[PATCH] build: parsing "git log" breaks with gpg signature verification
Bjørn Mork
bjorn at mork.no
Fri Jun 27 02:21:07 PDT 2025
Sorry, that example was bogus. This should do a better job illustrating
the issue:

  git config log.showSignature true
  export GET_REV=2025-05-01
  GET_REV="$(git log -n 1 --format="%h" --until "$GET_REV")"
  echo "$GET_REV"

Bjørn

Bjørn Mork via openwrt-devel <openwrt-devel at lists.openwrt.org> writes:
> The sender domain has a DMARC Reject/Quarantine policy which disallows
> sending mailing list messages using the original "From" header.
>
> To mitigate this problem, the original message has been wrapped
> automatically by the mailing list software.
>
> From: Bjørn Mork <bjorn at mork.no>
> Subject: Re: [PATCH] build: parsing "git log" breaks with gpg signature verification
> To: Bjørn Mork via openwrt-devel <openwrt-devel at lists.openwrt.org>
> Cc: Eric Fahlgren <ericfahlgren at gmail.com>, Robert Marko <robimarko at gmail.com>
> Date: Fri, 27 Jun 2025 11:05:54 +0200
> Organization: m
>
> This is BROKEN, in the exact same way as the other "git log" parsing I
> tried to fix with the ignored patch quoted below:
>
>
> commit e56845fae3c05463a57ba8e0e104d6d8d8cd96ed
> Author: Eric Fahlgren <ericfahlgren at gmail.com>
> Date: Sat Feb 1 08:12:07 2025 -0800
>
> scripts: getver.sh: approximate version from date
>
> When doing package support and management it is often the case that
> knowing the corresponding openwrt repo's release version is useful.
>
> For example, when adding package changes to the ASU server, the
> openwrt revision is used as the cutoff for applying those changes.
> Knowing a package change's hash in its remote feed repo allows us
> to look up its change date, which we can now use with getver.sh
> to approximate the revision in openwrt at which it was made.
>
> Signed-off-by: Eric Fahlgren <ericfahlgren at gmail.com>
> Link: https://github.com/openwrt/openwrt/pull/17817
> Signed-off-by: Robert Marko <robimarko at gmail.com>
>
> diff --git a/scripts/getver.sh b/scripts/getver.sh
> index 0659d8004a01..e9a5cca0740d 100755
> --- a/scripts/getver.sh
> +++ b/scripts/getver.sh
> @@ -23,6 +23,9 @@ try_git() {
> BASE_REV="$(git rev-list ${REBOOT}..HEAD 2>/dev/null | wc -l | awk '{print $1}')"
> [ $((BASE_REV - GET_REV)) -ge 0 ] && REV="$(git rev-parse HEAD~$((BASE_REV - GET_REV)))"
> ;;
> + *-*-*) # ISO date format - for approximating when packages were removed or renamed
> + GET_REV="$(git log -n 1 --format="%h" --until "$GET_REV")"
> + ;& # FALLTHROUGH
> *)
> BRANCH="$(git rev-parse --abbrev-ref HEAD)"
> ORIGIN="$(git rev-parse --verify --symbolic-full-name ${BRANCH}@{u} 2>/dev/null)"
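Review bot: the `git log` call in the new `*-*-*)` branch has no `--no-show-signature`, so with `log.showSignature` enabled `GET_REV` receives the gpg verification lines ahead of the `%h` value, and the `;&` fallthrough carries that string into the `*)` branch. Add the flag, and check that the result is non-empty and a single hash before falling through, since a date earlier than the first commit leaves `GET_REV` empty.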
>
>
>
>
>
> If you don't believe me, then please try this in an OpenWrt workdir:
>
> git config log.showSignature true
> export GET_REV=2025-05-27
> GET_REV="$(git log -n 1 --format="%h" --until "$GET_REV")"
> echo "$GET_REV"
>
>
> See? A user could also have that setting in their ~/.gitconfig. Now,
> try the same using
>
> GET_REV="$(git log -n 1 --no-show-signature --format="%h" --until "$GET_REV")"
>
>
> Notice the difference? It's a simple workaround. So why not use that
> option, if you insist on parsing git-log output?
>
>
>
> Bjørn
>
>
>
> Bjørn Mork via openwrt-devel <openwrt-devel at lists.openwrt.org> writes:
>
>> From: Bjørn Mork <bjorn at mork.no>
>> Subject: [PATCH] build: parsing "git log" breaks with gpg signature verification
>> To: openwrt-devel at lists.openwrt.org
>> Cc: Bjørn Mork <bjorn at mork.no>
>> Date: Tue, 11 Feb 2025 19:05:32 +0100
>>
>> Parsing "git log" is fragile. The actual output depends on both global and
>> local configuration files. Enabling "log.showSignature" makes "git log" prefix
>> signed commits with multiple lines of gpg verify output, regardless of the
>> configured log format.
>>
>> Add "--no-show-signature" to "git log" commands to work around this particular
>> issue.
>>
>> Signed-off-by: Bjørn Mork <bjorn at mork.no>
>> ---
>> include/download.mk | 2 +-
>> rules.mk | 4 ++--
>> scripts/getver.sh | 2 +-
>> toolchain/Makefile | 2 +-
>> 4 files changed, 5 insertions(+), 5 deletions(-)
>>
>> diff --git a/include/download.mk b/include/download.mk
>> index 7f3430277350..3ed88bb9528d 100644
>> --- a/include/download.mk
>> +++ b/include/download.mk
>> @@ -228,7 +228,7 @@ define DownloadMethod/rawgit
>> [ \! -d $(SUBDIR) ] && \
>> git clone $(OPTS) $(URL) $(SUBDIR) && \
>> (cd $(SUBDIR) && git checkout $(SOURCE_VERSION)) && \
>> - export TAR_TIMESTAMP=`cd $(SUBDIR) && git log -1 --format='@%ct'` && \
>> + export TAR_TIMESTAMP=`cd $(SUBDIR) && git log -1 --no-show-signature --format='@%ct'` && \
>> echo "Generating formal git archive (apply .gitattributes rules)" && \
>> (cd $(SUBDIR) && git config core.abbrev 8 && \
>> git archive --format=tar HEAD --output=../$(SUBDIR).tar.git) && \
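Review bot: `TAR_TIMESTAMP` on the changed line is exported straight from the backtick output with no check of its shape, so any other setting that adds lines to `git log` output would leak into the value again. Consider asserting that it is `@` followed by digits before the archive step, so a bad value fails here instead of propagating.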
>> diff --git a/rules.mk b/rules.mk
>> index dbc448e1a432..7a5df4109ef1 100644
>> --- a/rules.mk
>> +++ b/rules.mk
>> @@ -507,9 +507,9 @@ ext=$(word $(words $(subst ., ,$(1))),$(subst ., ,$(1)))
>> ##
>> define commitcount
>> $(shell \
>> - if git log -1 >/dev/null 2>/dev/null; then \
>> + if git log -1 --no-show-signature >/dev/null 2>/dev/null; then \
>> if [ -n "$(1)" ]; then \
>> - last_bump="$$(git log --pretty=format:'%h %s' . | \
>> + last_bump="$$(git log --no-show-signature --pretty=format:'%h %s' . | \
>> grep -m 1 -e ': [uU]pdate to ' -e ': [bB]ump to ' | \
>> cut -f 1 -d ' ')"; \
>> fi; \
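Review bot: in the first changed line of `commitcount`, `git log -1` sends stdout and stderr to `/dev/null` and only its exit status is used, so the flag there does not affect any parsing; it only skips the signature check. A plumbing test such as `git rev-parse --verify -q HEAD >/dev/null` would express the intent without depending on log configuration. The second call is the one whose output goes through `grep` and `cut`, and the commit message could say which of the two is the actual fix.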
>> diff --git a/scripts/getver.sh b/scripts/getver.sh
>> index 0659d8004a01..23ca0f489b15 100755
>> --- a/scripts/getver.sh
>> +++ b/scripts/getver.sh
>> @@ -40,7 +40,7 @@ try_git() {
>> REV="${UPSTREAM_REV}+$((REV - UPSTREAM_REV))"
>> fi
>>
>> - REV="${REV:+r$REV-$(git log -n 1 --format="%h" $UPSTREAM_BASE)}"
>> + REV="${REV:+r$REV-$(git log -n 1 --no-show-signature --format="%h" $UPSTREAM_BASE)}"
>>
>> ;;
>> esac
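Review bot: `$UPSTREAM_BASE` in the changed `REV=` line is unquoted, and `git log` is used there only to abbreviate one commit name. `git rev-parse --short "$UPSTREAM_BASE"` returns the abbreviated hash without going through the log machinery, which removes the dependency on log configuration instead of overriding one setting. The two differ when `UPSTREAM_BASE` is empty (`git log` then falls back to HEAD), so that case needs a decision either way.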
>> diff --git a/toolchain/Makefile b/toolchain/Makefile
>> index 09c16f72a780..67b1540117cd 100644
>> --- a/toolchain/Makefile
>> +++ b/toolchain/Makefile
>> @@ -65,7 +65,7 @@ endif
>> ifdef CONFIG_BUILDBOT
>> ifneq ($(wildcard $(TOPDIR)/.git),)
>> $(TOOLCHAIN_DIR)/stamp/.ver_check: $(TMP_DIR)/.build
>> - cd "$(TOPDIR)"; git log --format=%h -1 toolchain > $(TMP_DIR)/.ver_check
>> + cd "$(TOPDIR)"; git log --no-show-signature --format=%h -1 toolchain > $(TMP_DIR)/.ver_check
>> cmp -s $(TMP_DIR)/.ver_check $@ || { \
>> rm -rf $(BUILD_DIR) $(STAGING_DIR) $(TOOLCHAIN_DIR) $(BUILD_DIR_TOOLCHAIN); \
>> mkdir -p $(TOOLCHAIN_DIR)/stamp; \
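Review bot: the output written to `$(TMP_DIR)/.ver_check` on the changed line is compared with `cmp -s`, and a mismatch runs `rm -rf` on the build, staging and toolchain directories, so this is the call site where extra lines in `git log` output cost the most. Worth saying so in the commit message, and worth checking that the file holds exactly one hash before the comparison.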
>
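A defensive check for the date lookup discussed in this thread, as an added example that is not part of the original messages or of OpenWrt: it passes `--no-show-signature` and also refuses any captured value that is not a single hash. `is_short_hash` and `rev_until` are hypothetical helper names, and the gpg lines are a constructed sample.

```shell
#!/bin/sh
# Added example (not OpenWrt code): gate git-log output before using it as a revision.

# Constructed sample of what the command substitution captures when
# log.showSignature is on and the commit is signed; key id and name are made up.
POLLUTED='gpg: Signature made Thu May  1 10:00:00 2025 CEST
gpg:                using RSA key 0000000000000000000000000000000000000000
gpg: Good signature from "Example Signer <signer@example.org>"
0123abcd'

# is_short_hash STRING (hypothetical helper)
# Succeeds only if STRING is a single token of 4 to 64 lowercase hex digits.
# A newline or space is a non-hex character, so multi-line output is rejected.
is_short_hash() {
    case "$1" in
        '' | *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -ge 4 ] && [ "${#1}" -le 64 ]
}

# rev_until DATE (hypothetical helper)
# Prints the abbreviated hash of the newest commit not later than DATE,
# or fails instead of handing unexpected text to the caller.
rev_until() {
    rev="$(git log -n 1 --no-show-signature --format='%h' --until "$1" 2>/dev/null)" || return 1
    if ! is_short_hash "$rev"; then
        echo "rev_until: unexpected git log output for '$1'" >&2
        return 1
    fi
    printf '%s\n' "$rev"
}

# Demonstration on the constructed sample: the polluted capture is refused.
if is_short_hash "$POLLUTED"; then
    echo "accepted"
else
    echo "rejected: not a single commit hash"
fi
```

The shape check catches output changes from settings other than `log.showSignature` as well, which the flag alone does not.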