Merge branch 'jc/sign-buffer-failure-propagation-fix' into maint-2.43

A failed "git tag -s" did not necessarily result in an error
depending on the crypto backend, which has been corrected.

* jc/sign-buffer-failure-propagation-fix:
  ssh signing: signal an error with a negative return value
  tag: fix sign_buffer() call to create a signed tag

3 files changed, 3 insertions, 3 deletions

diff --git a/builtin/tag.c b/builtin/tag.c
index 358b308616..79ca53c149 100644
--- a/builtin/tag.c
+++ b/builtin/tag.c
@@ -175,7 +175,7 @@ static int verify_tag(const char *name, const char *ref UNUSED,
 
 static int do_sign(struct strbuf *buffer)
 {
-	return sign_buffer(buffer, buffer, get_signing_key());
+	return sign_buffer(buffer, buffer, get_signing_key()) ? -1 : 0;
 }
 
 static const char tag_template[] =
diff --git a/gpg-interface.c b/gpg-interface.c
index f614105033..95e764acb1 100644
--- a/gpg-interface.c
+++ b/gpg-interface.c
@@ -1078,7 +1078,7 @@ static int sign_buffer_ssh(struct strbuf *buffer, struct strbuf *signature,
 		if (strstr(signer_stderr.buf, "usage:"))
 			error(_("ssh-keygen -Y sign is needed for ssh signing (available in openssh version 8.2p1+)"));
 
-		error("%s", signer_stderr.buf);
+		ret = error("%s", signer_stderr.buf);
 		goto out;
 	}
 
diff --git a/gpg-interface.h b/gpg-interface.h
index 143cdc1c02..7cd98161f7 100644
--- a/gpg-interface.h
+++ b/gpg-interface.h
@@ -66,7 +66,7 @@ size_t parse_signed_buffer(const char *buf, size_t size);
  * Create a detached signature for the contents of "buffer" and append
  * it after "signature"; "buffer" and "signature" can be the same
  * strbuf instance, which would cause the detached signature appended
- * at the end.
+ * at the end.  Returns 0 on success, non-zero on failure.
  */
 int sign_buffer(struct strbuf *buffer, struct strbuf *signature,
 		const char *signing_key);