/*
 * Copyright (C) 2021, 2024 Thomas Wolf <twolf@apache.org> and others
 *
 * This program and the accompanying materials are made available under the
 * terms of the Eclipse Distribution License v. 1.0 which is available at
 * https://www.eclipse.org/org/documents/edl-v10.php.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
package org.eclipse.jgit.lib;

import java.io.IOException;
import java.util.Date;

import org.eclipse.jgit.annotations.NonNull;
import org.eclipse.jgit.annotations.Nullable;
import org.eclipse.jgit.api.errors.JGitInternalException;
import org.eclipse.jgit.revwalk.RevObject;

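/**
 * A {@code GpgSignatureVerifier} can verify GPG signatures on git commits and
 * tags.
 * <p>
 * Note that a positive {@link SignatureVerification#getVerified()} only
 * states that the signature checked out against a public key. Whether that
 * key was expired ({@link SignatureVerification#isExpired()}) and how far it
 * is trusted ({@link SignatureVerification#getTrustLevel()}) are reported as
 * separate fields; callers that enforce a signing policy must consult those
 * as well rather than relying on {@code getVerified()} alone.
 * </p>
 *
 * @since 5.11
 */
public interface GpgSignatureVerifier {

	/**
	 * Verifies the signature on a signed commit or tag.
	 * <p>
	 * A {@code null} result means the object carries no signature at all; it
	 * must not be mistaken for a successful verification.
	 * </p>
	 *
	 * @param object
	 *            to verify
	 * @param config
	 *            the {@link GpgConfig} to use
	 * @return a {@link SignatureVerification} describing the outcome of the
	 *         verification, or {@code null} if the object was not signed
	 * @throws IOException
	 *             if an error occurs getting a public key
	 * @throws JGitInternalException
	 *             if signature verification fails
	 */
	@Nullable
	SignatureVerification verifySignature(@NonNull RevObject object,
			@NonNull GpgConfig config) throws IOException;

	/**
	 * Verifies a given signature for given data.
	 * <p>
	 * The default implementation exists only for backwards compatibility: it
	 * does not look at {@code config} and simply delegates to the deprecated
	 * {@link #verify(byte[], byte[])}. Implementations are expected to
	 * override this method so that the supplied configuration is honoured.
	 * </p>
	 *
	 * @param config
	 *            the {@link GpgConfig}
	 * @param data
	 *            the signature is for
	 * @param signatureData
	 *            the ASCII-armored signature
	 * @return a {@link SignatureVerification} describing the outcome
	 * @throws IOException
	 *             if the signature cannot be parsed
	 * @throws JGitInternalException
	 *             if signature verification fails
	 * @since 6.9
	 */
	default SignatureVerification verify(@NonNull GpgConfig config, byte[] data,
			byte[] signatureData) throws IOException {
		// Backwards-compatible fallback for implementations written before
		// 6.9: the config is deliberately not consulted here, so new
		// implementations should override this method.
		return verify(data, signatureData);
	}

	/**
	 * Verifies a given signature for given data.
	 *
	 * @param data
	 *            the signature is for
	 * @param signatureData
	 *            the ASCII-armored signature
	 * @return a {@link SignatureVerification} describing the outcome
	 * @throws IOException
	 *             if the signature cannot be parsed
	 * @throws JGitInternalException
	 *             if signature verification fails
	 * @deprecated since 6.9, use {@link #verify(GpgConfig, byte[], byte[])}
	 *             instead
	 */
	@Deprecated
	SignatureVerification verify(byte[] data, byte[] signatureData)
			throws IOException;

	/**
	 * Retrieves the name of this verifier. This should be a short string
	 * identifying the engine that verified the signature, like "gpg" if GPG is
	 * used, or "bc" for a BouncyCastle implementation.
	 *
	 * @return the name
	 */
	@NonNull
	String getName();

	/**
	 * A {@link GpgSignatureVerifier} may cache public keys to speed up
	 * verifying signatures on multiple objects. This clears this cache, if any.
	 */
	void clear();

	/**
	 * A {@code SignatureVerification} returns data about a (positively or
	 * negatively) verified signature.
	 * <p>
	 * The accessors fall into three groups: data taken from the signature
	 * itself, data about the public key that was found for it, and the actual
	 * verification result. A consumer deciding whether to accept a signed
	 * object should look at all three.
	 * </p>
	 */
	interface SignatureVerification {

		// Data about the signature.

		/**
		 * Obtains the creation date recorded in the signature.
		 * <p>
		 * {@link Date} is mutable; implementations should not hand out an
		 * internal instance that a caller could modify.
		 * </p>
		 *
		 * @return the creation date of the signature, never {@code null}
		 */
		@NonNull
		Date getCreationDate();

		// Data from the signature used to find a public key.

		/**
		 * Obtains the signer as stored in the signature, if known.
		 *
		 * @return the signer, or {@code null} if unknown
		 */
		@Nullable
		String getSigner();

		/**
		 * Obtains the short or long fingerprint of the public key as stored in
		 * the signature, if known.
		 * <p>
		 * A short key ID is only a lookup hint and is not collision resistant;
		 * it should not be used on its own to decide which key signed.
		 * </p>
		 *
		 * @return the fingerprint, or {@code null} if unknown
		 */
		@Nullable
		String getKeyFingerprint();

		// Some information about the found public key.

		/**
		 * Obtains the OpenPGP user ID associated with the key.
		 *
		 * @return the user id, or {@code null} if unknown
		 */
		@Nullable
		String getKeyUser();

		/**
		 * Tells whether the public key used for this signature verification was
		 * expired when the signature was created.
		 * <p>
		 * This is reported independently of {@link #getVerified()}; whether an
		 * expired key also makes the verification fail is up to the
		 * implementation.
		 * </p>
		 *
		 * @return {@code true} if the key was expired already, {@code false}
		 *         otherwise
		 */
		boolean isExpired();

		/**
		 * Obtains the trust level of the public key used to verify the
		 * signature.
		 * <p>
		 * This is reported independently of {@link #getVerified()}; a
		 * signature may verify against a key the owner does not trust.
		 * </p>
		 *
		 * @return the trust level
		 */
		@NonNull
		TrustLevel getTrustLevel();

		// The verification result.

		/**
		 * Tells whether the signature verification was successful.
		 * <p>
		 * Policy decisions should additionally take {@link #isExpired()} and
		 * {@link #getTrustLevel()} into account.
		 * </p>
		 *
		 * @return {@code true} if the signature was verified successfully;
		 *         {@code false} if not.
		 */
		boolean getVerified();

		/**
		 * Obtains a human-readable message giving additional information about
		 * the outcome of the verification.
		 *
		 * @return the message, or {@code null} if none set.
		 */
		@Nullable
		String getMessage();
	}

	/**
	 * The owner's trust in a public key.
	 * <p>
	 * The constants are listed from least to most trusted; {@link #UNKNOWN}
	 * should be treated as "not trusted" by any policy check.
	 * </p>
	 */
	enum TrustLevel {
		UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE
	}
}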