Compare commits


No commits in common. "03bbbcc350177fe359892d70789e0c8a60bd30dd" and "c6d3a512e442776556f1d438602868318222c943" have entirely different histories.

4 changed files with 167 additions and 157 deletions

View File

@ -1,6 +1,6 @@
# git-sig # # sig #
The simple multisig toolchain for git repos. The simple code signature toolchain for git repos.
## Features ## Features
@ -10,7 +10,7 @@ The simple multisig toolchain for git repos.
* Verify code changes made since last time minimum valid signatures were present * Verify code changes made since last time minimum valid signatures were present
* Allow user to manually verify new keys and add to alias groups on the fly * Allow user to manually verify new keys and add to alias groups on the fly
* Prompt user to install or upgrade any required tools as needed * Prompt user to install or upgrade any required tools as needed
* Signs notes against git "tree hash" so signatures survive a rebase * Signs aginst git agnostic "tree hash" so signatures survive rebases
* So long as the directory contents at a given ref do not change * So long as the directory contents at a given ref do not change
## Install ## Install
@ -18,17 +18,15 @@ The simple multisig toolchain for git repos.
1. Clone 1. Clone
``` ```
git clone https://codeberg.org/distrust/git-sig.git git clone git@gitlab.com/pchq/sig.git sig
``` ```
2. Review source code and signatures manually 2. Review source code and signatures manually
Using `git-sig` to verify the signatures of `git-sig` itself is not Using `sig` to verify the signatures of `sig` itself is not recommended.
recommended as it could simply lie to you.
Consider using the following one liner which is much faster to review: Consider using the following one liner which is much faster to review:
``` ```
git fetch origin refs/notes/signatures:refs/notes/signatures
while read -r line; do \ while read -r line; do \
gpg --verify \ gpg --verify \
<(printf "$line" | sed 's/.*pgp://g'| openssl base64 -d -A) \ <(printf "$line" | sed 's/.*pgp://g'| openssl base64 -d -A) \
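Review bot: the right-hand one-liner drops the `git fetch origin refs/notes/signatures:refs/notes/signatures` line, so on a fresh clone it verifies whatever notes happen to be present locally, which is none; keep the fetch in front of the loop. Two smaller points in the same hunk: the clone URL `git@gitlab.com/pchq/sig.git` is missing the colon of an scp-style SSH URL (`git@gitlab.com:pchq/sig.git`), and both sides use note content as a printf format string (`printf "$line"`); note text comes from the remote, so `printf '%s' "$line"` is needed to keep a `%` sequence in a note from altering the bytes handed to `gpg --verify`.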
@ -39,75 +37,68 @@ The simple multisig toolchain for git repos.
3. Copy to `$PATH` 3. Copy to `$PATH`
``` ```
cp git-sig ~/.local/bin/ cp sig ~/.local/bin/
``` ```
## Usage ## Usage
``` * sig verify [-g,--group=<group>] [-t,--threshold=<N>] [-r,--ref=<ref> ] [-d,--diff=<branch>]
git sig add [-m,--method=<note|tag>] [-p,--push] * Verify m-of-n signatures by given group are present for a given git ref.
Add signature for this repository * sig add
git sig remove * Add signature to this git ref
Remove all signatures on current ref * sig fetch [-g,--group=<group>]
git sig verify [-g,--group=<group>] [-t,--threshold=<N>] [d,--diff=<branch>] * Fetch key by fingerprint. Optionally add to group.
Verify m-of-n signatures by given group are present for directory. * sig help
git sig push [-r,--remote=<remote>] * Show help text.
Push all signatures on current ref * sig version
git sig fetch [-g,--group=<group>] * Show version information.
Fetch key by fingerprint. Optionally add to group.
git sig help
Show this text.
git sig version
Show version information.
```
## Methods ## Methods
* Note ### Git
* Store/Verify signatures via Git Notes (default)
* Can be exported and verified by external tools even without git history This method verifies the current HEAD was signed exactly as-is by one or more
* Tag keys.
* Any git signed tags count towards total signatures
* Can optionally store new signatures as "sig-*" signed tag This counts the commit signature, and any number of signed tags pointing at
* Commit this ref.
* Signed commits count as one valid signature
### Assumptions ### Assumptions
- Single sig mode: Repo contents controlled by signer - Single sig mode: Repo contents controlled by signer
- Multi-sig mode: Repo contents verified by multiple signers - Multi-sig mode: Repo contents verified by multiple signers
- Multi-sig group mode: Repo contents approved by specified individuals - Multi-sig group mode: Repo contents approved by specified individuals
- Hashing scheme is not broken: (SHA1, blame Torvalds) - Hashing scheme for respective backend is not broken: (sha256)
## Examples ## Examples
#### Verify at least one signature is present with a known key #### Verify at least one signature is present with a known key
``` ```
git sig verify sig verify
``` ```
#### Verify 2 unique signatures from known keys #### Verify 2 unique signatures from known keys
``` ```
git sig verify --threshold 2 sig verify --threshold 2
``` ```
#### Verify 3 unique signatures from specified signing group #### Verify 3 unique signatures from specified signing group
``` ```
git sig verify --threshold 3 --group myteam sig verify --threshold 3 --group myteam
``` ```
#### Show diff between HEAD and last ref with 2 verified unique signatures #### Show diff between HEAD and last ref with 2 verified unique signatures
``` ```
git sig verify --threshold 2 --diff sig verify --threshold 2 --diff
``` ```
#### Add signature #### Add signature
``` ```
git sig add sig add
``` ```
## Frequently Asked Questions ## Frequently Asked Questions
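Review bot: the Assumptions line on the right, "Hashing scheme for respective backend is not broken: (sha256)", overstates what changed: sha256 is used only for the new find-based tree hash that signed notes cover, while the commit signature and signed tags that this same hunk says still count ("This counts the commit signature, and any number of signed tags") are verified by git over its SHA-1 object graph, so the SHA-1 assumption from the left still holds for two of the three signature sources and should stay listed. The Usage block on the right also drops `push` although the script's dispatcher later in this compare still routes it, and the Methods section names the only method "Git" while the script's usage heredoc keeps `<note|tag>`; one method vocabulary across README, usage and `cmd_add` would keep a user who asks for `tag` from silently getting a note.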

View File

@ -6,9 +6,6 @@ readonly MIN_GPG_VERSION=2.2
readonly MIN_OPENSSL_VERSION=1.1 readonly MIN_OPENSSL_VERSION=1.1
readonly MIN_GETOPT_VERSION=2.33 readonly MIN_GETOPT_VERSION=2.33
GIT_SIG_GPG_VERIFY_COMMAND=${GIT_SIG_GPG_VERIFY_COMMAND:-gpg}
GIT_SIG_SIGN_COMMAND=${GIT_SIG_SIGN_COMMAND:-gpg}
## Private Functions ## Private Functions
### Exit with error message ### Exit with error message
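Review bot: the left side defines `GIT_SIG_GPG_VERIFY_COMMAND`, but every later call site in this diff reads `${GIT_SIG_VERIFY_COMMAND}` (get_uid, get_primary_fp, get_file_fp, group_add_fp, group_get_fps, verify_git_note, the `gpg.program` override in verify_git_commit and the final check_tools line), so the override could never have taken effect and, with the variable unset, a line such as `${GIT_SIG_VERIFY_COMMAND} --list-keys --with-colons "${fp}"` tries to execute `--list-keys` as a command. Removing the indirection on the right fixes that by accident; if the override is wanted back, use one variable name and quote it at every use.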
@ -100,7 +97,7 @@ check_tools(){
for cmd in "$@"; do for cmd in "$@"; do
command -v "$1" >/dev/null || die "Error: $cmd not found" command -v "$1" >/dev/null || die "Error: $cmd not found"
case $cmd in case $cmd in
${GIT_SIG_VERIFY_COMMAND}) gpg)
version=$(gpg --version | head -n1 | cut -d" " -f3) version=$(gpg --version | head -n1 | cut -d" " -f3)
check_version "gnupg" "${version}" "${MIN_GPG_VERSION}" check_version "gnupg" "${version}" "${MIN_GPG_VERSION}"
;; ;;
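Review bot: `command -v "$1"` inside `for cmd in "$@"` tests the first argument on every iteration, so only the first tool in the list is ever checked for existence and a missing tool later in the list is not reported; it should be `command -v "$cmd"`. On the left, `${GIT_SIG_VERIFY_COMMAND})` as an unquoted case pattern collapses to an empty pattern when the variable is unset, so the gpg version check never runs there either.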
@ -119,7 +116,7 @@ check_tools(){
### Get primary UID for a given fingerprint ### Get primary UID for a given fingerprint
get_uid(){ get_uid(){
local -r fp="${1?}" local -r fp="${1?}"
${GIT_SIG_VERIFY_COMMAND} --list-keys --with-colons "${fp}" 2>&1 \ gpg --list-keys --with-colons "${fp}" 2>&1 \
| awk -F: '$1 == "uid" {print $10}' \ | awk -F: '$1 == "uid" {print $10}' \
| head -n1 | head -n1
} }
@ -127,7 +124,7 @@ get_uid(){
### Get primary fingerprint for given search ### Get primary fingerprint for given search
get_primary_fp(){ get_primary_fp(){
local -r search="${1?}" local -r search="${1?}"
${GIT_SIG_VERIFY_COMMAND} --list-keys --with-colons "${search}" 2>&1 \ gpg --list-keys --with-colons "${search}" 2>&1 \
| awk -F: '$1 == "fpr" {print $10}' \ | awk -F: '$1 == "fpr" {print $10}' \
| head -n1 | head -n1
} }
@ -135,7 +132,7 @@ get_primary_fp(){
### Get fingerprint for a given pgp file ### Get fingerprint for a given pgp file
get_file_fp(){ get_file_fp(){
local -r filename="${1?}" local -r filename="${1?}"
${GIT_SIG_VERIFY_COMMAND} --list-packets "$(unknown)" \ gpg --list-packets "$(unknown)" \
| grep keyid \ | grep keyid \
| sed 's/.*keyid //g' | sed 's/.*keyid //g'
} }
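Review bot: `gpg --list-packets "$(unknown)"` runs a command named `unknown` in a subshell and passes its (empty) output as the filename, while the `filename` local declared on the line above is never used; whether this is an extraction artifact or a refactoring leftover, the call should read `gpg --list-packets "${filename}"`. The `grep keyid | sed` pipeline also returns every keyid packet in the file, not only the signer's, so callers that expect a single fingerprint should take the first match or read `--with-colons` output instead.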
@ -171,7 +168,7 @@ group_add_fp(){
done done
echo "Adding key \"${fp}\" to group \"${group_name}\"" echo "Adding key \"${fp}\" to group \"${group_name}\""
${GIT_SIG_VERIFY_COMMAND} --list-keys >/dev/null 2>&1 gpg --list-keys >/dev/null 2>&1
printf 'group:0:%s' "${data%?}" \ printf 'group:0:%s' "${data%?}" \
| gpgconf --change-options gpg >/dev/null 2>&1 | gpgconf --change-options gpg >/dev/null 2>&1
} }
@ -179,7 +176,7 @@ group_add_fp(){
### Get fingerprints for a given group ### Get fingerprints for a given group
group_get_fps(){ group_get_fps(){
local -r group_name=${1?} local -r group_name=${1?}
${GIT_SIG_VERIFY_COMMAND} --with-colons --list-config group \ gpg --with-colons --list-config group \
| grep -i "^cfg:group:${group_name}:" \ | grep -i "^cfg:group:${group_name}:" \
| cut -d ':' -f4 | cut -d ':' -f4
} }
@ -212,7 +209,19 @@ group_check_fp(){
tree_hash() { tree_hash() {
local -r ref="${1:-HEAD}" local -r ref="${1:-HEAD}"
git rev-parse "${ref}^{tree}" local -r target=$(git rev-parse "$ref")
local -r current=$(git rev-parse HEAD)
[ "$target" == "$current" ] || git checkout "$target" >/dev/null 2>&1
mkdir -p ".${PROGRAM}"
printf "%s" "$( \
find . -type f -not -path "./.git/*" \
-exec openssl sha256 -r {} \;\
)" \
| sed -e 's/ \*/ /g' -e 's/ \.\// /g' \
| LC_ALL=C sort -k2 \
| openssl sha256 -r \
| sed -e 's/ .*//g'
[ "$target" == "$current" ] || git checkout "$current" >/dev/null 2>&1
} }
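Review bot: the new tree_hash (right side) checks the target ref out into the working tree in order to hash it, and that has side effects the rest of the script does not account for: `git rev-parse HEAD` yields a commit hash, so the closing `git checkout "$current"` leaves a repository that was on a branch in detached-HEAD state; a failing first checkout is silenced by `>/dev/null 2>&1`, after which the hash is computed over the unchanged tree and attributed to `$ref`; and `find . -type f -not -path "./.git/*"` hashes untracked files while skipping symlinks and file modes, so a signature does not cover a retargeted symlink or a changed executable bit. Hashing the ref's objects without touching the working tree (walking `git ls-tree -r "$ref"` and piping each blob through `git cat-file blob` into `openssl sha256`, with the mode column included in the hashed line) avoids all three problems.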
sig_generate(){ sig_generate(){
@ -224,7 +233,7 @@ sig_generate(){
local -r body="sig:$version:$vcs_ref:$tree_hash:$review_hash:$sig_type" local -r body="sig:$version:$vcs_ref:$tree_hash:$review_hash:$sig_type"
local -r signature=$(\ local -r signature=$(\
printf "%s" "$body" \ printf "%s" "$body" \
| ${GIT_SIG_SIGN_COMMAND} \ | gpg \
--detach-sign \ --detach-sign \
--local-user "$key" \ --local-user "$key" \
| openssl base64 -A \ | openssl base64 -A \
@ -289,7 +298,7 @@ verify_git_note(){
return 1; return 1;
} }
gpg_sig_raw="$( gpg_sig_raw="$(
${GIT_SIG_VERIFY_COMMAND} --verify --status-fd=1 \ gpg --verify --status-fd=1 \
<(printf '%s' "$sig" | openssl base64 -d -A) \ <(printf '%s' "$sig" | openssl base64 -d -A) \
<(printf '%s' "$body") 2>/dev/null \ <(printf '%s' "$body") 2>/dev/null \
)" )"
@ -317,13 +326,7 @@ verify_git_notes(){
verify_git_commit(){ verify_git_commit(){
local -r ref="${1:-HEAD}" local -r ref="${1:-HEAD}"
local gpg_sig_raw local gpg_sig_raw
gpg_sig_raw=$( \ gpg_sig_raw=$(git verify-commit "$ref" --raw 2>&1)
git \
-c "gpg.program=$GIT_SIG_VERIFY_COMMAND" \
verify-commit "$ref" \
--raw \
2>&1 \
)
parse_gpg_status "$gpg_sig_raw" parse_gpg_status "$gpg_sig_raw"
} }
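Review bot: dropping `-c "gpg.program=..."` means `git verify-commit` now uses whatever gpg git is configured with (`gpg.program`, or the first `gpg` on git's PATH), which can differ from the binary that check_tools version-checked and from the one verify_git_note calls; if the override goes, note and commit verification should at least resolve one gpg path and pass it to git explicitly.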
@ -348,7 +351,7 @@ verify(){
local -r group="${2}" local -r group="${2}"
local -r ref=${3:-HEAD} local -r ref=${3:-HEAD}
local sig_count=0 seen_fps fp commit_sig tag_sigs note_sigs local sig_count=0 seen_fps fp commit_sig tag_sigs note_sigs
git rev-parse --git-dir >/dev/null 2>&1 \ [ -d .git ] || [ -L .git ] || [ -f .git ] \
|| die "Error: This folder is not a git repository" || die "Error: This folder is not a git repository"
if [[ $(git diff --stat) != '' ]]; then if [[ $(git diff --stat) != '' ]]; then
die "Error: git tree is dirty" die "Error: git tree is dirty"
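Review bot: the repository check on the right (`[ -d .git ] || [ -L .git ] || [ -f .git ]`) is only true at the repository root, so `sig verify` run from a subdirectory now dies with "not a git repository" where `git rev-parse --git-dir` on the left accepted it. The dirty-tree check on both sides is also incomplete: `git diff --stat` reports neither staged nor untracked changes, and with the new find-based tree_hash an untracked file changes the hash without tripping this check; `[ -z "$(git status --porcelain)" ] || die "Error: git tree is dirty"` covers all three cases.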
@ -384,7 +387,7 @@ verify(){
echo "Error: $error"; echo "Error: $error";
return 1; return 1;
} }
echo "Verified signed git note by \"${uid}\"" echo "Verified signed git note commit by \"${uid}\""
if [[ "${seen_fps}" != *"${fp}"* ]]; then if [[ "${seen_fps}" != *"${fp}"* ]]; then
seen_fps+=" ${fp}" seen_fps+=" ${fp}"
fi fi
@ -420,7 +423,7 @@ get_temp(){
## Add signed tag pointing at this commit. ## Add signed tag pointing at this commit.
## Optionally push to origin. ## Optionally push to origin.
sign_tag(){ sign_tag(){
git rev-parse --git-dir >/dev/null 2>&1 \ [ -d '.git' ] \
|| die "Not a git repository" || die "Not a git repository"
command -v git >/dev/null \ command -v git >/dev/null \
|| die "Git not installed" || die "Git not installed"
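Review bot: `[ -d '.git' ]` here (and at the same position in sign_note in the next hunk) is stricter than the `-d`/`-L`/`-f` check verify() uses on the right, so signing fails inside a linked worktree or submodule, where `.git` is a file, even though verification succeeds there; use one helper for all three call sites, preferably `git rev-parse --git-dir` as on the left, and run the `command -v git` check before it since that helper needs git.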
@ -440,7 +443,7 @@ sign_tag(){
## Add signed git note to this commit ## Add signed git note to this commit
## Optionally push to origin. ## Optionally push to origin.
sign_note() { sign_note() {
git rev-parse --git-dir >/dev/null 2>&1 \ [ -d '.git' ] \
|| die "Not a git repository" || die "Not a git repository"
command -v git >/dev/null \ command -v git >/dev/null \
|| die "Git not installed" || die "Git not installed"
@ -458,21 +461,17 @@ sign_note() {
[[ "$push" -eq "0" ]] || $PROGRAM push [[ "$push" -eq "0" ]] || $PROGRAM push
} }
## Public Commands ## Public Commands
cmd_remove() {
git notes --ref signatures remove
}
cmd_verify() { cmd_verify() {
local opts threshold=1 remote="origin" group="" method="" diff="" local opts threshold=1 group="" method="" diff=""
opts="$(getopt -o t:g:m:o:d:: -l threshold:,group:,ref:,remote:,diff:: -n "$PROGRAM" -- "$@")" opts="$(getopt -o t:g:m:d:: -l threshold:,group:,ref:,diff:: -n "$PROGRAM" -- "$@")"
eval set -- "$opts" eval set -- "$opts"
while true; do case $1 in while true; do case $1 in
-t|--threshold) threshold="$2"; shift 2 ;; -t|--threshold) threshold="$2"; shift 2 ;;
-g|--group) group="$2"; shift 2 ;; -g|--group) group="$2"; shift 2 ;;
-r|--ref) ref="$2"; shift 2 ;; -r|--ref) ref="$2"; shift 2 ;;
-o|--remote) remote="$2"; shift 2 ;;
-d|--diff) diff="1"; shift 2 ;; -d|--diff) diff="1"; shift 2 ;;
--) shift; break ;; --) shift; break ;;
esac done esac done
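Review bot: `ref` is missing from the `local` list on both sides, so `-r|--ref) ref="$2"` writes a global; add it to `local opts threshold=1 ...`. The `-d|--diff` handler also discards `$2`, so the `<branch>` that the usage text advertises for `--diff=<branch>` is never used (the test near the end of this compare passes the branch through `--ref` instead); either store `$2` or drop `=<branch>` from the usage strings. Minor: `m:` stays in the getopt spec on the right although there is no `-m` case and `method` is never read.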
@ -499,6 +498,48 @@ cmd_verify() {
return 1 return 1
} }
cmd_fetch() {
local opts group="" group_fps=""
opts="$(getopt -o g: -l group: -n "$PROGRAM" -- "$@")"
eval set -- "$opts"
while true; do case $1 in
-g|--group) group="${2:-1}"; shift 2 ;;
--) shift; break ;;
esac done
[ $# -eq 1 ] || \
die "Usage: $PROGRAM fetch <fingerprint> [-g,--group=<group>]"
local -r fingerprint=${1}
if [ -n "$group" ]; then
group_fps=$(group_get_fps "${group_name}")
if [[ "${group_fps}" == *"${fingerprint}"* ]]; then
echo "Key \"${fingerprint}\" is already in group \"${group}\""
else
group_add_fp "${fingerprint}" "${group}"
fi
fi
gpg --list-keys "${fingerprint}" > /dev/null 2>&1 \
&& echo "Key \"${fingerprint}\" is already in local keychain" \
&& return 0
echo "Requested key is not in keyring. Trying keyservers..."
for server in \
ha.pool.sks-keyservers.net \
hkp://keyserver.ubuntu.com:80 \
hkp://p80.pool.sks-keyservers.net:80 \
pgp.mit.edu \
; do
echo "Fetching key \"${fingerprint}\" from \"${server}\"";
gpg \
--recv-key \
--keyserver "$server" \
--keyserver-options timeout=10 \
--recv-keys "${fingerprint}" \
&& break
done
}
cmd_add(){ cmd_add(){
local opts method="" push="0" local opts method="" push="0"
opts="$(getopt -o m:p:: -l method:,push:: -n "$PROGRAM" -- "$@")" opts="$(getopt -o m:p:: -l method:,push:: -n "$PROGRAM" -- "$@")"
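Review bot: in cmd_fetch, `group_get_fps "${group_name}"` references a variable that is never set in this function (the option is stored in `group`), so `group_fps` is always empty, the "already in group" branch never fires and `group_add_fp` runs on every call. More important for trust handling, the fingerprint is added to the group before the key has been obtained: if every keyserver in the loop fails, the group still lists a fingerprint whose key is absent and the function returns success. Move the group update after a successful `--list-keys` or `--recv-keys`, return non-zero when no server answered, and drop the duplicated `--recv-key` in front of `--keyserver`. `[[ "${group_fps}" == *"${fingerprint}"* ]]` is a substring match, so a short key id would match any longer fingerprint containing it; compare whole fingerprints.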
@ -509,44 +550,27 @@ cmd_add(){
--) shift; break ;; --) shift; break ;;
esac done esac done
case $method in case $method in
note) sign_note "$push" ;; git) sign_note "$push" ;;
tag) sign_tag "$push" ;;
*) sign_note "$push" ;; *) sign_note "$push" ;;
esac esac
} }
cmd_push() { cmd_push() {
local opts remote="origin" push="0" [ "$#" -eq 0 ] || { usage push; exit 1; }
opts="$(getopt -o r: -l remote: -n "$PROGRAM" -- "$@")" git fetch origin refs/notes/signatures:refs/notes/origin/signatures
eval set -- "$opts" git notes --ref signatures merge -s cat_sort_uniq origin/signatures
while true; do case $1 in git push --tags origin refs/notes/signatures
-r|--remote) remote="$2"; shift 2 ;;
--) shift; break ;;
esac done
git push --tags "$remote" refs/notes/signatures
}
cmd_pull() {
local opts remote="origin"
opts="$(getopt -o r: -l remote: -n "$PROGRAM" -- "$@")"
eval set -- "$opts"
while true; do case $1 in
-r|--remote) remote="$2"; shift 2 ;;
--) shift; break ;;
esac done
git fetch "$remote" refs/notes/signatures:refs/notes/${remote}/signatures
git notes --ref signatures merge -s cat_sort_uniq "${remote}"/signatures
} }
cmd_version() { cmd_version() {
cat <<-_EOF cat <<-_EOF
========================================== ==============================================
= git-sig: multisig trust for git = = sig: simple multisig trust toolchain =
= = = =
= v0.4 = = v0.2 =
= = = =
= https://codeberg.org/distrust/git-sig = = https://github.com/distrust-foundation/sig =
========================================== ==============================================
_EOF _EOF
} }
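Review bot: with the `tag)` arm removed, `sig add --method=tag` on the right falls into `*) sign_note`, so a caller asking for a signed tag silently gets a note instead; keep the arm or make `*)` die on an unknown method. In cmd_push, `usage push` calls a function that does not exist in this file (the help function is `cmd_usage`), so the argument check fails with "command not found" before exiting, and the remote is now hard-coded to `origin` where the left side accepted `-r,--remote`. The version banner points at https://github.com/distrust-foundation/sig while the README clone step in this same compare points at gitlab.com/pchq/sig.git; one canonical URL should be used.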
@ -554,25 +578,21 @@ cmd_usage() {
cmd_version cmd_version
cat <<-_EOF cat <<-_EOF
Usage: Usage:
git sig add [-m,--method=<note|tag>] [-p,--push] $PROGRAM add [-m,--method=<note|tag>] [-p,--push]
Add signature for this repository Add signature for this repository
git sig remove $PROGRAM verify [-g,--group=<group>] [-t,--threshold=<N>] [d,--diff=<branch>]
Remove all signatures on current ref
git sig verify [-g,--group=<group>] [-t,--threshold=<N>] [d,--diff=<branch>]
Verify m-of-n signatures by given group are present for directory. Verify m-of-n signatures by given group are present for directory.
git sig push [-r,--remote=<remote>] $PROGRAM fetch [-g,--group=<group>]
Push all signatures on current ref Fetch key by fingerprint. Optionally add to group.
git sig pull [-r,--remote=<remote>] $PROGRAM help
Pull all signatures for current ref
git sig help
Show this text. Show this text.
git sig version $PROGRAM version
Show version information. Show version information.
_EOF _EOF
} }
# Verify all tools in this list are installed at needed versions # Verify all tools in this list are installed at needed versions
check_tools git head cut find sort sed getopt openssl ${GIT_SIG_VERIFY_COMMAND} check_tools git head cut find sort sed getopt gpg openssl
# Allow entire script to be namespaced based on filename # Allow entire script to be namespaced based on filename
readonly PROGRAM="${0##*/}" readonly PROGRAM="${0##*/}"
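Review bot: the usage text on the right still advertises `--method=<note|tag>` for `add`, which the cmd_add case in the previous hunk no longer honours (`git` is the only named method), and it omits `push`, which the dispatcher at the end of the file still routes; `[d,--diff=<branch>]` is missing its dash on both sides. On the left, `check_tools ... ${GIT_SIG_VERIFY_COMMAND}` references a variable that the top of the script defines under a different name (`GIT_SIG_GPG_VERIFY_COMMAND`), so unless it is set in the environment the expansion is empty and gpg is never version-checked.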
@ -581,9 +601,8 @@ readonly PROGRAM="${0##*/}"
case "$1" in case "$1" in
verify) shift; cmd_verify "$@" ;; verify) shift; cmd_verify "$@" ;;
add) shift; cmd_add "$@" ;; add) shift; cmd_add "$@" ;;
remove) shift; cmd_remove "$@" ;; fetch) shift; cmd_fetch "$@" ;;
push) shift; cmd_push "$@" ;; push) shift; cmd_push "$@" ;;
pull) shift; cmd_pull "$@" ;;
version|--version) shift; cmd_version "$@" ;; version|--version) shift; cmd_version "$@" ;;
help|--help) shift; cmd_usage "$@" ;; help|--help) shift; cmd_usage "$@" ;;
*) cmd_usage "$@" ;; *) cmd_usage "$@" ;;
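Review bot: `push)` remains in the dispatcher on the right while cmd_usage and the README no longer document it, and cmd_push above rejects any argument through the undefined `usage` function; either document `push` again or remove the arm together with cmd_push. The catch-all `*) cmd_usage "$@"` also exits 0 for an unknown subcommand, so a typo such as `sig verfiy` looks like success to a calling script; `cmd_usage; exit 1` in that arm keeps the no-argument case (which the tests expect to exit 0) separate from a bad subcommand.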

View File

@ -1,38 +1,38 @@
load test_helper load test_helper
@test "Outputs help if run without arguments" { @test "Outputs help if run without arguments" {
run git-sig run sig
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
echo "${output}" | grep "multisig trust for git" echo "${output}" | grep "simple multisig trust toolchain"
} }
@test "Outputs help if run with help" { @test "Outputs help if run with help" {
run git-sig help run sig help
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
echo "${output}" | grep "multisig trust for git" echo "${output}" | grep "simple multisig trust toolchain"
} }
@test "Outputs version if run with version" { @test "Outputs version if run with version" {
run git-sig version run sig version
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
echo "${output}" | grep "v0.3" echo "${output}" | grep "v0.2"
} }
@test "Outputs advice to install missing openssl" { @test "Outputs advice to install missing openssl" {
sudo rm /usr/bin/openssl sudo rm /usr/bin/openssl
run git-sig version run sig version
echo "${output}" | grep "apt install openssl" echo "${output}" | grep "apt install openssl"
} }
@test "Outputs advice to install missing gpg" { @test "Outputs advice to install missing gpg" {
sudo rm /usr/bin/gpg sudo rm /usr/bin/gpg
run git-sig version run sig version
echo "${output}" | grep "apt install gnupg" echo "${output}" | grep "apt install gnupg"
} }
@test "Outputs advice to install missing getopt" { @test "Outputs advice to install missing getopt" {
sudo rm /usr/bin/getopt sudo rm /usr/bin/getopt
run git-sig version run sig version
echo "${output}" | grep "apt install getopt" echo "${output}" | grep "apt install getopt"
} }
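Review bot: on the left, the version test greps for "v0.3" while the left cmd_version banner earlier in this compare prints "v0.4", so that test cannot pass against its own script; the right side is consistent (v0.2), but the banner string is repeated in three greps and would be better read from one constant. The three "missing tool" tests run `sudo rm /usr/bin/openssl`, `/usr/bin/gpg` and `/usr/bin/getopt`, which permanently delete system binaries, so this suite is only safe in a disposable container; shadowing the tool through PATH (an empty directory placed first in PATH, with the tool's real directory removed) exercises the same advice without root or destruction.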
@ -43,26 +43,26 @@ load test_helper
git add . git add .
git commit -m "initial commit" git commit -m "initial commit"
echo "dirty" > somefile echo "dirty" > somefile
run git-sig verify run sig verify
[ "$status" -eq 1 ] [ "$status" -eq 1 ]
} }
@test "Exit 1 if git method requested but not a repo" { @test "Exit 1 if git method requested but not a repo" {
run git-sig verify run sig verify
[ "$status" -eq 1 ] [ "$status" -eq 1 ]
} }
@test "Verify succeeds when 1 unique git git-sig requirement is satisfied" { @test "Verify succeeds when 1 unique git sig requirement is satisfied" {
set_identity "user1" set_identity "user1"
echo "test string" > somefile echo "test string" > somefile
git init git init
git add . git add .
git commit -m "initial commit" git commit -m "initial commit"
run git-sig verify run sig verify
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
} }
@test "Verify succeeds when 3 unique git git-sig requirement is satisfied" { @test "Verify succeeds when 3 unique git sig requirement is satisfied" {
git init git init
set_identity "user1" set_identity "user1"
echo "test string 1" > somefile1 echo "test string 1" > somefile1
@ -70,60 +70,60 @@ load test_helper
git commit -m "user1 commit" git commit -m "user1 commit"
set_identity "user2" set_identity "user2"
git log git log
git-sig add sig add
set_identity "user3" set_identity "user3"
git-sig add sig add
run git-sig verify --threshold 3 run sig verify --threshold 3
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
} }
@test "Verify fails when 2 unique git git-sig requirement is not satisfied" { @test "Verify fails when 2 unique git sig requirement is not satisfied" {
git init git init
set_identity "user1" set_identity "user1"
echo "test string 1" > somefile1 echo "test string 1" > somefile1
git add . git add .
git commit -m "user1 commit" git commit -m "user1 commit"
git-sig add sig add
run git-sig verify --threshold 2 run sig verify --threshold 2
[ "$status" -eq 1 ] [ "$status" -eq 1 ]
} }
@test "Verify succeeds when 1 group git git-sig requirement is satisifed" { @test "Verify succeeds when 1 group git sig requirement is satisifed" {
set_identity "user1" set_identity "user1"
echo "test string" > somefile echo "test string" > somefile
git init git init
git add . git add .
git commit -m "initial commit" git commit -m "initial commit"
git-sig fetch --group maintainers AE08157232C35F04309FA478C5EBC4A7CF55A2D0 sig fetch --group maintainers AE08157232C35F04309FA478C5EBC4A7CF55A2D0
run git-sig verify --group maintainers run sig verify --group maintainers
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
} }
@test "Verify succeeds when 3 group git git-sig requirement is satisifed" { @test "Verify succeeds when 3 group git sig requirement is satisifed" {
set_identity "user1" set_identity "user1"
echo "test string" > somefile1 echo "test string" > somefile1
git init git init
git add . git add .
git commit -m "User 1 Commit" git commit -m "User 1 Commit"
set_identity "user2" set_identity "user2"
git-sig add sig add
set_identity "user3" set_identity "user3"
git-sig add sig add
git-sig fetch --group maintainers AE08157232C35F04309FA478C5EBC4A7CF55A2D0 sig fetch --group maintainers AE08157232C35F04309FA478C5EBC4A7CF55A2D0
git-sig fetch --group maintainers BE4D60F6CFD2237A8AF978583C51CADD33BD0EE8 sig fetch --group maintainers BE4D60F6CFD2237A8AF978583C51CADD33BD0EE8
git-sig fetch --group maintainers 3E45AC9E190B4EE32BAE9F61A331AFB540761D69 sig fetch --group maintainers 3E45AC9E190B4EE32BAE9F61A331AFB540761D69
run git-sig verify --threshold 3 --group maintainers run sig verify --threshold 3 --group maintainers
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
} }
@test "Verify fails when 2 group git git-sig requirement is not satisifed" { @test "Verify fails when 2 group git sig requirement is not satisifed" {
set_identity "user1" set_identity "user1"
echo "test string" > somefile echo "test string" > somefile
git init git init
git add . git add .
git commit -m "initial commit" git commit -m "initial commit"
git-sig fetch --group maintainers AE08157232C35F04309FA478C5EBC4A7CF55A2D0 sig fetch --group maintainers AE08157232C35F04309FA478C5EBC4A7CF55A2D0
run git-sig verify --threshold 2 --group maintainers run sig verify --threshold 2 --group maintainers
[ "$status" -eq 1 ] [ "$status" -eq 1 ]
} }
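Review bot: the group tests fetch three hard-coded fingerprints (AE0815..., BE4D60..., 3E45AC...) from public keyservers, so they depend on network access and on those keys still being served; because cmd_fetch adds the fingerprint to the group before the fetch succeeds, a keyserver outage still creates the group and the failure surfaces only as a verification error with no hint of the cause. Importing the test keys from files checked in beside the tests removes the network dependency. Typo in four test names: "satisifed" should be "satisfied".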
@ -136,14 +136,14 @@ load test_helper
git commit -m "User 1 Commit" git commit -m "User 1 Commit"
set_identity "user2" set_identity "user2"
git-sig add sig add
set_identity "user1" set_identity "user1"
echo "updated test string" > somefile1 echo "updated test string" > somefile1
git add . git add .
git commit -m "User 1 Update Commit" git commit -m "User 1 Update Commit"
run git-sig verify --threshold 2 --ref HEAD~1 run sig verify --threshold 2 --ref HEAD~1
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
} }
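Review bot: `sig verify --threshold 2 --ref HEAD~1` on the right exercises the checkout-and-restore path in tree_hash, but the test asserts only on the exit status; add a check that the repository is back on its branch afterwards (for example `git symbolic-ref -q HEAD >/dev/null`, which fails in detached-HEAD state), because tree_hash restores HEAD by commit hash rather than by branch name and leaves the repository detached.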
@ -156,7 +156,7 @@ load test_helper
git commit -m "User 1 Commit" git commit -m "User 1 Commit"
set_identity "user2" set_identity "user2"
git-sig add sig add
set_identity "user1" set_identity "user1"
git checkout -b feature_branch git checkout -b feature_branch
@ -164,7 +164,7 @@ load test_helper
git add . git add .
git commit -m "User 1 Update Commit" git commit -m "User 1 Update Commit"
run git-sig verify --diff --ref master --threshold 2 run sig verify --diff --ref master --threshold 2
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
echo "${output}" | grep "updated test string" echo "${output}" | grep "updated test string"
} }
@ -178,10 +178,10 @@ load test_helper
git commit -m "User 1 Commit 1" git commit -m "User 1 Commit 1"
set_identity "user2" set_identity "user2"
git-sig add sig add
set_identity "user3" set_identity "user3"
git-sig add sig add
set_identity "user1" set_identity "user1"
echo "test string 2" > testfile echo "test string 2" > testfile
@ -189,7 +189,7 @@ load test_helper
git commit -m "User 1 Commit 2" git commit -m "User 1 Commit 2"
set_identity "user2" set_identity "user2"
git-sig add sig add
set_identity "user1" set_identity "user1"
git checkout -b feature_branch git checkout -b feature_branch
@ -197,7 +197,7 @@ load test_helper
git add . git add .
git commit -m "User 1 Commit 3" git commit -m "User 1 Commit 3"
run git-sig verify --diff --threshold 3 run sig verify --diff --threshold 3
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
echo "${output}" | grep "updated test string" echo "${output}" | grep "updated test string"
} }

View File

@ -8,7 +8,7 @@ setup(){
bin_dir=/tmp/bin bin_dir=/tmp/bin
temp_dir=$(mktemp -d -t test-XXXXXXXXXX) temp_dir=$(mktemp -d -t test-XXXXXXXXXX)
mkdir -p /tmp/bin mkdir -p /tmp/bin
ln -sfn /home/test/sig/git-sig /tmp/bin/git-sig ln -sfn /home/test/sig/sig /tmp/bin/sig
export PATH=${bin_dir}:${PATH} export PATH=${bin_dir}:${PATH}
cd "$temp_dir" || return 1 cd "$temp_dir" || return 1
rm -rf ~/.gnupg rm -rf ~/.gnupg
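Review bot: setup() runs `rm -rf ~/.gnupg` and symlinks a hard-coded `/home/test/sig/sig` into /tmp/bin, so running the suite outside its container wipes the developer's real keyring; pointing `GNUPGHOME` at a directory under `$temp_dir` (and deriving the script path from `$BATS_TEST_DIRNAME`) isolates each test without touching the home directory.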