Browse Source
doc: Add a Git hook that verifies signatures before pushing.
* HACKING (Commit Access): Describe the pre-push Git hook.
* etc/git/pre-push: New file.
gn-latest-20200428
Leo Famulari
5 years ago
No known key found for this signature in database
GPG Key ID: 2646FA30BACA7F08
2 changed files with
62 additions and
0 deletions
-
HACKING
-
etc/git/pre-push
|
|
|
@ -4,6 +4,7 @@ |
|
|
|
|
|
|
|
Copyright © 2012, 2013, 2014, 2016 Ludovic Courtès <ludo@gnu.org> |
|
|
|
Copyright © 2015 Mathieu Lirzin <mthl@openmailbox.org> |
|
|
|
Copyright © 2017 Leo Famulari <leo@famulari.name> |
|
|
|
|
|
|
|
Copying and distribution of this file, with or without modification, |
|
|
|
are permitted in any medium without royalty provided the copyright |
|
|
|
@ -43,6 +44,10 @@ configure Git to automatically sign commits, run: |
|
|
|
git config commit.gpgsign true |
|
|
|
git config user.signingkey CABBA6EA1DC0FF33 |
|
|
|
|
|
|
|
You can prevent yourself from accidentally pushing unsigned commits to Savannah |
|
|
|
by using the pre-push Git hook called 'pre-push'. It's located at |
|
|
|
'etc/git/pre-push'. |
|
|
|
|
|
|
|
For anything else, please post to guix-devel@gnu.org and leave time for a |
|
|
|
review, without committing anything. If you didn’t receive any reply |
|
|
|
after two weeks, and if you’re confident, it’s OK to commit. |
|
|
|
|
|
|
|
@ -0,0 +1,57 @@ |
|
|
|
#!/bin/sh |
|
|
|
|
|
|
|
# This hook script prevents the user from pushing to Savannah if any of the new |
|
|
|
# commits' OpenPGP signatures cannot be verified. |
|
|
|
|
|
|
|
# Called by "git push" after it has checked the remote status, but before |
|
|
|
# anything has been pushed. If this script exits with a non-zero status nothing |
|
|
|
# will be pushed. |
|
|
|
# |
|
|
|
# This hook is called with the following parameters: |
|
|
|
# |
|
|
|
# $1 -- Name of the remote to which the push is being done |
|
|
|
# $2 -- URL to which the push is being done |
|
|
|
# |
|
|
|
# If pushing without using a named remote those arguments will be equal. |
|
|
|
# |
|
|
|
# Information about the commits which are being pushed is supplied as lines to |
|
|
|
# the standard input in the form: |
|
|
|
# |
|
|
|
# <local ref> <local sha1> <remote ref> <remote sha1> |
|
|
|
|
|
|
|
z40=0000000000000000000000000000000000000000 |
|
|
|
|
|
|
|
# Only use the hook when pushing to Savannah. |
|
|
|
case "$2" in |
|
|
|
*git.sv.gnu.org*) |
|
|
|
break |
|
|
|
;; |
|
|
|
*) |
|
|
|
exit 0 |
|
|
|
;; |
|
|
|
esac |
|
|
|
|
|
|
|
while read local_ref local_sha remote_ref remote_sha |
|
|
|
do |
|
|
|
if [ "$local_sha" = $z40 ] |
|
|
|
then |
|
|
|
# Handle delete |
|
|
|
: |
|
|
|
else |
|
|
|
if [ "$remote_sha" = $z40 ] |
|
|
|
then |
|
|
|
# New branch, examine all commits |
|
|
|
range="$local_sha" |
|
|
|
else |
|
|
|
# Update to existing branch, examine new commits |
|
|
|
range="$remote_sha..$local_sha" |
|
|
|
fi |
|
|
|
|
|
|
|
# Verify the signatures of all commits being pushed. |
|
|
|
git verify-commit $(git rev-list $range) >/dev/null 2>&1 |
|
|
|
|
|
|
|
exit $? |
|
|
|
fi |
|
|
|
done |
|
|
|
|
|
|
|
exit 0 |
