@@ -1336,6 +1336,10 @@ int cmd_merge(int argc, const char **argv, const char *prefix)
die(_("%s - not something we can merge"), argv[0]);
if (remoteheads->next)
die(_("Can merge only exactly one commit into empty head"));
+
+ if (verify_signatures)
+ verify_merge_signature(remoteheads->item, verbosity);
+
remote_head_oid = &remoteheads->item->object.oid;
read_empty(remote_head_oid, 0);
update_ref("initial pull", "HEAD", remote_head_oid, NULL, 0,
@@ -103,4 +103,11 @@ test_expect_success GPG 'merge commit with bad signature with merge.verifySignat
git merge --no-verify-signatures $(cat forged.commit)
'
+test_expect_success GPG 'merge unsigned commit into unborn branch' '
+ test_when_finished "git checkout initial" &&
+ git checkout --orphan unborn &&
+ test_must_fail git merge --verify-signatures side-unsigned 2>mergeerror &&
+ test_i18ngrep "does not have a GPG signature" mergeerror
+'
+
test_done
When git-merge sees that we are on an unborn branch (i.e., there is no HEAD), it follows a totally separate code path than the usual merge logic. This code path does not know about verify_signatures, and so we fail to notice bad or missing signatures. This has been broken since --verify-signatures was added in efed002249 (merge/pull: verify GPG signatures of commits being merged, 2013-03-31). In an ideal world, we'd unify the flow for this case with the regular merge logic, which would fix this bug and avoid introducing similar ones. But because the unborn case is so different, it would be a burden on the rest of the function to continually handle the missing HEAD. So let's just port the verification check to this special case. Reported-by: Felix Eckhofer <felix@eckhofer.com> Signed-off-by: Jeff King <peff@peff.net> --- builtin/merge.c | 4 ++++ t/t7612-merge-verify-signatures.sh | 7 +++++++ 2 files changed, 11 insertions(+)