A signed tag has a detached signature like this:
object ...
[...more header...]
This is the tag body.
-----BEGIN PGP SIGNATURE-----
[opaque gpg data]
-----END PGP SIGNATURE-----
Our parser finds the _first_ line that appears to start a
PGP signature block, meaning we may be confused by a
signature (or a signature-like line) in the actual body.
Let's keep parsing and always find the final block, which
should be the detached signature over all of the preceding
content.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Ben Toews <mastahyeti@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
size_t parse_signature(const char *buf, size_t size)
{
size_t len = 0;
- while (len < size && !is_gpg_start(buf + len)) {
- const char *eol = memchr(buf + len, '\n', size - len);
+ size_t match = size;
+ while (len < size) {
+ const char *eol;
+
+ if (is_gpg_start(buf + len))
+ match = len;
+
+ eol = memchr(buf + len, '\n', size - len);
len += eol ? eol - (buf + len) + 1 : size - len;
}
- return len;
+ return match;
}
void set_signing_key(const char *key)
git tag -v blanknonlfile-signed-tag
'
+test_expect_success GPG 'signed tag with embedded PGP message' '
+ cat >msg <<-\EOF &&
+ -----BEGIN PGP MESSAGE-----
+
+ this is not a real PGP message
+ -----END PGP MESSAGE-----
+ EOF
+ git tag -s -F msg confusing-pgp-message &&
+ git tag -v confusing-pgp-message
+'
+
# messages with commented lines for signed tags:
cat >sigcommentsfile <<EOF
projects / git / commitdiff