
I made a signed git tag, using this command: `git tag -s <tag>`

Are there any alternatives for checking the signature of this tag without using the command `git verify-tag <tag>` or `git tag -v <tag>`?

My tag is signed locally in a local git repository and then pushed to a remote bare git repository. In my use case, the verification of the signature shall not be done locally but by a hook on the server side during the push operation, which can reject the tag if it is not signed. And `git verify-tag <tag>` does not return anything in the server-side hook, as the tag is not recognized and not yet created on the server side.

As for the git commit verification mentioned here https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work, are there other alternatives for verifying a git signature, by using "git log" commands for example?

Thank you for your help.

------------------------------ UPDATE -----------------------------------

As @torek mentions below in a comment, the tag name is not yet recognized by the server, so that is why I use the tag hash ID instead of the tag name. One step made!

As I said above, the verification of the signature is done on the server side through a hook written in C++. Thus, in my C++ code I use generic C++ code to execute a command line and get its output.

Here is the code of the generic C++ exec function:

```cpp
#include <iostream>
#include <stdexcept>
#include <stdio.h>
#include <string>

// Run cmd through the shell and return everything it writes to stdout.
std::string exec(const char* cmd) {
    char buffer[128];
    std::string result = "";
    FILE* pipe = popen(cmd, "r");  // "r": read the child's stdout
    if (!pipe) throw std::runtime_error("popen() failed!");
    try {
        // Append the output chunk by chunk until end of file.
        while (fgets(buffer, sizeof buffer, pipe) != NULL) {
            result += buffer;
        }
    } catch (...) {
        pclose(pipe);
        throw;
    }
    pclose(pipe);
    return result;
}
```

This exec function works for other commands. But for an unknown reason, my command `git verify-tag <tag_hash>` does not return anything in the returned string of the function (same thing if using the command `git verify-commit <commit_hash>`). So I cannot parse the output of the command in my C++ code.

But the output strangely appears in the command line window where the tag push command is executed.

Any ideas on the problem? Is my exec function asynchronous?

--------------SOLUTION-----------------------------------

Strangely, the command `git verify-tag <tag>` does not print the output to the standard 'stdout' but to the 'stderr' output.

So my issue is resolved by redirecting the 'stderr' output to the 'stdout' with the command `git verify-tag <tag> 2>&1` instead of `git verify-tag <tag>`

Joker
  • Maybe you just need to push your tag? This may help: [Push git commits & tags simultaneously](https://stackoverflow.com/q/3745135/184546) – TTT Mar 16 '22 at 18:35
  • If you're trying to use a pre-receive or update hook to verify a tag before letting the push go through, you need to verify the tag by its hash ID, not by its name: you're inspecting the new object in order to decide *whether to allow Git to create the name* at this point. So the object exists, but the name doesn't, yet. – torek Mar 17 '22 at 00:02
  • Hello @torek, you are right, using the hash ID is better. I can get the signature result when I print it through a window. But for an unknown reason, I can't get the result using C++ functions (using popen and fgets). I will update my question. – Joker Mar 17 '22 at 11:24
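
A server-side check built on the `2>&1` fix above, as an added example that is not code from the original post: it validates the hash before it reaches the shell, captures stderr together with the exit status, and reads the machine-readable GnuPG status lines that `git verify-tag --raw` prints instead of the human-readable text. The function names and the allow-list of signer fingerprints are assumptions made for this illustration.

```cpp
#include <cctype>
#include <cstdio>
#include <set>
#include <sstream>
#include <stdexcept>
#include <string>
#include <sys/wait.h>

// Only a full hex object ID (SHA-1 or SHA-256) may reach the popen() shell.
bool is_object_id(const std::string& s) {
    if (s.size() != 40 && s.size() != 64) return false;
    for (unsigned char c : s) if (!std::isxdigit(c)) return false;
    return true;
}

// Run one simple command with stderr merged into stdout; report its exit status.
std::string run_capture(const std::string& cmd, int& exit_code) {
    FILE* pipe = popen((cmd + " 2>&1").c_str(), "r");
    if (!pipe) throw std::runtime_error("popen() failed");
    std::string out;
    char buf[256];
    while (fgets(buf, sizeof buf, pipe)) out += buf;
    int st = pclose(pipe);
    exit_code = (st != -1 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
    return out;
}

// Fingerprint from the first "[GNUPG:] VALIDSIG <fpr> ..." status line, or "".
std::string valid_sig_fingerprint(const std::string& status) {
    std::istringstream lines(status);
    for (std::string line, tag, kw, fpr; std::getline(lines, line);) {
        std::istringstream f(line);
        if (f >> tag >> kw >> fpr && tag == "[GNUPG:]" && kw == "VALIDSIG") return fpr;
    }
    return "";
}

// Accept only if git exits 0 and the signing key is on the (assumed) allow-list.
bool tag_is_acceptable(const std::string& tag_hash, const std::set<std::string>& allowed) {
    if (!is_object_id(tag_hash)) return false;
    int code = 0;
    std::string out = run_capture("git verify-tag --raw " + tag_hash, code);
    return code == 0 && allowed.count(valid_sig_fingerprint(out)) > 0;
}

int main(int argc, char** argv) {  // usage: <tag-object-hash> <allowed-fingerprint>
    if (argc != 3) return 2;
    return tag_is_acceptable(argv[1], {argv[2]}) ? 0 : 1;
}
```

In a pre-receive or update hook, the hash passed in is the new object ID that Git supplies for the pushed `refs/tags/...` ref; a lightweight tag points at a commit rather than a tag object, so `git verify-tag` fails on it and the tag is rejected.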

0 Answers