Browse Source

doc: Add a Git hook that verifies signatures before pushing.

* HACKING (Commit Access): Describe the pre-push Git hook.
* etc/git/pre-push: New file.
gn-latest-20200428
Leo Famulari 4 years ago
parent
commit
69355e1283
No known key found for this signature in database GPG Key ID: 2646FA30BACA7F08
2 changed files with 62 additions and 0 deletions
  1. +5
    -0
      HACKING
  2. +57
    -0
      etc/git/pre-push

+ 5
- 0
HACKING View File

@@ -4,6 +4,7 @@

Copyright © 2012, 2013, 2014, 2016 Ludovic Courtès <ludo@gnu.org>
Copyright © 2015 Mathieu Lirzin <mthl@openmailbox.org>
Copyright © 2017 Leo Famulari <leo@famulari.name>

Copying and distribution of this file, with or without modification,
are permitted in any medium without royalty provided the copyright
@@ -43,6 +44,10 @@ configure Git to automatically sign commits, run:
git config commit.gpgsign true
git config user.signingkey CABBA6EA1DC0FF33

You can prevent yourself from accidentally pushing unsigned commits to Savannah
by using the pre-push Git hook called 'pre-push'. It's located at
'etc/git/pre-push'.

For anything else, please post to guix-devel@gnu.org and leave time for a
review, without committing anything. If you didn’t receive any reply
after two weeks, and if you’re confident, it’s OK to commit.


+ 57
- 0
etc/git/pre-push View File

@@ -0,0 +1,57 @@
#!/bin/sh

# This hook script prevents the user from pushing to Savannah if any of the new
# commits' OpenPGP signatures cannot be verified.

# Called by "git push" after it has checked the remote status, but before
# anything has been pushed. If this script exits with a non-zero status nothing
# will be pushed.
#
# This hook is called with the following parameters:
#
# $1 -- Name of the remote to which the push is being done
# $2 -- URL to which the push is being done
#
# If pushing without using a named remote those arguments will be equal.
#
# Information about the commits which are being pushed is supplied as lines to
# the standard input in the form:
#
# <local ref> <local sha1> <remote ref> <remote sha1>

z40=0000000000000000000000000000000000000000

# Only use the hook when pushing to Savannah.
case "$2" in
*git.sv.gnu.org*)
break
;;
*)
exit 0
;;
esac

while read local_ref local_sha remote_ref remote_sha
do
if [ "$local_sha" = $z40 ]
then
# Handle delete
:
else
if [ "$remote_sha" = $z40 ]
then
# New branch, examine all commits
range="$local_sha"
else
# Update to existing branch, examine new commits
range="$remote_sha..$local_sha"
fi

# Verify the signatures of all commits being pushed.
git verify-commit $(git rev-list $range) >/dev/null 2>&1

exit $?
fi
done

exit 0

Loading…
Cancel
Save