From: Leo Famulari <leo@famulari.name>
To: guix-devel@gnu.org
Subject: Commit signing workflow
Date: Sun, 22 May 2016 20:12:00 -0400
Message-ID: <20160523001200.GA18233@jasmine>
As requested in the discussion on "Trustable guix pull" [0], I've
recently started signing the commits I push to Savannah.
At first, I set "gpgsign = true" in my Guix repo's Git config. This
requires you to sign every commit you make. It's effective, but I found
it annoying to provide my signing key while doing exploratory hacking,
rebasing a branch on master, etc.
Instead, I want to sign after my final "self-review" and before pushing
to Savannah or sending patches to the list for final review.
So, I've attached a pre-push Git hook that should prevent unsigned
commits from being pushed to any remote [1]. I've also attached a shell
function that will sign commits besides HEAD (useful for signing a range
of commits). I didn't find a more Git-idiomatic way to sign an existing
commit besides HEAD.
Please let me know if you see any problems with this approach, or if you
can suggest some improvements.
[0] http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22883#16
[1] One could make it remote-specific if desired.
[-- Attachment #1.2: pre-push --]
#!/gnu/store/b1yqjimbdh5bf9jnizd4h7yf110744j2-bash-4.3.42/bin/sh
# A hook script that prevents the user from pushing unsigned commits.
# Called by "git push" after it has checked the remote status, but before
# anything has been pushed. If this script exits with a non-zero status nothing
# will be pushed.
#
# This hook is called with the following parameters:
#
# $1 -- Name of the remote to which the push is being done
# $2 -- URL to which the push is being done
#
# If pushing without using a named remote those arguments will be equal.
#
# Information about the commits which are being pushed is supplied as lines to
# the standard input in the form:
#
# <local ref> <local sha1> <remote ref> <remote sha1>

# The all-zero object name that git uses for "no such ref".
z40=0000000000000000000000000000000000000000

while read -r local_ref local_sha remote_ref remote_sha
do
    if [ "$local_sha" = "$z40" ]
    then
        # Handle delete: a ref removal carries no commits to verify.
        :
    else
        if [ "$remote_sha" = "$z40" ]
        then
            # New branch, examine all commits
            range="$local_sha"
        else
            # Update to existing branch, examine new commits
            range="$remote_sha..$local_sha"
        fi

        # Check if push candidate commits are PGP signed.  'git verify-commit'
        # exits non-zero if any of the commits handed to it fails to verify.
        # $commits is deliberately unquoted so that one hash becomes one
        # argument.  An empty range (e.g. a forced push that rewinds a branch)
        # has nothing to verify, and 'git verify-commit' refuses an empty
        # argument list, so that case is skipped rather than rejected.
        commits=$(git rev-list "$range")
        if [ -n "$commits" ] && ! git verify-commit $commits >/dev/null 2>&1
        then
            echo "error: Please sign these commits before pushing:" 1>&2
            echo "$range" 1>&2
            exit 1
        fi
    fi
done

exit 0
[-- Attachment #1.3: git-sign --]
git-sign() {
    case $# in
        "0") range=HEAD ;;
        "1") range=$1 ;;
        *) echo "too many arguments" 1>&2; return 1 ;;
    esac

    # With HEAD as the base there is nothing to rebase, so re-create HEAD
    # with a signature directly.
    if [ "$range" = HEAD ]
    then
        git commit --amend --no-edit --gpg-sign
        return
    fi

    # Replay every commit after "$range" in place, re-creating each one with
    # a signature.  GIT_SEQUENCE_EDITOR=true accepts the generated todo list
    # unchanged; unlike plain EDITOR it is not overridden by GIT_EDITOR or
    # core.editor.
    # In git-2.8.4, it should be possible to drop the -i option, along with
    # the editor override:
    # https://git.kernel.org/cgit/git/git.git/commit/?h=next&id=78ec240020db4bdd773830f3d41f4b4bdf9a4e2d
    GIT_SEQUENCE_EDITOR=true git rebase -i \
        --exec "git commit --amend --no-edit --gpg-sign" "$range" \
        || git rebase --abort
}
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
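The following is an added example, not code from Leo's mail or from the Guix repository. It restructures the pre-push check so that it names each offending commit instead of only printing the range, using git's own `%H` and `%G?` log placeholders (`%G?` is `N` for a commit with no signature, `B` for a bad one, and `G` or `U` for a good signature with a trusted or untrusted key; a commit is accepted only for `G`/`U`, which is the same rule `git verify-commit` applies). The function names `unsigned_commits` and `check_push` are my own, and the repository the test builds is constructed for the example.

```shell
#!/bin/sh
# Added example: a pre-push style check that lists every commit in a push
# range whose signature is absent or does not verify.  Function names are
# assumptions; the format placeholders (%H hash, %G? status) are git's own.

# The all-zero object name git uses for "no such ref".
z40=0000000000000000000000000000000000000000

# Print "<hash> <status>" for each commit in RANGE whose signature status is
# neither G (good) nor U (good, untrusted key); return 1 if any were printed.
unsigned_commits() {
    range=$1
    bad=$(git log --format='%H %G?' "$range" | awk '$2 != "G" && $2 != "U"')
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Read "<local ref> <local sha1> <remote ref> <remote sha1>" lines on stdin,
# exactly as git feeds a pre-push hook, and reject the push when any candidate
# commit lacks a good signature.  Returns 0 to allow the push, 1 to block it.
check_push() {
    status=0
    while read -r local_ref local_sha remote_ref remote_sha
    do
        # A ref deletion carries no commits to check.
        [ "$local_sha" = "$z40" ] && continue
        if [ "$remote_sha" = "$z40" ]
        then
            range=$local_sha                 # new branch: every reachable commit
        else
            range="$remote_sha..$local_sha"  # existing branch: only the new commits
        fi
        if ! out=$(unsigned_commits "$range")
        then
            echo "error: $local_ref has commits without a good signature:" 1>&2
            printf '%s\n' "$out" 1>&2
            status=1
        fi
    done
    return $status
}
```

Installed as `.git/hooks/pre-push`, the script would end with `check_push` so that git's exit status check applies; the per-commit listing tells the author exactly which commits still need `git commit --amend --gpg-sign` or a `git-sign` pass.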
Thread overview: 2+ messages
2016-05-23 0:12 Leo Famulari [this message]
2016-05-23 21:45 ` Commit signing workflow Ludovic Courtès