From 9dc58d6ce1f62f6f1d61bc46dd7b075a140f2f23 Mon Sep 17 00:00:00 2001 From: turret Date: Wed, 4 Oct 2023 14:09:37 -0500 Subject: gpg: add new gpg githook (thanks gentoo) --- VREF/gpg | 113 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 113 insertions(+) create mode 100755 VREF/gpg diff --git a/VREF/gpg b/VREF/gpg new file mode 100755 index 0000000..07e1664 --- /dev/null +++ b/VREF/gpg @@ -0,0 +1,113 @@ +#!/bin/bash +# based on gentoo-infra: infra/githooks.git:update-02-gpg + +# --- Command line +refname=${1} +oldrev=${2} +newrev=${3} + +# --- Safety check +if [ -z "${GIT_DIR}" ]; then + echo "Don't run this script from the command line." >&2 + echo " (if you want, you could supply GIT_DIR then run" >&2 + echo " ${0} )" >&2 + exit 1 +fi + +if [ -z "${refname}" -o -z "${oldrev}" -o -z "${newrev}" ]; then + echo "usage: ${0} " >&2 + exit 1 +fi + +# branch names or 'all', or 'all-refs' for all refs +SIGNED_BRANCHES=$(git config --get gpg.signed-branches) +: ${SIGNED_BRANCHES:=master} +VERIFY_SIGS=$(git config --get gpg.verify-signatures) +: ${VERIFY_SIGS:=users} + +case ${VERIFY_SIGS} in + users) + ;; + no) + ;; + *) + echo "Invalid value of gpg.verify-signatures" >&2 + exit 1 +esac + +case ${SIGNED_BRANCHES} in + all-refs) + ;; + all) + [[ ${refname} == refs/heads/* ]] || exit 0 + ;; + *) + [[ ${refname} == refs/heads/* ]] || exit 0 + branch_found= + for branch in ${SIGNED_BRANCHES}; do + if [[ ${refname#refs/heads/} == ${branch} ]]; then + branch_found=1 + break + fi + done + [[ ${branch_found} == 1 ]] || exit 0 +esac + +IFS=' +' + +# special cases +zeros=0000000000000000000000000000000000000000 +# branch removal +[[ ${newrev} == "${zeros}" ]] && exit 0 +# new branch; try to find a merge base with master +if [[ ${oldrev} == "${zeros}" && ${refname} != refs/heads/master ]]; then + mergebase=$(git merge-base refs/heads/master "${newrev}") + [[ -n ${mergebase} ]] && oldrev=${mergebase} +fi +rev_list_arg="${oldrev}..${newrev}" +# new and no common commit? gotta check them all +[[ ${oldrev} == "${zeros}" ]] && rev_list_arg="${newrev}" + +while read -r r; do + committer=$(git show -q --pretty=format:'%ce' "${r}") + signst=$(git show -q --pretty=format:'%G?' "${r}") + case ${VERIFY_SIGS} in + users) + # user signatures must be Good + [[ ${signst} == G ]] && continue + ;; + no) + # additionally skip untrusted/impossible to check + # when verification is disabled + [[ ${signst} == [GUE] ]] && continue + ;; + esac + + # error reporting + case ${signst} in + U) + echo "*** Untrusted signature on ${r}, refusing" + exit 1 + ;; + B) + echo "*** Bad signature on ${r}, refusing" + exit 1 + ;; + N) + echo "*** No signature on ${r}, refusing" + exit 1 + ;; + E) + echo "*** Signature cannot be checked on ${r}, refusing" + exit 1 + ;; + *) + echo "*** Unknown signature status '${signst}', refusing" + exit 1 + ;; + esac +done < <(git rev-list --first-parent "${rev_list_arg}") + +# --- Finished +exit 0 -- cgit v1.2.3