git: Disable log.showSignature for internal commands (#55708)

Self-Review Checklist: - [x] I've reviewed my own diff for quality, security, and reliability - [x] Unsafe blocks (if any) have justifying comments - [x] The content is consistent with the [UI/UX checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist) - [x] Tests cover the new/changed behavior - [x] Performance impact has been considered and is acceptable Closes #53604. When `log.showSignature = true`, git prepends signature verification lines to stdout before the `--format` output. The null-separated parsers in `crates/git/src/repository.rs` weren't expecting that, so SHAs ended up corrupted — the git graph detail panel showed "0 changed files" for every commit, and file history was similarly broken. Setting `-c log.showSignature=false` in `build_command` is the same trick we already use for `core.fsmonitor`. It only affects log/show/whatchanged, so other commands aren't touched. Verified locally with an SSH-signed repo: before this change the detail panel said "0 changed files"; after, the modified files show up correctly. Release Notes: - git_graph: Fix breakage that occurs when `log.showSignature` is enabled --------- Co-authored-by: Anthony Eid <anthony@zed.dev>
2026-06-01 03:14:56 +07:00 · 2026-05-17 03:54:51 +09:00 · 2026-05-17 03:54:51 +09:00 · b7d48ebcc4
commit b7d48ebcc4
parent 3bd9d13b63
1 changed files with 49 additions and 0 deletions
--- a/crates/git/src/repository.rs
+++ b/crates/git/src/repository.rs
@ -3415,8 +3415,12 @@ impl GitBinary {
    {
        let mut command = new_command(&self.git_binary_path);
        command.current_dir(&self.working_directory);
+        // Disabled to stop malicious actors from running arbitrary commands via fsmonitor hooks
        command.args(["-c", "core.fsmonitor=false"]);
+        // Prepended signature lines would corrupt our --format parsers.
+        command.args(["-c", "log.showSignature=false"]);
        command.arg("--no-optional-locks");
+        // Internal commands must be non-interactive so background tasks never block on user input.
        command.arg("--no-pager");

        if !self.is_trusted {
@ -3814,6 +3818,51 @@ mod tests {
        );
    }

+    #[gpui::test]
+    async fn test_build_command_disables_log_show_signature(cx: &mut TestAppContext) {
+        cx.executor().allow_parking();
+        let dir = tempfile::tempdir().unwrap();
+        git2::Repository::init(dir.path()).unwrap();
+
+        let git = GitBinary::new(
+            PathBuf::from("git"),
+            dir.path().to_path_buf(),
+            dir.path().join(".git"),
+            cx.executor(),
+            true,
+        );
+        let output = git
+            .build_command(&["config", "--get", "log.showSignature"])
+            .output()
+            .await
+            .expect("git config should run");
+        let stdout = String::from_utf8_lossy(&output.stdout);
+        assert_eq!(
+            stdout.trim(),
+            "false",
+            "log.showSignature should be disabled for trusted repos"
+        );
+
+        let git = GitBinary::new(
+            PathBuf::from("git"),
+            dir.path().to_path_buf(),
+            dir.path().join(".git"),
+            cx.executor(),
+            false,
+        );
+        let output = git
+            .build_command(&["config", "--get", "log.showSignature"])
+            .output()
+            .await
+            .expect("git config should run");
+        let stdout = String::from_utf8_lossy(&output.stdout);
+        assert_eq!(
+            stdout.trim(),
+            "false",
+            "log.showSignature should be disabled for untrusted repos"
+        );
+    }
+
    #[gpui::test]
    async fn test_path_for_index_id_uses_real_git_directory(cx: &mut TestAppContext) {
        cx.executor().allow_parking();