+18 -7

src/raw/verify.rs

reviewed

··· 3 3 use std::path::PathBuf; 4 4 5 5 use anyhow::Result; 6 6 + use either::*; 6 7 use git2::{Oid, Repository}; 7 8 8 9 use crate::utils; ··· 11 12 pub fn command(key_path: PathBuf, recover: bool, tree_rev: String) -> Result<()> { 12 13 let repo = utils::open_repository()?; 13 14 for public_key in utils::get_public_keys(key_path)?.into_values() { 14 14 - let recovered_oid = verify(&repo, &public_key, &tree_rev, recover)?; 15 15 - if let Some(recovered_oid) = recovered_oid { 16 16 - println!("{recovered_oid}"); 17 17 - } 15 15 + verify(&repo, &public_key, &tree_rev, recover)?.either( 16 16 + |_| anyhow::bail!("No signature found for tree {tree_rev}"), 17 17 + |recovered_oid| { 18 18 + if let Some(recovered_oid) = recovered_oid { 19 19 + println!("{recovered_oid}"); 20 20 + } 21 21 + Ok(()) 22 22 + }, 23 23 + )?; 18 24 } 19 25 Ok(()) 20 26 } ··· 25 31 public_key: &utils::PublicKey, 26 32 tree_rev: &str, 27 33 recover: bool, 28 28 - ) -> Result<Option<Oid>> { 29 29 - let tree_sig = utils::TreeSignature::load(repo, tree_rev)?; 34 34 + ) -> Result<Either<(), Option<Oid>>> { 35 35 + let Some(tree_sig) = utils::TreeSignature::load(repo, tree_rev)? else { 36 36 + return Ok(Left(())); 37 37 + }; 30 38 tree_sig.verify(public_key)?; 31 31 - recover.then(|| tree_sig.dereference()).transpose() 39 39 + recover 40 40 + .then(|| tree_sig.dereference()) 41 41 + .transpose() 42 42 + .map(Right) 32 43 }

+9 -8

src/utils.rs

reviewed

··· 8 8 use std::path::{Path, PathBuf}; 9 9 10 10 use anyhow::{anyhow, Context, Result}; 11 11 - use git2::{Blob, Object, ObjectType, Oid, Repository, RepositoryOpenFlags}; 11 11 + use git2::{Blob, ErrorCode, Object, ObjectType, Oid, Repository, RepositoryOpenFlags}; 12 12 use libsignify::Codeable; 13 13 use zeroize::Zeroizing; 14 14 ··· 155 155 156 156 impl<'repo> TreeSignature<'repo> { 157 157 /// Load a [`TreeSignature`] at the given `tree_rev` from the 158 158 - /// provided git repository. 158 158 + /// provided git repository. The value of `tree_rev` is expected 159 159 + /// to follow the refspec [`ALL_SIGNIFY_SIGNATURE_REFS`]. 159 160 #[inline] 160 160 - pub fn load(repo: &'repo Repository, tree_rev: &str) -> Result<Self> { 161 161 - let oid = repo 162 162 - .revparse_single(tree_rev) 163 163 - .context("Failed to look-up git tree oid")? 164 164 - .id(); 165 165 - Self::load_oid(repo, oid) 161 161 + pub fn load(repo: &'repo Repository, tree_rev: &str) -> Result<Option<Self>> { 162 162 + match repo.revparse_single(tree_rev) { 163 163 + Ok(obj) => Self::load_oid(repo, obj.id()).map(Some), 164 164 + Err(e) if e.code() == ErrorCode::NotFound => Ok(None), 165 165 + Err(e) => Err(e).context("Failed to look-up tree signature"), 166 166 + } 166 167 } 167 168 168 169 /// Like [`TreeSignature::load`], but uses a concrete revision pointing

+5 -2

src/verify.rs

reviewed

··· 20 20 let key_fingerprint = public_key.fingerprint()?; 21 21 utils::craft_signature_reference(key_fingerprint, object_oid) 22 22 }; 23 23 - verify(&repo, &public_key, &tree_rev, false)?; 24 24 - println!("Signature verified successfully with {}", path.display()); 23 23 + if verify(&repo, &public_key, &tree_rev, false)?.is_right() { 24 24 + println!("Signature verified successfully with {}", path.display()); 25 25 + } else { 26 26 + println!("No signature found for key {}", path.display()); 27 27 + } 25 28 } 26 29 Ok(()) 27 30 }