author | turret <turret@duck.com> | 2023-10-04 14:09:37 -0500 |
---|---|---|
committer | turret <turret@duck.com> | 2023-10-04 14:09:37 -0500 |
commit | 9dc58d6ce1f62f6f1d61bc46dd7b075a140f2f23 (patch) | |
tree | 796fccf992d0e4d7b6a34bbe0bdd8d21f4564fcc /VREF | |
parent | 26719337d8d4bc58faddf6b574672af4d855ec0a (diff) | |
Diffstat (limited to 'VREF')
-rwxr-xr-x | VREF/gpg | 113 |
1 files changed, 113 insertions, 0 deletions
diff --git a/VREF/gpg b/VREF/gpg
new file mode 100755
index 0000000..07e1664
--- /dev/null
+++ b/VREF/gpg
@@ -0,0 +1,113 @@
+#!/bin/bash
+# based on gentoo-infra: infra/githooks.git:update-02-gpg
+
+# --- Command line
+refname=${1}
+oldrev=${2}
+newrev=${3}
+
+# --- Safety check
+if [ -z "${GIT_DIR}" ]; then
+ echo "Don't run this script from the command line." >&2
+ echo " (if you want, you could supply GIT_DIR then run" >&2
+ echo " ${0} <ref> <oldrev> <newrev>)" >&2
+ exit 1
+fi
+
+if [ -z "${refname}" -o -z "${oldrev}" -o -z "${newrev}" ]; then
+ echo "usage: ${0} <ref> <oldrev> <newrev>" >&2
+ exit 1
+fi
+
+# branch names or 'all', or 'all-refs' for all refs
+SIGNED_BRANCHES=$(git config --get gpg.signed-branches)
+: ${SIGNED_BRANCHES:=master}
+VERIFY_SIGS=$(git config --get gpg.verify-signatures)
+: ${VERIFY_SIGS:=users}
+
+case ${VERIFY_SIGS} in
+ users)
+ ;;
+ no)
+ ;;
+ *)
+ echo "Invalid value of gpg.verify-signatures" >&2
+ exit 1
+esac
+
+case ${SIGNED_BRANCHES} in
+ all-refs)
+ ;;
+ all)
+ [[ ${refname} == refs/heads/* ]] || exit 0
+ ;;
+ *)
+ [[ ${refname} == refs/heads/* ]] || exit 0
+ branch_found=
+ for branch in ${SIGNED_BRANCHES}; do
+ if [[ ${refname#refs/heads/} == ${branch} ]]; then
+ branch_found=1
+ break
+ fi
+ done
+ [[ ${branch_found} == 1 ]] || exit 0
+esac
+
+IFS='
+'
+
+# special cases
+zeros=0000000000000000000000000000000000000000
+# branch removal
+[[ ${newrev} == "${zeros}" ]] && exit 0
+# new branch; try to find a merge base with master
+if [[ ${oldrev} == "${zeros}" && ${refname} != refs/heads/master ]]; then
+ mergebase=$(git merge-base refs/heads/master "${newrev}")
+ [[ -n ${mergebase} ]] && oldrev=${mergebase}
+fi
+rev_list_arg="${oldrev}..${newrev}"
+# new and no common commit? gotta check them all
+[[ ${oldrev} == "${zeros}" ]] && rev_list_arg="${newrev}"
+
+while read -r r; do
+ committer=$(git show -q --pretty=format:'%ce' "${r}")
+ signst=$(git show -q --pretty=format:'%G?' "${r}")
+ case ${VERIFY_SIGS} in
+ users)
+ # user signatures must be Good
+ [[ ${signst} == G ]] && continue
+ ;;
+ no)
+ # additionally skip untrusted/impossible to check
+ # when verification is disabled
+ [[ ${signst} == [GUE] ]] && continue
+ ;;
+ esac
+
+ # error reporting
+ case ${signst} in
+ U)
+ echo "*** Untrusted signature on ${r}, refusing"
+ exit 1
+ ;;
+ B)
+ echo "*** Bad signature on ${r}, refusing"
+ exit 1
+ ;;
+ N)
+ echo "*** No signature on ${r}, refusing"
+ exit 1
+ ;;
+ E)
+ echo "*** Signature cannot be checked on ${r}, refusing"
+ exit 1
+ ;;
+ *)
+ echo "*** Unknown signature status '${signst}', refusing"
+ exit 1
+ ;;
+ esac
+done < <(git rev-list --first-parent "${rev_list_arg}")
+
+# --- Finished
+exit 0