doc: Add a Git hook that verifies signatures before pushing.
* HACKING (Commit Access): Describe the pre-push Git hook. * etc/git/pre-push: New file.master
parent
5f0fabec54
commit
69355e1283
5
HACKING
5
HACKING
|
@ -4,6 +4,7 @@
|
|||
|
||||
Copyright © 2012, 2013, 2014, 2016 Ludovic Courtès <ludo@gnu.org>
|
||||
Copyright © 2015 Mathieu Lirzin <mthl@openmailbox.org>
|
||||
Copyright © 2017 Leo Famulari <leo@famulari.name>
|
||||
|
||||
Copying and distribution of this file, with or without modification,
|
||||
are permitted in any medium without royalty provided the copyright
|
||||
|
@ -43,6 +44,10 @@ configure Git to automatically sign commits, run:
|
|||
git config commit.gpgsign true
|
||||
git config user.signingkey CABBA6EA1DC0FF33
|
||||
|
||||
You can prevent yourself from accidentally pushing unsigned commits to Savannah
|
||||
by using the pre-push Git hook called 'pre-push'. It's located at
|
||||
'etc/git/pre-push'.
|
||||
|
||||
For anything else, please post to guix-devel@gnu.org and leave time for a
|
||||
review, without committing anything. If you didn’t receive any reply
|
||||
after two weeks, and if you’re confident, it’s OK to commit.
|
||||
|
|
|
@ -0,0 +1,57 @@
|
|||
#!/bin/sh
|
||||
|
||||
# This hook script prevents the user from pushing to Savannah if any of the new
|
||||
# commits' OpenPGP signatures cannot be verified.
|
||||
|
||||
# Called by "git push" after it has checked the remote status, but before
|
||||
# anything has been pushed. If this script exits with a non-zero status nothing
|
||||
# will be pushed.
|
||||
#
|
||||
# This hook is called with the following parameters:
|
||||
#
|
||||
# $1 -- Name of the remote to which the push is being done
|
||||
# $2 -- URL to which the push is being done
|
||||
#
|
||||
# If pushing without using a named remote those arguments will be equal.
|
||||
#
|
||||
# Information about the commits which are being pushed is supplied as lines to
|
||||
# the standard input in the form:
|
||||
#
|
||||
# <local ref> <local sha1> <remote ref> <remote sha1>
|
||||
|
||||
z40=0000000000000000000000000000000000000000
|
||||
|
||||
# Only use the hook when pushing to Savannah.
|
||||
case "$2" in
|
||||
*git.sv.gnu.org*)
|
||||
break
|
||||
;;
|
||||
*)
|
||||
exit 0
|
||||
;;
|
||||
esac
|
||||
|
||||
while read local_ref local_sha remote_ref remote_sha
|
||||
do
|
||||
if [ "$local_sha" = $z40 ]
|
||||
then
|
||||
# Handle delete
|
||||
:
|
||||
else
|
||||
if [ "$remote_sha" = $z40 ]
|
||||
then
|
||||
# New branch, examine all commits
|
||||
range="$local_sha"
|
||||
else
|
||||
# Update to existing branch, examine new commits
|
||||
range="$remote_sha..$local_sha"
|
||||
fi
|
||||
|
||||
# Verify the signatures of all commits being pushed.
|
||||
git verify-commit $(git rev-list $range) >/dev/null 2>&1
|
||||
|
||||
exit $?
|
||||
fi
|
||||
done
|
||||
|
||||
exit 0
|
Reference in New Issue