git-js icon indicating copy to clipboard operation
git-js copied to clipboard
verified publisher icon steveukx

Verifying commit signature using raw() does not return the expected result

Open 3urobeat opened this issue 1 year ago • 2 comments

Hey,
I'm trying to verify a commit signature using git verify-commit <hash>.

Running this command in my terminal in the repository folder works, and shows the expected result with gpg: Signature made <date>... and so on.
Running the same command through simple-git like this (simplified):

import { simpleGit } from "simple-git";

const git: SimpleGit = simpleGit({
    baseDir: "data/repository/"
});

git.init();

git.raw(["verify-commit", hash]).then(res => console.log(res))

...just returns nothing, as if the commit was not signed.

Doing it via callback (git.raw(["verify-commit", hash], (err, data) => { ...) results in the same behavior.

Adding the verbose param (like this: git.raw(["verify-commit", "-v", hash]).then(res => console.log(res))) returns a response, including the correct commit message, however the gpg part is missing again.

Do you have an idea how I can make simple-git behave as git does through my terminal?
Both simple-git and git on my system report the same version (2.44.0).

3urobeat avatar Apr 14 '24 13:04 3urobeat

Hi, thanks for opening the issue. From reading through the git docs the missing content will be down to the output being printed to stderr rather than stdout, so would need a new task to be added to simple-git rather than relying on git.raw which only returns the stdout content.

To help with setting up the parser, please can you run the following in terminal:

git verify-commit -v --raw >out.txt 2>err.txt

Then include those two to this issue (please obscure personally identifiable information with a series of Xs in place of some of the characters).

steveukx avatar Jun 10 '24 08:06 steveukx

Hey, thanks for the response. You seem to be correct, the GnuPG response is being piped to stderr.

Here is the output from some random recent commit of mine (git verify-commit -v --raw 25cdc1938808efdd994d0b617831029770603259 >out.txt 2>err.txt):

out.txt

tree 8256920ef955bf006a708326ca040d7ad4b5aed9
parent 85496d8fb9b7bc3144294aa53e2516de9e8801c1
author 3urobeat <[email protected]> 1718053107 +0200
committer 3urobeat <[email protected]> 1718053107 +0200

docs(Arduino): Add compile & flash instructions

err.txt

[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 0
[GNUPG:] SIG_ID 3+P5iLyrD+p/6gDzsoO6zq/X05o 2024-06-10 1718053107
[GNUPG:] KEY_CONSIDERED XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 0
[GNUPG:] GOODSIG signingkey name surname <[email protected]>
[GNUPG:] VALIDSIG XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 2024-06-10 1718053107 0 4 0 1 8 00 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[GNUPG:] TRUST_ULTIMATE 0 pgp

I'm honestly not sure what to sensor, isn't this public information? Anyone should be able to get the same output when running that command on that repository, right?
I just sensored everything, I hope that's ok lol

Let me know if you need anything else.
When I was originally planning to implement that feature I just wanted to display whether a commit was signed or not. I have since then dropped the idea because setting up GPG for signing inside a docker container through a user interface is just too much of a hassle

3urobeat avatar Jun 11 '24 19:06 3urobeat