Bug 570560 - improve git gpg checking message
Summary: improve git gpg checking message
Status: CONFIRMED
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Git (show other bugs)
Hardware: All Linux
Importance: Normal enhancement
Assignee: Gentoo Infrastructure
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-01-02 05:38 UTC by SpanKY
Modified: 2016-01-06 17:54 UTC

See Also:
Package list:
Runtime testing required: ---


Description SpanKY gentoo-dev 2016-01-02 05:38:33 UTC
my signing key expired, so i generated a new one, and updated ldap on the dev box.  but git push is still rejecting me.  last i heard, the git server keyring was manually synced, so can we get this resynced ?

if it is automatic now, can we update the error message to indicate how long one has to wait before it auto-resyncs ?  it would also help if the rejection message indicated *which commit* and *which key* were causing problems.

$ git branch -v
* master a97b5d8 [ahead 4] net-misc/suite3270: version bump to 3.4_p10

$ git config --get user.signingkey
0xC9975267

$ git log --show-signature -4 |& grep ^gpg:
gpg: Signature made Sat 02 Jan 2016 12:28:13 AM EST using RSA key ID C9975267
gpg: Good signature from "Mike Frysinger (Key for signing Gentoo related stuff) <vapier@gentoo.org>" [ultimate]
gpg: Signature made Sat 02 Jan 2016 12:27:56 AM EST using RSA key ID C9975267
gpg: Good signature from "Mike Frysinger (Key for signing Gentoo related stuff) <vapier@gentoo.org>" [ultimate]
gpg: Signature made Sat 02 Jan 2016 12:27:23 AM EST using RSA key ID C9975267
gpg: Good signature from "Mike Frysinger (Key for signing Gentoo related stuff) <vapier@gentoo.org>" [ultimate]
gpg: Signature made Sat 02 Jan 2016 12:26:49 AM EST using RSA key ID C9975267
gpg: Good signature from "Mike Frysinger (Key for signing Gentoo related stuff) <vapier@gentoo.org>" [ultimate]

$ git push --signed
Counting objects: 20, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (20/20), done.
Writing objects: 100% (20/20), 4.56 KiB | 0 bytes/s, done.
Total 20 (delta 16), reused 0 (delta 0)
remote: No signature found
remote: Your push was not signed with a known key.
remote: You must use git push --signed with a known key.
remote: Variable GIT_PUSH_CERT_KEY=''
remote: Variable GIT_PUSH_CERT_NONCE='1451713054-cdcbb439ee4b1c86ac46'
remote: Variable GIT_PUSH_CERT_NONCE_SLOP=''
remote: Variable GIT_PUSH_CERT_NONCE_STATUS='OK'
remote: Variable GIT_PUSH_CERT_SIGNER=''
remote: Variable GIT_PUSH_CERT_STATUS='N'
To ssh://git@git.gentoo.org/repo/gentoo.git
 ! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'ssh://git@git.gentoo.org/repo/gentoo.git'
Comment 1 SpanKY gentoo-dev 2016-01-02 06:05:05 UTC
looks like it went through now.  so let's go with feature requests:

(1) add to the end of the rejection message something like:
If you just update your key in ldap, then it can take ~15 minutes to sync.
Please consult <wiki page> for more details.

(2) correctly handle unknown keys.  the error just says "remote: No signature found" which is clearly incorrect -- it should say something like:
Signature found with unknown key 0xXXXXXXXX
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2016-01-06 07:28:29 UTC
(In reply to SpanKY from comment #1)
> (1) add to the end of the rejection message something like:
> If you just update your key in ldap, then it can take ~15 minutes to sync.
> Please consult <wiki page> for more details.
Message added.

> (2) correctly handle unknown keys.  the error just says "remote: No
> signature found" which is clearly incorrect -- it should say something like:
> Signature found with unknown key 0xXXXXXXXX
The code DOES correctly handle this. Your commit was NOT signed, as evidenced by Git setting GIT_PUSH_CERT_STATUS=N

I don't know why your 'git push --signed' did not sign it, but it wasn't a server-side error.

Here's the entire script for you (before I changed the message).
=====
#!/bin/bash
# ${!var} (indirect expansion) below is a bash feature, not POSIX sh,
# so the hook has to run under bash.

# ----------------------------------------------------------------------
# standard stuff
die() { echo "$@" >&2; exit 1; }
warn() { echo "$@" >&2; }

# Print the rejection reason plus every GIT_PUSH_CERT_* variable git
# exported to this hook, then refuse the push.
fail_signed_push() {
    warn "$@"
    warn "Your push was not signed with a known key."
    warn "You must use git push --signed with a known key."
    for var in \
        GIT_PUSH_CERT_KEY \
        GIT_PUSH_CERT_NONCE \
        GIT_PUSH_CERT_NONCE_SLOP \
        GIT_PUSH_CERT_NONCE_STATUS \
        GIT_PUSH_CERT_SIGNER \
        GIT_PUSH_CERT_STATUS \
        ; do
        warn "Variable $var='${!var}'"
    done
    exit 1
}

# ----------------------------------------------------------------------
# GIT_PUSH_CERT_STATUS uses the same letters as git log's %G? format.
case $GIT_PUSH_CERT_STATUS in
    # Good
    G) ;;
    # Bad
    B) fail_signed_push "Bad signature" ;;
    # Untrusted good
    U) ;; # TODO: deny this later
    #U) fail_signed_push "Good but untrusted signature" ;;
    # No signature
    N) fail_signed_push "No signature found" ;;
    # Future-proof
    *) fail_signed_push "Unknown GIT_PUSH_CERT_STATUS" ;;
esac
exit 0
=====
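An added example, not the Gentoo Infrastructure hook quoted above: a pre-receive check that names the key and signer in every rejection (the detail requested in comment 1), gives untrusted and unknown keys their own message, and enforces the push-certificate nonce status that the original script only prints. The function names and argument-passing form are this example's own; the status letters are git's documented %G? values, with E, X, Y and R only emitted by newer git releases.

```shell
#!/bin/sh
# Added example, not the Gentoo hook: every rejection names the key and
# signer, unknown/untrusted keys get their own message, and the nonce
# status is enforced. Arguments are used instead of reading the
# GIT_PUSH_CERT_* environment directly so the logic can be tested outside git.

# reject STATUS KEY SIGNER NONCE_STATUS MESSAGE: explain the rejection, return 1.
reject() {
    echo "$5" >&2
    echo "cert status=$1 key='${2:-none}' signer='${3:-none}' nonce=$4" >&2
    echo "If you just updated your key in LDAP, allow ~15 minutes for the keyring to sync." >&2
    return 1
}

# check_push_cert STATUS KEY SIGNER NONCE_STATUS: 0 if the push may proceed, 1 if not.
check_push_cert() {
    pc_status=$1 pc_key=$2 pc_nonce=$4
    # Nonce first: a valid signature over a stale, missing or foreign nonce may be
    # a replayed certificate, so it is refused whatever the signature status.
    case "$pc_nonce" in
        OK|SLOP) ;;
        *) reject "$@" "Push certificate nonce not accepted: $pc_nonce"; return 1 ;;
    esac
    # Letters are those of git log's %G? format; E, X, Y and R are only
    # produced by newer git releases, older ones never emit them.
    case "$pc_status" in
        G) return 0 ;;
        U) reject "$@" "Good signature, but key $pc_key is not trusted by the server keyring" ;;
        B) reject "$@" "Bad signature from key $pc_key" ;;
        E) reject "$@" "Signature found with unknown key ${pc_key:-?}" ;;
        X|Y|R) reject "$@" "Signature by an expired or revoked key $pc_key (status $pc_status)" ;;
        N) reject "$@" "No signature found: push again with git push --signed" ;;
        *) reject "$@" "Unknown GIT_PUSH_CERT_STATUS '$pc_status'" ;;
    esac
}

# Hook entry point: git sets GIT_DIR and exports GIT_PUSH_CERT_* when it runs
# a pre-receive hook; outside git only the functions are defined.
if [ -n "${GIT_DIR:-}" ]; then
    check_push_cert "${GIT_PUSH_CERT_STATUS:-N}" "${GIT_PUSH_CERT_KEY:-}" \
        "${GIT_PUSH_CERT_SIGNER:-}" "${GIT_PUSH_CERT_NONCE_STATUS:-MISSING}" || exit 1
fi
```

Installed as hooks/pre-receive on the server, a missing certificate defaults to status N and nonce MISSING, so an unsigned push is refused with the full explanation.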
Comment 3 SpanKY gentoo-dev 2016-01-06 17:54:52 UTC
(In reply to Robin Johnson from comment #2)

i'm pretty sure it was signed.  i ran a script:
  while ! git push --signed ; do sleep 5m ; done

it failed a few times before working.  i doubt something on my side randomly started signing.