Package: git
Version: 1:2.11.0-3+deb9u2
Severity: normal

Dear Maintainer,

one for upstream: git verify-commit has an interesting and unexpected behaviour. That is, by setting gpg.program I can instruct git to use that program for gpg actions. According to the manpage:

    gpg.program
        Use this custom program instead of "gpg" found on $PATH when making
        or verifying a PGP signature. The program must support the same
        command-line interface as GPG, namely, to verify a detached
        signature, "gpg --verify $file - <$signature" is run, and the
        program is expected to signal a good signature by exiting with
        code 0, and to generate an ASCII-armored detached signature, the
        standard input of "gpg -bsau $key" is fed with the contents to be
        signed, and the program is expected to send the result to its
        standard output.

One would expect that exit 0 for a verify means "This signature is fine". For git verify-commit that DOES NOT MATTER. You can exit 1, and it happily goes off saying all is fine. You can exit 0 and it happily goes off saying "bad, broken". It MUST HAVE gnupg-status-like output on stdout and goes to parse it. So if you send it a line of (with a trailing space)

    [GNUPG:] GOODSIG 

it will ALWAYS exit 0, no matter what your actual gpg.program said. If you do not send this (or anything at all), it ALWAYS exits 1.

This is wrong according to the manpage. If I set gpg.program, exit 0 of that means "sig is good". Not "parse some random text somewhere and see yourself" magic.

-- 
bye, Joerg
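An added example, not part of the bug report and not git's own code: a small POSIX-shell stand-in for gpg.program that emits the `[GNUPG:] GOODSIG ` status line the report says git looks for, with its exit code chosen independently, so the two can be varied against each other on a signed commit. It also carries a helper that mirrors the check the report describes (accept iff a status line begins with `[GNUPG:] GOODSIG ` followed by a space). The invocation shape assumed for git 2.11 (`--status-fd=1 --keyid-format=long --verify <sigfile> -`, payload on stdin), the `FAKE_GPG_STATUS` / `FAKE_GPG_EXIT` variables, the placeholder key id and user id, and all function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report, not from git). A stand-in for
# gpg.program that lets the exit code and the status output be chosen
# independently, to observe which of the two "git verify-commit" acts on.
#
# Assumed for this example: git runs the program as
#   <gpg.program> --status-fd=1 --keyid-format=long --verify <sigfile> -
# with the signed payload on stdin. FAKE_GPG_STATUS (good|bad|none) and
# FAKE_GPG_EXIT are variables invented here.
#
# Usage as gpg.program, against any signed commit (save as fake-gpg.sh):
#   FAKE_GPG_STATUS=good FAKE_GPG_EXIT=1 \
#     git -c gpg.program="$PWD/fake-gpg.sh" verify-commit HEAD; echo "git exit: $?"
#   FAKE_GPG_STATUS=none FAKE_GPG_EXIT=0 \
#     git -c gpg.program="$PWD/fake-gpg.sh" verify-commit HEAD; echo "git exit: $?"

# Emit the status line git is reported to parse. The trailing space after
# GOODSIG is significant according to the report. Key id and user id are
# placeholders made up for this example.
emit_status() {
    case "${1:-none}" in
        good) printf '[GNUPG:] GOODSIG 0123456789ABCDEF Example <example@example.invalid>\n' ;;
        bad)  printf '[GNUPG:] BADSIG 0123456789ABCDEF Example <example@example.invalid>\n' ;;
        none) : ;;   # print nothing at all
    esac
}

# Find the status fd a wrapper must write to, from --status-fd=N or
# "--status-fd N" in the argument list. Defaults to 2, gpg's own default.
status_fd_from_args() {
    fd=2
    while [ $# -gt 0 ]; do
        case "$1" in
            --status-fd=*) fd=${1#--status-fd=} ;;
            --status-fd)   shift; fd=${1:-2} ;;
        esac
        shift
    done
    echo "$fd"
}

# The check the report describes git as applying to the status output:
# accept iff some line starts with "[GNUPG:] GOODSIG " (trailing space).
# The exit code of the program that produced the text plays no part here.
accepts_status() {
    printf '%s\n' "$1" | grep -q '^\[GNUPG:\] GOODSIG '
}

# Act as the gpg.program: drain stdin (the payload), write the chosen status
# to the status fd git asked for, then exit with the chosen code.
fake_gpg_main() {
    cat >/dev/null
    fd=$(status_fd_from_args "$@")
    emit_status "${FAKE_GPG_STATUS:-good}" >&"$fd"
    exit "${FAKE_GPG_EXIT:-0}"
}

# Only behave as gpg when actually invoked with --verify, so sourcing this
# file just for its helper functions does nothing.
for arg in "$@"; do
    [ "$arg" = "--verify" ] && fake_gpg_main "$@"
done
```

Running the two usage lines against a signed commit shows, for the installed git, whether the exit status of gpg.program or the presence of the GOODSIG status line decides the result; the manpage text quoted in the report only promises the former.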