test: add commit signing

kuwv · kuwv · commit 5749d4a492ba · 2022-05-05T11:21:45.000-04:00
docs: add commit signing recipe

test: cleanup unzipped cruft

test: additional housekeeping

test: additional housekeeping
diff --git a/docs/recipes/git-commit.rst b/docs/recipes/git-commit.rst
@@ -52,6 +52,61 @@ The rest is the same:
     >>> tree = index.write_tree()
     >>> repo.create_commit(ref, author, committer, message, tree, parents)
 
+
+----------------------------------------------------------------------
+Signing a commit
+----------------------------------------------------------------------
+
+Add everything, and commit with a GPG signature:
+
+.. code-block:: bash
+
+    $ git add .
+    $ git commit -S -m "Signed commit"
+
+.. code-block:: python
+
+    >>> index = repo.index
+    >>> index.add_all()
+    >>> index.write()
+    >>> author = Signature('Alice Author', 'alice@authors.tld')
+    >>> committer = Signature('Cecil Committer', 'cecil@committers.tld')
+    >>> message = "Signed commit"
+    >>> tree = index.write_tree()
+    >>> parents = []
+    >>> commit_string = repo.create_commit_string(
+    >>>     author, committer, message, tree, parents
+    >>> )
+
+The ``commit_string`` can then be signed by a third party library:
+
+.. code-block:: python
+    >>> gpg = YourGPGToolHere()
+    >>> signed_commit = gpg.sign(
+    >>>     commit_string,
+    >>>     passphrase='secret',
+    >>>     detach=True,
+    >>> )
+
+.. note::
+    The commit signature should resemble:
+
+    .. code-block:: none
+        >>> -----BEGIN PGP SIGNATURE-----
+        >>>
+        >>> < base64 encoded hash here >
+        >>> -----END PGP SIGNATURE-----
+
+The signed commit can then be added to the branch:
+
+.. code-block:: python
+
+    >>> commit = repo.create_commit_with_signature(
+    >>>     commit_string, signed_commit.data.decode('utf-8')
+    >>> )
+    >>> repo.head.set_target(commit)
+
+
 ----------------------------------------------------------------------
 References
 ----------------------------------------------------------------------
diff --git a/test/conftest.py b/test/conftest.py
@@ -53,6 +53,7 @@ def emptyrepo(tmp_path):
     with utils.TemporaryRepository('emptyrepo.zip', tmp_path) as path:
         yield pygit2.Repository(path)
 
+
 @pytest.fixture
 def encodingrepo(tmp_path):
     with utils.TemporaryRepository('encoding.zip', tmp_path) as path:
@@ -81,3 +82,9 @@ def testrepo_path(tmp_path):
 def testrepopacked(tmp_path):
     with utils.TemporaryRepository('testrepopacked.zip', tmp_path) as path:
         yield pygit2.Repository(path)
+
+
+@pytest.fixture
+def gpgsigned(tmp_path):
+    with utils.TemporaryRepository('gpgsigned.zip', tmp_path) as path:
+        yield pygit2.Repository(path)
diff --git a/test/data/gpgsigned.zip b/test/data/gpgsigned.zip
diff --git a/test/test_commit_gpg.py b/test/test_commit_gpg.py
@@ -1,4 +1,4 @@
-# Copyright 2010-2021 The pygit2 contributors
+# Copyright 2010-2022 The pygit2 contributors
 #
 # This file is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License, version 2,
@@ -23,49 +23,120 @@
 # the Free Software Foundation, 51 Franklin Street, Fifth Floor,
 # Boston, MA 02110-1301, USA.
 
-import pygit2
-import pytest
+from pygit2 import GIT_OBJ_COMMIT, Oid, Signature
 
-from . import utils
+content = """\
+tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904
+parent 8496071c1b46c854b31185ea97743be6a8774479
+author Ben Burkert <ben@benburkert.com> 1358451456 -0800
+committer Ben Burkert <ben@benburkert.com> 1358451456 -0800
 
+a simple commit which works\
+"""
 
-@pytest.fixture
-def repo(tmp_path):
-    with utils.TemporaryRepository('gpgsigned.zip', tmp_path) as path:
-        yield pygit2.Repository(path)
+gpgsig = """\
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.12 (Darwin)
 
+iQIcBAABAgAGBQJQ+FMIAAoJEH+LfPdZDSs1e3EQAJMjhqjWF+WkGLHju7pTw2al
+o6IoMAhv0Z/LHlWhzBd9e7JeCnanRt12bAU7yvYp9+Z+z+dbwqLwDoFp8LVuigl8
+JGLcnwiUW3rSvhjdCp9irdb4+bhKUnKUzSdsR2CK4/hC0N2i/HOvMYX+BRsvqweq
+AsAkA6dAWh+gAfedrBUkCTGhlNYoetjdakWqlGL1TiKAefEZrtA1TpPkGn92vbLq
+SphFRUY9hVn1ZBWrT3hEpvAIcZag3rTOiRVT1X1flj8B2vGCEr3RrcwOIZikpdaW
+who/X3xh/DGbI2RbuxmmJpxxP/8dsVchRJJzBwG+yhwU/iN3MlV2c5D69tls/Dok
+6VbyU4lm/ae0y3yR83D9dUlkycOnmmlBAHKIZ9qUts9X7mWJf0+yy2QxJVpjaTGG
+cmnQKKPeNIhGJk2ENnnnzjEve7L7YJQF6itbx5VCOcsGh3Ocb3YR7DMdWjt7f8pu
+c6j+q1rP7EpE2afUN/geSlp5i3x8aXZPDj67jImbVCE/Q1X9voCtyzGJH7MXR0N9
+ZpRF8yzveRfMH8bwAJjSOGAFF5XkcR/RNY95o+J+QcgBLdX48h+ZdNmUf6jqlu3J
+7KmTXXQcOVpN6dD3CmRFsbjq+x6RHwa8u1iGn+oIkX908r97ckfB/kHKH7ZdXIJc
+cpxtDQQMGYFpXK/71stq
+=ozeK
+-----END PGP SIGNATURE-----\
+"""
 
-def test_get_gpg_signature_when_signed(repo):
-    signed_hash = 'a00b212d5455ad8c4c1779f778c7d2a81bb5da23'
-    expected_signature = (
-        '-----BEGIN PGP SIGNATURE-----\n\n'
-        'iQFGBAABCgAwFiEEQZu9JtePgJbDk7VC0+mlK74z13oFAlpzXykSHG1hcmtAbWFy\n'
-        'a2FkYW1zLm1lAAoJENPppSu+M9d6FRoIAJXeQRRT1V47nnHITiel6426loYkeij7\n'
-        '66doGNIyll95H92SwH4LAjPyEEByIG1VsA6NztzUoNgnEvAXI0iAz3LyI7N16M4b\n'
-        'dPDkC72pp8tu280H5Qt5b2V5hmlKKSgtOS5iNhdU/FbWVS8MlHsqzQTZfoTdi6ch\n'
-        'KWUsjzudVd3F/H/AU+1Jsxt8Iz/oK4T/puUQLnJZKjKlljGP994FA3JIpnZpZmbG\n'
-        'FybYJEDXnng7uhx3Fz/Mo3KBJoQfAExTtaToY0n0hSjOe6GN9rEsRSMK3mWdysf2\n'
-        'wOdtYMMcT16hG5tAwnD/myZ4rIIpyZJ/9mjymdUsj6UKf7D+vJuqfsI=\n=IyYy\n'
-        '-----END PGP SIGNATURE-----'
-    ).encode('ascii')
+gpgsig_content = """\
+tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904
+parent 8496071c1b46c854b31185ea97743be6a8774479
+author Ben Burkert <ben@benburkert.com> 1358451456 -0800
+committer Ben Burkert <ben@benburkert.com> 1358451456 -0800
+gpgsig -----BEGIN PGP SIGNATURE-----
+ Version: GnuPG v1.4.12 (Darwin)
+ 
+ iQIcBAABAgAGBQJQ+FMIAAoJEH+LfPdZDSs1e3EQAJMjhqjWF+WkGLHju7pTw2al
+ o6IoMAhv0Z/LHlWhzBd9e7JeCnanRt12bAU7yvYp9+Z+z+dbwqLwDoFp8LVuigl8
+ JGLcnwiUW3rSvhjdCp9irdb4+bhKUnKUzSdsR2CK4/hC0N2i/HOvMYX+BRsvqweq
+ AsAkA6dAWh+gAfedrBUkCTGhlNYoetjdakWqlGL1TiKAefEZrtA1TpPkGn92vbLq
+ SphFRUY9hVn1ZBWrT3hEpvAIcZag3rTOiRVT1X1flj8B2vGCEr3RrcwOIZikpdaW
+ who/X3xh/DGbI2RbuxmmJpxxP/8dsVchRJJzBwG+yhwU/iN3MlV2c5D69tls/Dok
+ 6VbyU4lm/ae0y3yR83D9dUlkycOnmmlBAHKIZ9qUts9X7mWJf0+yy2QxJVpjaTGG
+ cmnQKKPeNIhGJk2ENnnnzjEve7L7YJQF6itbx5VCOcsGh3Ocb3YR7DMdWjt7f8pu
+ c6j+q1rP7EpE2afUN/geSlp5i3x8aXZPDj67jImbVCE/Q1X9voCtyzGJH7MXR0N9
+ ZpRF8yzveRfMH8bwAJjSOGAFF5XkcR/RNY95o+J+QcgBLdX48h+ZdNmUf6jqlu3J
+ 7KmTXXQcOVpN6dD3CmRFsbjq+x6RHwa8u1iGn+oIkX908r97ckfB/kHKH7ZdXIJc
+ cpxtDQQMGYFpXK/71stq
+ =ozeK
+ -----END PGP SIGNATURE-----
 
-    expected_payload = (
-        'tree c36c20831e43e5984c672a714661870b67ab1d95\nauthor Mark Adams '
-        '<madams@atlassian.com> 1517510299 -0600\ncommitter Mark Adams <ma'
-        'dams@atlassian.com> 1517510441 -0600\n\nMaking a GPG signed commi'
-        't\n'
-    ).encode('ascii')
+a simple commit which works\
+"""
+# NOTE: ^^^ mind the gap (space must exist after GnuPG header) ^^^
+# XXX: seems macos wants the space while linux does not
 
-    commit = repo.get(signed_hash)
+
+def test_commit_signing(gpgsigned):
+    repo = gpgsigned
+    message = "a simple commit which works"
+    author = Signature(
+        name="Ben Burkert",
+        email="ben@benburkert.com",
+        time=1358451456,
+        offset=-480,
+    )
+    committer = Signature(
+        name="Ben Burkert",
+        email="ben@benburkert.com",
+        time=1358451456,
+        offset=-480,
+    )
+    tree = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"
+    parents = ["8496071c1b46c854b31185ea97743be6a8774479"]
+
+    # create commit string
+    commit_string = repo.create_commit_string(
+        author, committer, message, tree, parents
+    )
+    assert commit_string == content
+
+    # create/retrieve signed commit
+    oid = repo.create_commit_with_signature(content, gpgsig)
+    commit = repo.get(oid)
     signature, payload = commit.gpg_signature
 
-    assert signature == expected_signature
-    assert payload == expected_payload
+    # validate signed commit
+    assert content == payload.decode("utf-8")
+    assert gpgsig == signature.decode("utf-8")
+    assert gpgsig_content == commit.read_raw().decode("utf-8")
+
+    # perform sanity checks
+    assert GIT_OBJ_COMMIT == commit.type
+    assert "6569fdf71dbd99081891154641869c537784a3ba" == commit.hex
+    assert commit.message_encoding is None
+    assert message == commit.message
+    assert 1358451456 == commit.commit_time
+    assert committer == commit.committer
+    assert author == commit.author
+    assert tree == commit.tree.hex
+    assert Oid(hex=tree) == commit.tree_id
+    assert 1 == len(commit.parents)
+    assert parents[0] == commit.parents[0].hex
+    assert Oid(hex=parents[0]) == commit.parent_ids[0]
+
 
+def test_get_gpg_signature_when_unsigned(gpgsigned):
+    unhash = "5b5b025afb0b4c913b4c338a42934a3863bf3644"
 
-def test_get_gpg_signature_when_unsigned(repo):
-    unsigned_hash = 'a84938d1d885e80dae24b86b06621cec47ff6edd'
-    commit = repo.get(unsigned_hash)
+    repo = gpgsigned
+    commit = repo.get(unhash)
     signature, payload = commit.gpg_signature
 
     assert signature is None
