This bug was reported to the private security list, but I don't think it's easily exploitable, since merging or pulling into an unborn branch is pretty uncommon.
The root of the issue in both commands is just that we handle unborn branches in a special code path that never learned about --verify-signatures. [1/3]: merge: extract verify_merge_signature() helper [2/3]: merge: handle --verify-signatures for unborn branch [3/3]: pull: handle --verify-signatures for unborn branch builtin/merge.c | 30 +++++------------------------- builtin/pull.c | 11 +++++++++++ commit.c | 26 ++++++++++++++++++++++++++ commit.h | 7 +++++++ t/t5573-pull-verify-signatures.sh | 7 +++++++ t/t7612-merge-verify-signatures.sh | 7 +++++++ 6 files changed, 63 insertions(+), 25 deletions(-) -Peff
