Verifying commit signature using raw() does not return the expected result

[3urobeat]

Hey,
I'm trying to verify a commit signature using git verify-commit <hash>.

Running this command in my terminal in the repository folder works, and shows the expected result with gpg: Signature made <date>... and so on.
Running the same command through simple-git like this (simplified):

import { simpleGit } from "simple-git";

const git: SimpleGit = simpleGit({
    baseDir: "data/repository/"
});

git.init();

git.raw(["verify-commit", hash]).then(res => console.log(res))

...just returns nothing, as if the commit was not signed.

Doing it via callback (git.raw(["verify-commit", hash], (err, data) => { ...) results in the same behavior.

Adding the verbose param (like this: git.raw(["verify-commit", "-v", hash]).then(res => console.log(res))) returns a response, including the correct commit message, however the gpg part is missing again.

Do you have an idea how I can make simple-git behave as git does through my terminal?
Both simple-git and git on my system report the same version (2.44.0).

[steveukx]

Hi, thanks for opening the issue. From reading through the git docs the missing content will be down to the output being printed to stderr rather than stdout, so would need a new task to be added to simple-git rather than relying on git.raw which only returns the stdout content.

To help with setting up the parser, please can you run the following in terminal:

git verify-commit -v --raw >out.txt 2>err.txt

Then include those two to this issue (please obscure personally identifiable information with a series of Xs in place of some of the characters).

[3urobeat]

Hey, thanks for the response. You seem to be correct, the GnuPG response is being piped to stderr.

Here is the output from some random recent commit of mine (git verify-commit -v --raw 25cdc1938808efdd994d0b617831029770603259 >out.txt 2>err.txt):

out.txt

tree 8256920ef955bf006a708326ca040d7ad4b5aed9
parent 85496d8fb9b7bc3144294aa53e2516de9e8801c1
author 3urobeat <35304405+3urobeat@users.noreply.github.com> 1718053107 +0200
committer 3urobeat <35304405+3urobeat@users.noreply.github.com> 1718053107 +0200

docs(Arduino): Add compile & flash instructions

err.txt

[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 0
[GNUPG:] SIG_ID 3+P5iLyrD+p/6gDzsoO6zq/X05o 2024-06-10 1718053107
[GNUPG:] KEY_CONSIDERED XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 0
[GNUPG:] GOODSIG signingkey name surname <35304405+3urobeat@users.noreply.github.com>
[GNUPG:] VALIDSIG XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 2024-06-10 1718053107 0 4 0 1 8 00 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[GNUPG:] TRUST_ULTIMATE 0 pgp

I'm honestly not sure what to sensor, isn't this public information? Anyone should be able to get the same output when running that command on that repository, right?
I just sensored everything, I hope that's ok lol

Let me know if you need anything else.
When I was originally planning to implement that feature I just wanted to display whether a commit was signed or not. I have since then dropped the idea because setting up GPG for signing inside a docker container through a user interface is just too much of a hassle