Only use git verify-tag when verifying annotated tags (#26414)

* Only use `git verify-tag` when verifying annotated tags The command `git verify-tag` only applies to annotated tags. When verifying lightweight tags, which are more similar to non-moving branches, one has to use `git verify-commit` instead. Using ':' as a separator is appropriate since that is one of the characters not allowed in a Git reference name. See also https://www.kernel.org/pub/software/scm/git/docs/git-check-ref-format.html * Improve testing of the Git module's gpg verification
2026-05-08 06:12:51 +00:00 · 2017-07-19 17:30:12 +02:00
parent 779d05aec4
commit 593297d7a2
5 changed files with 248 additions and 63 deletions
--- a/test/integration/targets/git/tasks/gpg-verification.yml
+++ b/test/integration/targets/git/tasks/gpg-verification.yml
@@ -0,0 +1,187 @@
+---
+# Test for verification of GnuPG signatures
+
+- name: Create GnuPG verification workdir
+  tempfile:
+    state: directory
+  register: git_gpg_workdir
+
+- name: Define variables based on workdir
+  set_fact:
+    git_gpg_keyfile: "{{ git_gpg_workdir.path }}/testkey.asc"
+    git_gpg_source: "{{ git_gpg_workdir.path }}/source"
+    git_gpg_dest: "{{ git_gpg_workdir.path }}/dest"
+    git_gpg_gpghome: "{{ git_gpg_workdir.path }}/gpg"
+
+- name: Temporary store GnuPG test key
+  copy:
+    content: "{{ git_gpg_testkey }}"
+    dest: "{{ git_gpg_keyfile }}"
+
+- name: Create temporary GNUPGHOME directory
+  file:
+    path: "{{ git_gpg_gpghome }}"
+    state: directory
+    mode: 0700
+
+- name: Import GnuPG test key
+  environment:
+    - GNUPGHOME: "{{ git_gpg_gpghome }}"
+  command: gpg --import {{ git_gpg_keyfile }}
+
+- name: Create local GnuPG signed repository directory
+  file:
+    path: "{{ git_gpg_source }}"
+    state: directory
+
+- name: Generate local GnuPG signed repository
+  environment:
+    - GNUPGHOME: "{{ git_gpg_gpghome }}"
+  shell: |
+    set -e
+    git init
+    touch an_empty_file
+    git add an_empty_file
+    git commit --no-gpg-sign --message "Commit, and don't sign"
+    git tag lightweight_tag/unsigned_commit HEAD
+    git commit --allow-empty --gpg-sign --message "Commit, and sign"
+    git tag lightweight_tag/signed_commit HEAD
+    git tag --annotate --message "This is not a signed tag" unsigned_annotated_tag HEAD
+    git commit --allow-empty --gpg-sign --message "Commit, and sign"
+    git tag --sign --message "This is a signed tag" signed_annotated_tag HEAD
+    git checkout -b some_branch/signed_tip master
+    git commit --allow-empty --gpg-sign --message "Commit, and sign"
+    git checkout -b another_branch/unsigned_tip master
+    git commit --allow-empty --no-gpg-sign --message "Commit, and don't sign"
+    git checkout master
+  args:
+    chdir: "{{ git_gpg_source }}"
+
+- name: Get hash of an unsigned commit
+  command: git show-ref --hash --verify refs/tags/lightweight_tag/unsigned_commit
+  args:
+    chdir: "{{ git_gpg_source }}"
+  register: git_gpg_unsigned_commit
+
+- name: Get hash of a signed commit
+  command: git show-ref --hash --verify refs/tags/lightweight_tag/signed_commit
+  args:
+    chdir: "{{ git_gpg_source }}"
+  register: git_gpg_signed_commit
+
+- name: Clone repo and verify signed HEAD
+  environment:
+    - GNUPGHOME: "{{ git_gpg_gpghome }}"
+  git:
+    repo: "{{ git_gpg_source }}"
+    dest: "{{ git_gpg_dest }}"
+    verify_commit: yes
+
+- name: Clone repo and verify a signed lightweight tag
+  environment:
+    - GNUPGHOME: "{{ git_gpg_gpghome }}"
+  git:
+    repo: "{{ git_gpg_source }}"
+    dest: "{{ git_gpg_dest }}"
+    version: lightweight_tag/signed_commit
+    verify_commit: yes
+
+- name: Clone repo and verify an unsigned lightweight tag (should fail)
+  environment:
+    - GNUPGHOME: "{{ git_gpg_gpghome }}"
+  git:
+    repo: "{{ git_gpg_source }}"
+    dest: "{{ git_gpg_dest }}"
+    version: lightweight_tag/unsigned_commit
+    verify_commit: yes
+  register: git_verify
+  ignore_errors: yes
+
+- name: Check that unsigned lightweight tag verification failed
+  assert:
+    that:
+      - git_verify|failed
+      - git_verify.msg|match("Failed to verify GPG signature of commit/tag.+")
+
+- name: Clone repo and verify a signed commit
+  environment:
+    - GNUPGHOME: "{{ git_gpg_gpghome }}"
+  git:
+    repo: "{{ git_gpg_source }}"
+    dest: "{{ git_gpg_dest }}"
+    version: "{{ git_gpg_signed_commit.stdout }}"
+    verify_commit: yes
+
+- name: Clone repo and verify an unsigned commit
+  environment:
+    - GNUPGHOME: "{{ git_gpg_gpghome }}"
+  git:
+    repo: "{{ git_gpg_source }}"
+    dest: "{{ git_gpg_dest }}"
+    version: "{{ git_gpg_unsigned_commit.stdout }}"
+    verify_commit: yes
+  register: git_verify
+  ignore_errors: yes
+
+- name: Check that unsigned commit verification failed
+  assert:
+    that:
+      - git_verify|failed
+      - git_verify.msg|match("Failed to verify GPG signature of commit/tag.+")
+
+- name: Clone repo and verify a signed annotated tag
+  environment:
+    - GNUPGHOME: "{{ git_gpg_gpghome }}"
+  git:
+    repo: "{{ git_gpg_source }}"
+    dest: "{{ git_gpg_dest }}"
+    version: signed_annotated_tag
+    verify_commit: yes
+
+- name: Clone repo and verify an unsigned annotated tag (should fail)
+  environment:
+    - GNUPGHOME: "{{ git_gpg_gpghome }}"
+  git:
+    repo: "{{ git_gpg_source }}"
+    dest: "{{ git_gpg_dest }}"
+    version: unsigned_annotated_tag
+    verify_commit: yes
+  register: git_verify
+  ignore_errors: yes
+
+- name: Check that unsigned annotated tag verification failed
+  assert:
+    that:
+      - git_verify|failed
+      - git_verify.msg|match("Failed to verify GPG signature of commit/tag.+")
+
+- name: Clone repo and verify a signed branch
+  environment:
+    - GNUPGHOME: "{{ git_gpg_gpghome }}"
+  git:
+    repo: "{{ git_gpg_source }}"
+    dest: "{{ git_gpg_dest }}"
+    version: some_branch/signed_tip
+    verify_commit: yes
+
+- name: Clone repo and verify an unsigned branch (should fail)
+  environment:
+    - GNUPGHOME: "{{ git_gpg_gpghome }}"
+  git:
+    repo: "{{ git_gpg_source }}"
+    dest: "{{ git_gpg_dest }}"
+    version: another_branch/unsigned_tip
+    verify_commit: yes
+  register: git_verify
+  ignore_errors: yes
+
+- name: Check that unsigned branch verification failed
+  assert:
+    that:
+      - git_verify|failed
+      - git_verify.msg|match("Failed to verify GPG signature of commit/tag.+")
+
+- name: Remove GnuPG verification workdir
+  file:
+    path: "{{ git_gpg_workdir.path }}"
+    state: absent
--- a/test/integration/targets/git/tasks/main.yml
+++ b/test/integration/targets/git/tasks/main.yml
@@ -27,7 +27,11 @@
 - include: change-repo-url.yml
 - include: depth.yml
 - include: checkout-new-tag.yml
- include: tag-verification.yml
+- include: gpg-verification.yml
+  when: >
+    not gpg_version.stderr and
+    gpg_version.stdout and
+    git_version.stdout | version_compare("2.1.0", '>=')
 - include: localmods.yml
 - include: reset-origin.yml
 - include: ambiguous-ref.yml
--- a/test/integration/targets/git/tasks/tag-verification.yml
+++ b/test/integration/targets/git/tasks/tag-verification.yml
@@ -1,57 +0,0 @@
---
-  # Test for tag verification
-  # clone a repo checkout signed tag, verify tag
-
- name: Import Jamie Evans GPG key
-  command: gpg --keyserver keyserver.ubuntu.com --recv-key 61107C8E
-  when: >
-    not gpg_version.stderr and
-    gpg_version.stdout and
-    (git_version.stdout | version_compare("2.1.0", '>=') or
-    gpg_version.stdout | version_compare("1.4.16", '>='))
-  
- name: Copy ownertrust
-  copy: "content='2D55902D66FEEBCEA4447C93E79A36DA61107C8E:6:\n' dest=/tmp/ownertrust-git.txt"
-  when: >
-    not gpg_version.stderr and
-    gpg_version.stdout and
-    (git_version.stdout | version_compare("2.1.0", '>=') or
-    gpg_version.stdout | version_compare("1.4.16", '>='))
-
- name: Import ownertrust
-  command: gpg --import-ownertrust /tmp/ownertrust-git.txt
-  when: >
-    not gpg_version.stderr and
-    gpg_version.stdout and
-    (git_version.stdout | version_compare("2.1.0", '>=') or
-    gpg_version.stdout | version_compare("1.4.16", '>='))
-
- name: Clone signed repo and verify tag
-  git: repo={{ repo_verify }} dest={{ checkout_dir }} version=v0.0 verify_commit=yes
-  when: >
-    not gpg_version.stderr and
-    gpg_version.stdout and
-    (git_version.stdout | version_compare("2.1.0", '>=') or
-    gpg_version.stdout | version_compare("1.4.16", '>='))
-
- name: Remove Jamie Evans GPG key
-  command: gpg --batch --yes --delete-key 61107C8E
-  when: >
-    not gpg_version.stderr and
-    gpg_version.stdout and
-    (git_version.stdout | version_compare("2.1.0", '>=') or
-    gpg_version.stdout | version_compare("1.4.16", '>='))
-
- name: Clean up files
-  file: path="{{ item }}" state=absent
-  with_items:
-    - "{{ checkout_dir }}"
-    - /tmp/ownertrust-git.txt
-  when: >
-    not gpg_version.stderr and
-    gpg_version.stdout and
-    (git_version.stdout | version_compare("2.1.0", '>=') or
-    gpg_version.stdout | version_compare("1.4.16", '>='))
-
- name: clear checkout_dir
-  file: state=absent path={{ checkout_dir }}