not "parse some random text somewhere and see
yourself" magic.
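An added example (not from this report, git or GnuPG) that models the two verdicts described above and shows the defensive counterpart: a gpg.program wrapper that delegates to the real gpg and keeps its stdout consistent with its exit code. It assumes GnuPG's "[GNUPG:] KEYWORD ..." status-line format; REAL_GPG is a placeholder path.

```python
"""Model of the verify behaviour described in the report, plus a wrapper
that makes a custom gpg.program's status output agree with its exit code.
Constructed example; REAL_GPG is a placeholder, not a value from the report."""
import subprocess
import sys

REAL_GPG = "/usr/bin/gpg"          # placeholder: the genuine gpg we delegate to
GOODSIG_LINE = "[GNUPG:] GOODSIG "  # the marker the report says git scans for


def git_style_verdict(stdout_text: str, exit_code: int) -> bool:
    """Behaviour reported for git 2.11: the exit code is not consulted;
    a GOODSIG status line on stdout alone makes the signature 'good'."""
    del exit_code  # deliberately unused, mirroring the report
    return any(l.startswith(GOODSIG_LINE) for l in stdout_text.splitlines())


def strict_verdict(stdout_text: str, exit_code: int) -> bool:
    """What the manpage wording suggests: exit 0 is required, and the status
    output must agree with it (GOODSIG present, no BADSIG/ERRSIG)."""
    lines = stdout_text.splitlines()
    good = any(l.startswith(GOODSIG_LINE) for l in lines)
    bad = any(l.startswith(("[GNUPG:] BADSIG ", "[GNUPG:] ERRSIG ")) for l in lines)
    return exit_code == 0 and good and not bad


def reconcile(stdout_text: str, exit_code: int) -> str:
    """Defensive filter for a gpg.program wrapper: if the real gpg failed,
    drop any GOODSIG line so a status-only parser cannot read it as success."""
    if exit_code == 0:
        return stdout_text
    kept = [l for l in stdout_text.splitlines() if not l.startswith(GOODSIG_LINE)]
    return "\n".join(kept) + ("\n" if kept else "")


def main(argv):
    # Wrapper entry point: run the real gpg with the arguments git passed
    # (stdin is inherited, so "-" still reads the signed content), then
    # emit stdout made consistent with the exit code and propagate that code.
    proc = subprocess.run([REAL_GPG] + argv, stdin=sys.stdin,
                          stdout=subprocess.PIPE)
    sys.stdout.write(reconcile(proc.stdout.decode("utf-8", "replace"),
                               proc.returncode))
    sys.stdout.flush()
    return proc.returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Installing it as `git config gpg.program /path/to/wrapper.py` keeps the observed status-line parsing from ever reporting "good" when the underlying gpg exited non-zero.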

-- 
bye, Joerg
