blob: 8d22b0de2914032fd59bdc1459e0004581205514 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
|
#!/bin/bash
# based on gentoo-infra: infra/githooks.git:update-02-gpg
# --- Command line
refname=${1}
oldrev=${2}
newrev=${3}
# --- Safety check
if [ -z "${GIT_DIR}" ]; then
echo "Don't run this script from the command line." >&2
echo " (if you want, you could supply GIT_DIR then run" >&2
echo " ${0} <ref> <oldrev> <newrev>)" >&2
exit 1
fi
if [ -z "${refname}" -o -z "${oldrev}" -o -z "${newrev}" ]; then
echo "usage: ${0} <ref> <oldrev> <newrev>" >&2
exit 1
fi
# branch names or 'all', or 'all-refs' for all refs
SIGNED_BRANCHES=$(git config --get gpg.signed-branches)
: ${SIGNED_BRANCHES:=master}
VERIFY_SIGS=$(git config --get gpg.verify-signatures)
: ${VERIFY_SIGS:=users}
case ${VERIFY_SIGS} in
users)
;;
no)
;;
*)
echo "Invalid value of gpg.verify-signatures" >&2
exit 1
esac
case ${SIGNED_BRANCHES} in
all-refs)
;;
all)
[[ ${refname} == refs/heads/* ]] || exit 0
;;
*)
[[ ${refname} == refs/heads/* ]] || exit 0
branch_found=
for branch in ${SIGNED_BRANCHES}; do
if [[ ${refname#refs/heads/} == ${branch} ]]; then
branch_found=1
break
fi
done
[[ ${branch_found} == 1 ]] || exit 0
esac
IFS='
'
# special cases
zeros=0000000000000000000000000000000000000000
# branch removal
[[ ${newrev} == "${zeros}" ]] && exit 0
# new branch; try to find a merge base with master
if [[ ${oldrev} == "${zeros}" && ${refname} != refs/heads/master ]]; then
mergebase=$(git merge-base refs/heads/master "${newrev}")
[[ -n ${mergebase} ]] && oldrev=${mergebase}
fi
rev_list_arg="${oldrev}..${newrev}"
# new and no common commit? gotta check them all
[[ ${oldrev} == "${zeros}" ]] && rev_list_arg="${newrev}"
while read -r r; do
committer=$(git show -q --pretty=format:'%ce' "${r}")
signst=$(git show -q --pretty=format:'%G?' "${r}")
case ${VERIFY_SIGS} in
users)
# user signatures must be Good
[[ ${signst} == G ]] && continue
;;
no)
# additionally skip untrusted/impossible to check
# when verification is disabled
[[ ${signst} == [GUE] ]] && continue
;;
esac
# error reporting
case ${signst} in
U)
echo "*** Untrusted signature on ${r}, refusing"
exit 1
;;
B)
echo "*** Bad signature on ${r}, refusing"
exit 1
;;
N)
echo "*** No signature on ${r}, refusing"
exit 1
;;
E)
echo "*** Signature cannot be checked on ${r}, refusing"
exit 1
;;
Y)
echo "*** Signing key expired on ${r}, refusing"
exit 1
;;
R)
echo "*** Signing key revoked on ${r}, refusing"
exit 1
;;
*)
echo "*** Unknown signature status '${signst}', refusing"
exit 1
;;
esac
done < <(git rev-list --first-parent "${rev_list_arg}")
# --- Finished
exit 0
|