From ddd7c7ab12a25850e96f550567ef06fb9bea0cc0 Mon Sep 17 00:00:00 2001 From: Justin Tobler Date: Thu, 26 Mar 2026 14:14:14 -0500 Subject: fast-import: add 'abort-if-invalid' mode to '--signed-tags=' In git-fast-import(1), the 'abort-if-invalid' mode for the '--signed-commits' option verifies commit signatures during import and aborts the entire operation when verification fails. Extend the same behavior to signed tag objects by introducing an 'abort-if-invalid' mode for the '--signed-tags' option. Signed-off-by: Justin Tobler Signed-off-by: Junio C Hamano --- t/t9306-fast-import-signed-tags.sh | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 't') diff --git a/t/t9306-fast-import-signed-tags.sh b/t/t9306-fast-import-signed-tags.sh index bb4c8008ef..ec2b241cdb 100755 --- a/t/t9306-fast-import-signed-tags.sh +++ b/t/t9306-fast-import-signed-tags.sh @@ -77,7 +77,7 @@ test_expect_success GPGSSH 'import SSH signed tag with --signed-tags=strip' ' test_grep ! "SSH SIGNATURE" out ' -for mode in strip-if-invalid sign-if-invalid +for mode in strip-if-invalid sign-if-invalid abort-if-invalid do test_expect_success GPG "import tag with no signature with --signed-tags=$mode" ' test_when_finished rm -rf import && @@ -112,6 +112,14 @@ do # `data ` command would have to be changed too. sed "s/OpenPGP signed tag/OpenPGP forged tag/" output >modified && + if test "$mode" = abort-if-invalid + then + test_must_fail git -C import fast-import --quiet \ + --signed-tags=$mode log 2>&1 && + test_grep "aborting due to invalid signature" log && + return 0 + fi && + git -C import fast-import --quiet --signed-tags=$mode log 2>&1 && IMPORTED=$(git -C import rev-parse --verify refs/tags/openpgp-signed) && -- cgit v1.3-5-g9baa