On Thu, Apr 24, 2025 at 1:39 PM Christian Couder
<christian.couder@xxxxxxxxx> wrote:
>
> A recent commit, d9cb0e6ff8 (fast-export, fast-import: add support for
> signed-commits, 2025-03-10), added support for signed commits.
>
> However, when processing signatures `git fast-export` outputs "gpgsig
> sha1" not just when it encounters an OpenPGP SHA-1 signature, but also
> when it encounters an SSH or X.509 signature. This is not very
> informative to say the least, and this might prevent tools that process
> the output from easily and properly handling signatures.
>
> Let's improve on that by reusing the existing code from
> "gpg-interface.{c,h}" to detect the signature algorithm, and then put
> the signature algorithm name (like "openpgp", "x509" or "ssh") instead
> of "sha1" in the output. If we can't detect the signature algorithm we
> will use "unknown". It might be a signature added by an external tool
> and we should likely keep it.
>
> Similarly on the `git fast-import` side, let's use the existing code
> from "gpg-interface.{c,h}" to check if a signature algorithm name is
> valid. In case of an "unknown" signature algorithm name, we will warn
> but still keep it. Future work might implement several options to let
> users deal with it in different ways, and might implement checking
> known signatures too.
The last sentence is somewhat ambiguous about whether it is only about
the "unknown" case or whether the second half of the sentence was
switching tracks to discuss something else about the known cases. Do
you perhaps mean something like "Future work might implement several
options to let users deal with an "unknown" signature algorithm, and
when we have a valid signature algorithm, we may be able to not only
verify the signature algorithm name but start verifying the signature
itself to ensure it is valid as well." ?
> Signed-off-by: Christian Couder <chriscool@xxxxxxxxxxxxx>
> ---
>
> This is a follow up from cc/signed-fast-export-import that was merged
> by 01d17c0530 (Merge branch 'cc/signed-fast-export-import', 2025-03-29)
> and introduced the support for signed commits.
>
> The format that this series implemented was lacking a bit, so the goal
> with this patch is to improve it and handle signed commits a bit more
> consistently in the code base. It also shows in the tests and in our
> documentation that SSH and X.509 signatures are supported.
>
> Documentation/git-fast-export.adoc | 5 +++
> Documentation/git-fast-import.adoc | 15 +++++++-
> builtin/fast-export.c | 8 ++--
> builtin/fast-import.c | 14 ++++---
> gpg-interface.c | 11 ++++++
> gpg-interface.h | 10 +++++
> t/t9350-fast-export.sh | 60 +++++++++++++++++++++++++++++-
> 7 files changed, 112 insertions(+), 11 deletions(-)
>
> diff --git a/Documentation/git-fast-export.adoc b/Documentation/git-fast-export.adoc
> index 413a527496..d03aeca781 100644
> --- a/Documentation/git-fast-export.adoc
> +++ b/Documentation/git-fast-export.adoc
> @@ -54,6 +54,11 @@ of tools that call 'git fast-export' but do not yet support
> '--signed-commits', you may set the environment variable
> 'FAST_EXPORT_SIGNED_COMMITS_NOABORT=1' in order to change the default
> from 'abort' to 'warn-strip'.
> ++
> +When exported, signature starts with "gpgsig <alg>" where <alg> is the
> +signature algorithm name as identified by Git (e.g. "openpgp", "x509",
> +"ssh", or "sha256" for SHA-256 OpenPGP signatures), or "unknown" for
> +signatures that can't be identified.
>
> --tag-of-filtered-object=(abort|drop|rewrite)::
> Specify how to handle tags whose tagged object is filtered out.
> diff --git a/Documentation/git-fast-import.adoc b/Documentation/git-fast-import.adoc
> index 7b107f5e8e..50b6d2cc1d 100644
> --- a/Documentation/git-fast-import.adoc
> +++ b/Documentation/git-fast-import.adoc
> @@ -521,7 +521,20 @@ The optional `gpgsig` command is used to include a PGP/GPG signature
> that signs the commit data.
>
> Here <alg> specifies which hashing algorithm is used for this
> -signature, either `sha1` or `sha256`.
> +signature. Current valid values are:
> +
> +* "openpgp" for SHA-1 OpenPGP signatures,
> +
> +* "sha256" for SHA-256 OpenPGP signatures,
> +
> +* "x509" for X.509 (GPGSM) signatures,
> +
> +* "ssh", for SSH signatures,
> +
> +* "unknown" for signatures that can't be identified (a warning is
> + emitted).
> +
> +Signatures are not yet checked in the current implementation though.
Thanks for calling this out.
> `encoding`
> ^^^^^^^^^^
> diff --git a/builtin/fast-export.c b/builtin/fast-export.c
> index 170126d41a..d00f02dc74 100644
> --- a/builtin/fast-export.c
> +++ b/builtin/fast-export.c
> @@ -29,6 +29,7 @@
> #include "quote.h"
> #include "remote.h"
> #include "blob.h"
> +#include "gpg-interface.h"
>
> static const char *fast_export_usage[] = {
> N_("git fast-export [<rev-list-opts>]"),
> @@ -700,9 +701,10 @@ static void handle_commit(struct commit *commit, struct rev_info *rev,
> }
>
> if (*commit_buffer_cursor == '\n') {
> - if ((signature = find_commit_multiline_header(commit_buffer_cursor + 1, "gpgsig", &commit_buffer_cursor)))
> - signature_alg = "sha1";
> - else if ((signature = find_commit_multiline_header(commit_buffer_cursor + 1, "gpgsig-sha256", &commit_buffer_cursor)))
> + if ((signature = find_commit_multiline_header(commit_buffer_cursor + 1, "gpgsig", &commit_buffer_cursor))) {
> + const char *name = get_signature_name(signature);
> + signature_alg = name ? name : "unknown";
> + } else if ((signature = find_commit_multiline_header(commit_buffer_cursor + 1, "gpgsig-sha256", &commit_buffer_cursor)))
> signature_alg = "sha256";
> }
>
> diff --git a/builtin/fast-import.c b/builtin/fast-import.c
> index 63880b595c..59e991a03c 100644
> --- a/builtin/fast-import.c
> +++ b/builtin/fast-import.c
> @@ -29,6 +29,7 @@
> #include "commit-reach.h"
> #include "khash.h"
> #include "date.h"
> +#include "gpg-interface.h"
>
> #define PACK_ID_BITS 16
> #define MAX_PACK_ID ((1<<PACK_ID_BITS)-1)
> @@ -2830,12 +2831,15 @@ static void parse_new_commit(const char *arg)
> "encoding %s\n",
> encoding);
> if (sig_alg) {
> - if (!strcmp(sig_alg, "sha1"))
> - strbuf_addstr(&new_data, "gpgsig ");
> - else if (!strcmp(sig_alg, "sha256"))
> + if (!strcmp(sig_alg, "sha256"))
> strbuf_addstr(&new_data, "gpgsig-sha256 ");
> - else
> - die("Expected gpgsig algorithm sha1 or sha256, got %s", sig_alg);
> + else if (valid_signature_name(sig_alg))
> + strbuf_addstr(&new_data, "gpgsig ");
> + else if (!strcmp(sig_alg, "unknown")) {
> + warning("Unknown gpgsig algorithm name!");
> + strbuf_addstr(&new_data, "gpgsig ");
> + } else
> + die("Invalid gpgsig algorithm name, got '%s'", sig_alg);
> string_list_split_in_place(&siglines, sig.buf, "\n", -1);
> strbuf_add_separated_string_list(&new_data, "\n ", &siglines);
> strbuf_addch(&new_data, '\n');
I'm not very familiar with gpg and other signatures, and was stuck
trying to parse this logic when a review from Junio came in, and I
decided to read it since he often "thinks out loud" to see if that'd
explain it better. Sadly, didn't help... ;-) But I'll watch for any
follow-up response you add over there.
> diff --git a/gpg-interface.c b/gpg-interface.c
> index 0896458de5..dc6ea904d0 100644
> --- a/gpg-interface.c
> +++ b/gpg-interface.c
> @@ -144,6 +144,17 @@ static struct gpg_format *get_format_by_sig(const char *sig)
> return NULL;
> }
>
> +const char *get_signature_name(const char *buf)
> +{
> + struct gpg_format *format = get_format_by_sig(buf);
> + return format ? format->name : NULL;
> +}
> +
> +int valid_signature_name(const char *name)
> +{
> + return (get_format_by_name(name) != NULL);
> +}
> +
> void signature_check_clear(struct signature_check *sigc)
> {
> FREE_AND_NULL(sigc->payload);
> diff --git a/gpg-interface.h b/gpg-interface.h
> index e09f12e8d0..332707facc 100644
> --- a/gpg-interface.h
> +++ b/gpg-interface.h
> @@ -47,6 +47,16 @@ struct signature_check {
>
> void signature_check_clear(struct signature_check *sigc);
>
> +/*
> + * Return the name of the signature (like "openpgp", "x509" or "ssh").
> + */
> +const char *get_signature_name(const char *buf);
> +
> +/*
> + * Is the signature name valid (like "openpgp", "x509" or "ssh").
> + */
> +int valid_signature_name(const char *name);
> +
> /*
> * Look at a GPG signed tag object. If such a signature exists, store it in
> * signature and the signed content in payload. Return 1 if a signature was
> diff --git a/t/t9350-fast-export.sh b/t/t9350-fast-export.sh
> index dda9e7c3e7..2e2c83d153 100755
> --- a/t/t9350-fast-export.sh
> +++ b/t/t9350-fast-export.sh
> @@ -326,7 +326,7 @@ test_expect_success GPG 'signed-commits=abort' '
> test_expect_success GPG 'signed-commits=verbatim' '
>
> git fast-export --signed-commits=verbatim --reencode=no commit-signing >output &&
> - grep "^gpgsig sha" output &&
> + grep "^gpgsig openpgp" output &&
> grep "encoding ISO-8859-1" output &&
> (
> cd new &&
> @@ -340,7 +340,7 @@ test_expect_success GPG 'signed-commits=verbatim' '
> test_expect_success GPG 'signed-commits=warn-verbatim' '
>
> git fast-export --signed-commits=warn-verbatim --reencode=no commit-signing >output 2>err &&
> - grep "^gpgsig sha" output &&
> + grep "^gpgsig openpgp" output &&
> grep "encoding ISO-8859-1" output &&
> test -s err &&
> (
> @@ -381,6 +381,62 @@ test_expect_success GPG 'signed-commits=warn-strip' '
>
> '
>
> +test_expect_success GPGSM 'setup x509 signed commit' '
> +
> + git checkout -b x509-signing main &&
> + test_config gpg.format x509 &&
> + test_config user.signingkey $GIT_COMMITTER_EMAIL &&
> + echo "x509 content" >file_for_x509 &&
> + git add file_for_x509 &&
> + git commit -S -m "X.509 signed commit" &&
> + X509_COMMIT=$(git rev-parse --verify HEAD) &&
> + git checkout main
> +
> +'
> +
> +test_expect_success GPGSM 'x509 signature identified' '
> +
> + git fast-export --signed-commits=verbatim --reencode=no x509-signing >output 2>err &&
Is --reencode=no important here or does this work with --reencode=yes
as well? (I understand the default being --reencode=abort and fact
that you are reusing an example that used a specialized encoding means
you need to specify something, was just curious if this particular
value was important)
> + grep "^gpgsig x509" output &&
> + test ! -s err &&
> + (
> + cd new &&
> + git fast-import &&
> + STRIPPED=$(git rev-parse --verify refs/heads/x509-signing) &&
> + test $X509_COMMIT = $STRIPPED
Ah, --reencode=no is critical for the test, but only because you are
trying to ensure you get the same commit back. Should there also be a
test for when something is tweaked, such as the encoding, and whether
the signature is still found?
> + ) <output &&
> + test_might_fail git update-ref -d refs/heads/x509-signing
> +
> +'
> +
> +test_expect_success GPGSSH 'setup ssh signed commit' '
> +
> + git checkout -b ssh-signing main &&
> + test_config gpg.format ssh &&
> + test_config user.signingkey "${GPGSSH_KEY_PRIMARY}" &&
> + echo "ssh content" >file_for_ssh &&
> + git add file_for_ssh &&
> + git commit -S -m "SSH signed commit" &&
> + SSH_COMMIT=$(git rev-parse --verify HEAD) &&
> + git checkout main
> +
> +'
> +
> +test_expect_success GPGSSH 'ssh signature identified' '
> +
> + git fast-export --signed-commits=verbatim --reencode=no ssh-signing >output 2>err &&
Out of curiosity, any particular reason to export the entire history
instead of just the new commit you just added (though you'd likely
want --reference-excluded-parents if you did that, which really ought
to be the default)? Anyway...
> + grep "^gpgsig ssh" output &&
> + test ! -s err &&
> + (
> + cd new &&
> + git fast-import &&
> + STRIPPED=$(git rev-parse --verify refs/heads/ssh-signing) &&
> + test "$SSH_COMMIT" = "$STRIPPED"
Looks like your two tests are for different signature types, but as
noted above, I'm kind of curious to see a test covering what happens
when the resulting commit doesn't exactly match the original but still
retains a signature.
> + ) <output &&
> + test_might_fail git update-ref -d refs/heads/ssh-signing
> +
> +'
> +
> test_expect_success 'setup submodule' '
>
> test_config_global protocol.file.allow always &&
> --
> 2.49.0.392.g2fa1c74b07
