Package: git
Version: 1:2.11.0-3+deb9u2
Severity: normal
Dear Maintainer,
one for upstream:
git verify-commit has an interesting and unexpected behaviour.
That is, setting gpg.program I can instruct git to use that program for
gpg actions. According to manpage:
gpg.program
Use this custom program instead of "gpg" found on $PATH
when making or verifying a PGP signature. The program
must support the same command-line interface as GPG,
namely, to verify a detached signature, "gpg --verify
$file - <$signature" is run, and the program is expected
to signal a good signature by exiting with code 0, and
to generate an ASCII-armored detached signature, the
standard input of "gpg -bsau $key" is fed with the
contents to be signed, and the program is expected to
send the result to its standard output.
One would expect that exit 0 for a verify means "This signature is
fine".
For gpg verify-commit that DOES NOT MATTER. You can exit 1, and it happily
goes off saying all is fine. You can exit 0 and it happily goes off saying
"bad, broken".
It MUST HAVE gnupg-status-like output on stdout and goes to parse it.
So if you send it a line of (with a trailing space)
[GNUPG:] GOODSIG
it will ALWAYS exit 0, no matter what your actual gpg.program said.
If you do not send this (or anything at all), it ALWAYS exits 1.
This is wrong according to the manpage. If I set gpg.program, exit 0 of
that means "sig is good". Not "parse some random text somewhere and see
yourself" magic.
--
bye, Joerg
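To make the behaviour described in the report concrete, here is an added illustration (not git's source and not part of the bug report) of a verifier that reads GnuPG status lines ("[GNUPG:] ...") from a gpg.program's stdout, alongside a stricter check that also requires exit code 0. The status lines, key id and signer name below are constructed sample data.

```python
import re

# A GnuPG status line looks like "[GNUPG:] KEYWORD [args...]".
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")

# Status keywords that decide a verification, mapped to a one-letter verdict:
# G = good, B = bad, E = error / unknown key, X = expired key, Y = revoked key.
VERDICTS = {"GOODSIG": "G", "BADSIG": "B", "ERRSIG": "E",
            "NO_PUBKEY": "E", "EXPKEYSIG": "X", "REVKEYSIG": "Y"}

# Constructed sample output of a gpg.program (illustration only).
SAMPLE_GOOD = ("[GNUPG:] NEWSIG\n"
               "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>\n"
               "[GNUPG:] TRUST_FULLY 0 pgp\n")
SAMPLE_HUMAN_ONLY = "gpg: Good signature from \"Example Signer\"\n"


def parse_gpg_status(stdout: str) -> dict:
    """Extract verdict, key id and signer from status-fd style output.

    Verdict 'N' means no deciding status line was seen at all; human-readable
    gpg chatter that is not a "[GNUPG:]" line is ignored entirely."""
    result = {"verdict": "N", "keyid": None, "signer": None}
    for line in stdout.splitlines():
        m = STATUS_RE.match(line)
        if not m or m.group(1) not in VERDICTS:
            continue
        keyword, args = m.group(1), m.group(2) or ""
        result["verdict"] = VERDICTS[keyword]
        keyid, _, signer = args.partition(" ")
        result["keyid"] = keyid or None
        result["signer"] = signer or None
    return result


def status_only_ok(stdout: str) -> bool:
    """The rule the report describes: only the GOODSIG status line counts,
    so an exit code is never consulted."""
    return parse_gpg_status(stdout)["verdict"] == "G"


def signature_ok(stdout: str, exit_code: int) -> bool:
    """Stricter rule a wrapper author would expect from the manpage: accept
    only when the program exited 0 AND reported GOODSIG on stdout."""
    return exit_code == 0 and status_only_ok(stdout)
```

A gpg.program wrapper that forwards to the real gpg must therefore keep its status output on stdout, or the caller sees no "[GNUPG:]" lines and treats the signature as unverified regardless of the exit code.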