From 8ca64c3440cd0d0aa4ceedc929edf1aebef8d265 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Pfeuffer?=
Date: Fri, 27 Nov 2020 13:35:54 +0100
Subject: [PATCH] Fix signature check for git tags

---
 .../main/java/sonia/scm/repository/GitUtil.java | 4 +++-
 .../scm/repository/spi/GitTagsCommandTest.java | 15 +++------------
 2 files changed, 6 insertions(+), 13 deletions(-)

diff --git a/scm-plugins/scm-git-plugin/src/main/java/sonia/scm/repository/GitUtil.java b/scm-plugins/scm-git-plugin/src/main/java/sonia/scm/repository/GitUtil.java
index 5650f59938..72d74803d8 100644
--- a/scm-plugins/scm-git-plugin/src/main/java/sonia/scm/repository/GitUtil.java
+++ b/scm-plugins/scm-git-plugin/src/main/java/sonia/scm/repository/GitUtil.java
@@ -65,6 +65,7 @@ import javax.servlet.http.HttpServletRequest;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.Map;
 import java.util.Optional;
@@ -637,7 +638,8 @@ public final class GitUtil {
 PublicKey publicKey = publicKeyById.get();
- boolean verified = publicKey.verify(messageBytes, signature.getBytes());
+ String rawMessage = message.substring(0, signatureStartIndex);
+ boolean verified = publicKey.verify(rawMessage.getBytes(), signature.getBytes());
 return Optional.of(new Signature(
 publicKeyId,
 "gpg",
diff --git a/scm-plugins/scm-git-plugin/src/test/java/sonia/scm/repository/spi/GitTagsCommandTest.java b/scm-plugins/scm-git-plugin/src/test/java/sonia/scm/repository/spi/GitTagsCommandTest.java
index f93fd801c1..fa20318e15 100644
--- a/scm-plugins/scm-git-plugin/src/test/java/sonia/scm/repository/spi/GitTagsCommandTest.java
+++ b/scm-plugins/scm-git-plugin/src/test/java/sonia/scm/repository/spi/GitTagsCommandTest.java
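Review bot: The added `import java.util.Arrays;` in the first GitUtil hunk is not referenced by anything this patch adds — the diffstat reports three insertions for GitUtil.java, and the other two (`rawMessage` and the new `verified` line) do not use Arrays — so unless an unseen part of the file already depended on it, this is a dead import that an unused-import check will flag. Drop the `+import java.util.Arrays;` line or, if it was meant for a byte-array comparison that did not make it into the patch, add that code.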
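Review bot: `rawMessage.getBytes()` in the second GitUtil hunk encodes the signed payload with the JVM's default charset, so the bytes handed to `publicKey.verify` depend on the host's `file.encoding` rather than on the bytes git actually signed; a tag whose message or tagger line contains non-ASCII text may then verify on one host and fail on another, and any byte sequence that did not survive the earlier decode into `message` cannot be reproduced at all. Prefer slicing the original tag bytes up to the signature start if they are available where `message` is built, or at minimum `publicKey.verify(rawMessage.getBytes(StandardCharsets.UTF_8), signature.getBytes(StandardCharsets.UTF_8))` so the encoding is fixed (the same default-charset call on `signature.getBytes()` is carried over from the old line). The removed line was the only visible reader of `messageBytes`; if its assignment outside the hunk has no other use it is now an unused local. The enclosing method starts and ends outside the hunk, so where `message` and `signatureStartIndex` come from cannot be confirmed here.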
@@ -30,6 +30,7 @@ import org.junit.runner.RunWith;
 import org.mockito.ArgumentMatchers;
 import org.mockito.Mock;
 import org.mockito.junit.MockitoJUnitRunner;
+import sonia.scm.repository.SignatureStatus;
 import sonia.scm.repository.Tag;
 import sonia.scm.security.GPG;
 import sonia.scm.security.PublicKey;
@@ -89,18 +90,7 @@ public class GitTagsCommandTest extends AbstractGitCommandTestBase {
 "tag signedtag\n" +
 "tagger Arthur Dent 1606248906 +0100\n" +
 "\n" +
- "this tag is signed\n" +
- "-----BEGIN PGP SIGNATURE-----\n" +
- "\n" +
- "iQEzBAABCgAdFiEEK6J3IfETwAXMFvBrrmPvvEnxQM8FAl+9acoACgkQrmPvvEnx\n" +
- "QM9abwgAnGP+Y/Ijli+PAsimfOmZQWYepjptoOv9m7i3bnHv8V+Qg6cm51I3E0YV\n" +
- "R2QaxxzW9PgS4hcES+L1qs8Lwo18RurF469eZEmNb8DcUFJ3sEWeHlIl5wZNNo/v\n" +
- "jJm0d9LNcSmtAIiQ8eDMoGdFXJzHewGickLOSsQGmfZgZus4Qlsh7r3BZTI1Zwd/\n" +
- "6jaBFctX13FuepCTxq2SjEfRaQHIYkyFQq2o6mjL5S2qfYJ/S//gcCCzxllQrisF\n" +
- "5fRW3LzLI4eXFH0vua7+UzNS2Rwpifg2OENJA/Kn+3R36LWEGxFK9pNqjVPRAcQj\n" +
- "1vSkcjK26RqhAqCjNLSagM8ATZrh+g==\n" +
- "=kUKm\n" +
- "-----END PGP SIGNATURE-----\n";
+ "this tag is signed\n";
 when(publicKey.verify(signedContent.getBytes(), signature.getBytes())).thenReturn(true);
 final GitContext gitContext = createContext();
@@ -111,6 +101,7 @@ public class GitTagsCommandTest extends AbstractGitCommandTestBase {
 Tag signedTag = tags.get(1);
 assertThat(signedTag.getSignatures()).isNotEmpty();
+assertThat(signedTag.getSignatures().get(0).getStatus()).isEqualTo(SignatureStatus.VERIFIED);
 }
 @Override
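Review bot: The expected `signedContent` in the second GitTagsCommandTest hunk is pure ASCII, so `signedContent.getBytes()` on the test side and the production-side `getBytes()` agree under every platform charset and the stub cannot tell a fixed-encoding payload from a default-charset one. Putting one non-ASCII character into the fixture — for example an accented letter in the `tagger` line, matching the accented author name on this very patch — would make the mock only match when production encodes the signed bytes the same way the test does. The test method's declaration and the `signature` fixture lie outside the hunk.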
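Review bot: The new `isEqualTo(SignatureStatus.VERIFIED)` assertion in the last hunk only covers the path where the stubbed `publicKey.verify` returns true; there is no companion case in which it returns false, so a regression that reports VERIFIED regardless of the verify result would still pass. Add a second test that stubs `when(publicKey.verify(ArgumentMatchers.any(), ArgumentMatchers.any())).thenReturn(false);` and asserts `assertThat(signedTag.getSignatures().get(0).getStatus()).isNotEqualTo(SignatureStatus.VERIFIED);` (ArgumentMatchers is already imported in the first hunk). The enclosing test method starts outside the hunk.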