mirrors
/
jgit
mirror of https://github.com/eclipse/jgit.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 204 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8241 Commits
49 Branches
Tree: 1b7eafab13
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1b7eafab13'
${ noResults }
jgit/org.eclipse.jgit.gpg.bc/src/org/eclipse/jgit/gpg/bc/internal/BouncyCastleGpgSignatureVer...

BouncyCastleGpgSignatureVerifierFactory.java 875B
Raw Normal View History

GPG signature verification via BouncyCastle Add a GpgSignatureVerifier interface, plus a factory to create instances thereof that is provided via the ServiceLoader mechanism. Implement the new interface for BouncyCastle. A verifier maintains an internal LRU cache of previously found public keys to speed up verifying multiple objects (tag or commits). Mergetags are not handled. Provide a new VerifySignatureCommand in org.eclipse.jgit.api together with a factory method Git.verifySignature(). The command can verify signatures on tags or commits, and can be limited to accept only tags or commits. Provide a new public WrongObjectTypeException thrown when the command is limited to either tags or commits and a name resolves to some other object kind. In jgit.pgm, implement "git tag -v", "git log --show-signature", and "git show --show-signature". The output is similar to command-line gpg invoked via git, but not identical. In particular, lines are not prefixed by "gpg:" but by "bc:". Trust levels for public keys are read from the keys' trust packets, not from GPG's internal trust database. A trust packet may or may not be set. Command-line GPG produces more warning lines depending on the trust level, warning about keys with a trust level below "full". There are no unit tests because JGit still doesn't have any setup to do signing unit tests; this would require at least a faked .gpg directory with pre-created key rings and keys, and a way to make the BouncyCastle classes use that directory instead of the default. See bug 547538 and also bug 544847. Tested manually with a small test repository containing signed and unsigned commits and tags, with signatures made with different keys and made by command-line git using GPG 2.2.25 and by JGit using BouncyCastle 1.65. Bug: 547751 Change-Id: If7e34aeed6ca6636a92bf774d893d98f6d459181 Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
3 years ago
 12345678910111213141516171819202122232425262728 
  1. /*

  2.  * Copyright (C) 2021, Thomas Wolf <thomas.wolf@paranor.ch> and others

  3.  *

  4.  * This program and the accompanying materials are made available under the

  5.  * terms of the Eclipse Distribution License v. 1.0 which is available at

  6.  * https://www.eclipse.org/org/documents/edl-v10.php.

  7.  *

  8.  * SPDX-License-Identifier: BSD-3-Clause

  9.  */

  10. package org.eclipse.jgit.gpg.bc.internal;

  11. 

  12. import org.eclipse.jgit.lib.GpgSignatureVerifier;

  13. import org.eclipse.jgit.lib.GpgSignatureVerifierFactory;

  14. 

  15. /**

  16.  * A {@link GpgSignatureVerifierFactory} that creates

  17.  * {@link GpgSignatureVerifier} instances that verify GPG signatures using

  18.  * BouncyCastle and that do cache public keys.

  19.  */

  20. public final class BouncyCastleGpgSignatureVerifierFactory

  21. 		extends GpgSignatureVerifierFactory {

  22. 

  23. 	@Override

  24. 	public GpgSignatureVerifier getVerifier() {

  25. 		return new BouncyCastleGpgSignatureVerifier();

  26. 	}

  27. 

  28. }