From efee9553a4f97b2ecd8f49be19606dd4cf7d9c28 Mon Sep 17 00:00:00 2001 From: Michael J Gruber Date: Fri, 17 Jun 2016 19:38:59 -0400 Subject: gpg-interface: check gpg signature creation status When we create a signature, it may happen that gpg returns with "success" but not with an actual detached signature on stdout. Check for the correct signature creation status to catch these cases better. Really, --status-fd parsing is the only way to check gpg status reliably. We do the same for verify already. Signed-off-by: Michael J Gruber Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- gpg-interface.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'gpg-interface.c') diff --git a/gpg-interface.c b/gpg-interface.c index 74f08a2a0e..08356f92e7 100644 --- a/gpg-interface.c +++ b/gpg-interface.c @@ -153,9 +153,11 @@ int sign_buffer(struct strbuf *buffer, struct strbuf *signature, const char *sig struct child_process gpg = CHILD_PROCESS_INIT; int ret; size_t i, j, bottom; + struct strbuf gpg_status = STRBUF_INIT; argv_array_pushl(&gpg.args, gpg_program, + "--status-fd=2", "-bsau", signing_key, NULL); @@ -167,10 +169,12 @@ int sign_buffer(struct strbuf *buffer, struct strbuf *signature, const char *sig */ sigchain_push(SIGPIPE, SIG_IGN); ret = pipe_command(&gpg, buffer->buf, buffer->len, - signature, 1024, NULL, 0); + signature, 1024, &gpg_status, 0); sigchain_pop(SIGPIPE); - if (ret || signature->len == bottom) + ret |= !strstr(gpg_status.buf, "\n[GNUPG:] SIG_CREATED "); + strbuf_release(&gpg_status); + if (ret) return error(_("gpg failed to sign the data")); /* Strip CR from the line endings, in case we are on Windows. */ -- cgit v1.3