/* * Copyright (C) 2021, Thomas Wolf and others * * This program and the accompanying materials are made available under the * terms of the Eclipse Distribution License v. 1.0 which is available at * https://www.eclipse.org/org/documents/edl-v10.php. * * SPDX-License-Identifier: BSD-3-Clause */ package org.eclipse.jgit.lib; import java.io.IOException; import java.util.Date; import org.eclipse.jgit.annotations.NonNull; import org.eclipse.jgit.annotations.Nullable; import org.eclipse.jgit.api.errors.JGitInternalException; import org.eclipse.jgit.revwalk.RevObject; /** * A {@code GpgVerifier} can verify GPG signatures on git commits and tags. * * @since 5.11 */ public interface GpgSignatureVerifier { /** * Verifies the signature on a signed commit or tag. * * @param object * to verify * @param config * the {@link GpgConfig} to use * @return a {@link SignatureVerification} describing the outcome of the * verification, or {@code null} if the object was not signed * @throws IOException * if an error occurs getting a public key * @throws org.eclipse.jgit.api.errors.JGitInternalException * if signature verification fails */ @Nullable SignatureVerification verifySignature(@NonNull RevObject object, @NonNull GpgConfig config) throws IOException; /** * Verifies a given signature for given data. * * @param data * the signature is for * @param signatureData * the ASCII-armored signature * @return a {@link SignatureVerification} describing the outcome * @throws IOException * if the signature cannot be parsed * @throws JGitInternalException * if signature verification fails */ public SignatureVerification verify(byte[] data, byte[] signatureData) throws IOException; /** * Retrieves the name of this verifier. This should be a short string * identifying the engine that verified the signature, like "gpg" if GPG is * used, or "bc" for a BouncyCastle implementation. * * @return the name */ @NonNull String getName(); /** * A {@link GpgSignatureVerifier} may cache public keys to speed up * verifying signatures on multiple objects. This clears this cache, if any. */ void clear(); /** * A {@code SignatureVerification} returns data about a (positively or * negatively) verified signature. */ interface SignatureVerification { // Data about the signature. @NonNull Date getCreationDate(); // Data from the signature used to find a public key. /** * Obtains the signer as stored in the signature, if known. * * @return the signer, or {@code null} if unknown */ String getSigner(); /** * Obtains the short or long fingerprint of the public key as stored in * the signature, if known. * * @return the fingerprint, or {@code null} if unknown */ String getKeyFingerprint(); // Some information about the found public key. /** * Obtains the OpenPGP user ID associated with the key. * * @return the user id, or {@code null} if unknown */ String getKeyUser(); /** * Tells whether the public key used for this signature verification was * expired when the signature was created. * * @return {@code true} if the key was expired already, {@code false} * otherwise */ boolean isExpired(); /** * Obtains the trust level of the public key used to verify the * signature. * * @return the trust level */ @NonNull TrustLevel getTrustLevel(); // The verification result. /** * Tells whether the signature verification was successful. * * @return {@code true} if the signature was verified successfully; * {@code false} if not. */ boolean getVerified(); /** * Obtains a human-readable message giving additional information about * the outcome of the verification. * * @return the message, or {@code null} if none set. */ String getMessage(); } /** * The owner's trust in a public key. */ enum TrustLevel { UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE } }