Am Fri, 6 Jul 2018 01:14:47 +
schrieb "brian m. carlson" :
> On Tue, Jul 03, 2018 at 02:38:20PM +0200, Henning Schild wrote:
> > Add test cases to cover the new X509/gpgsm support. Most of them
> > resemble existing ones. They just switch the format to X509 and set
> > the signingkey when creating signatures. Validation of signatures
> > does not need any configuration of git, it does need gpgsm to be
> > configured to trust the key(-chain).
> > We generate a self-signed key for commit...@example.com and
> > configure gpgsm to trust it.
> >
> > Signed-off-by: Henning Schild
> > ---
> > t/lib-gpg.sh | 9 ++-
> > t/lib-gpg/gpgsm-gen-key.in | 6 +
> > t/t4202-log.sh | 66
> > ++
> > t/t5534-push-signed.sh | 52
> > t/t7003-filter-branch.sh |
> > 15 +++ t/t7030-verify-tag.sh | 47
> > +++-- t/t7600-merge.sh | 31
> > ++ 7 files changed, 223 insertions(+), 3
> > deletions(-) create mode 100644 t/lib-gpg/gpgsm-gen-key.in
> >
> > diff --git a/t/lib-gpg.sh b/t/lib-gpg.sh
> > index a5d3b2cba..9dcb4e990 100755
> > --- a/t/lib-gpg.sh
> > +++ b/t/lib-gpg.sh
> > @@ -38,7 +38,14 @@ then
> > "$TEST_DIRECTORY"/lib-gpg/ownertrust &&
> > gpg --homedir "${GNUPGHOME}" /dev/null
> > 2>&1 \ --sign -u commit...@example.com &&
> > - test_set_prereq GPG
> > + test_set_prereq GPG &&
> > + echo | gpgsm --homedir "${GNUPGHOME}" -o
> > "$TEST_DIRECTORY"/lib-gpg/gpgsm.crt.user --passphrase-fd 0
> > --pinentry-mode loopback --generate-key --batch
> > "$TEST_DIRECTORY"/lib-gpg/gpgsm-gen-key.in &&
> > + gpgsm --homedir "${GNUPGHOME}" --import
> > "$TEST_DIRECTORY"/lib-gpg/gpgsm.crt.user &&
> > + gpgsm --homedir "${GNUPGHOME}" -K | grep
> > fingerprint: | cut -d" " -f4 | tr -d '\n' >
> > ${GNUPGHOME}/trustlist.txt &&
> > + echo " S relax" >> ${GNUPGHOME}/trustlist.txt &&
> > + (gpgconf --kill gpg-agent >/dev/null 2>&1 || : ) &&
> > + echo hello | gpgsm --homedir "${GNUPGHOME}" -u
> > commit...@example.com -o /dev/null --sign - 2>&1 &&
> > + test_set_prereq GPGSM
>
> It looks like the GPGSM prerequisite will only be set if the GPG
> prerequisite is set as well. Do we want to consider the case when the
> user might have gpgsm but not gpg?
Nice finding, i should have tried to hide that better ;).
I thought about it when writing the code. There might be distributions
where you can install one without the other. I also introduces a few
tests that rely on the implication, where GPGSM tests on top of GPG.
(i.e. t7030 "create signed tags x509")
The implication is really just there for the tests, not for end-users.
Dropping it would create more variations in testing (make it more
expensive).
I would say it is not worth it at the moment.
Implementing the gpg.format detection by actually calling the "other"
program to find which one knows the key, would shine another light on
that one. But i kind of doubt that idea is a good one.
Henning
