From: Leo Famulari
Subject: Commit signing workflow
Date: Sun, 22 May 2016 20:12:00 -0400
Message-ID: <20160523001200.GA18233@jasmine>
To: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."

As requested in the discussion on "Trustable guix pull" [0], I've recently
started signing the commits I push to Savannah.

At first, I set "gpgsign = true" in my Guix repo's Git config. This
requires you to sign every commit you make. It's effective, but I found it
annoying to provide my signing key while doing exploratory hacking,
rebasing a branch on master, etc.
Instead, I want to sign after my final "self-review" and before pushing to
Savannah or sending patches to the list for final review.

So, I've attached a pre-push Git hook that should prevent unsigned commits
from being pushed to any remote [1]. I've also attached a shell function
that will sign commits besides HEAD (useful for signing a range of
commits). I didn't find a more Git-idiomatic way to sign an existing
commit besides HEAD.

Please let me know if you see any problems with this approach, or if you
can suggest some improvements.

[0] http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22883#16
[1] One could make it remote-specific if desired.

Content-Disposition: attachment; filename=pre-push

#!/gnu/store/b1yqjimbdh5bf9jnizd4h7yf110744j2-bash-4.3.42/bin/sh
# A hook script that prevents the user from pushing unsigned commits.
# Called by "git push" after it has checked the remote status, but before
# anything has been pushed. If this script exits with a non-zero status nothing
# will be pushed.
#
# This hook is called with the following parameters:
#
# $1 -- Name of the remote to which the push is being done
# $2 -- URL to which the push is being done
#
# If pushing without using a named remote those arguments will be equal.
#
# Information about the commits which are being pushed is supplied as lines to
# the standard input in the form:
#
#   <local ref> <local sha1> <remote ref> <remote sha1>

# An all-zero SHA-1 marks a ref that is being deleted (local side) or that
# does not yet exist on the remote (remote side).
z40=0000000000000000000000000000000000000000

while read local_ref local_sha remote_ref remote_sha
do
    if [ "$local_sha" = "$z40" ]
    then
        # Handle delete: nothing to verify.
        :
    else
        if [ "$remote_sha" = "$z40" ]
        then
            # New branch, examine all commits
            range="$local_sha"
        else
            # Update to existing branch, examine new commits
            range="$remote_sha..$local_sha"
        fi

        # Check if push candidate commits are PGP signed.  An empty range
        # (for example a forced push back to an ancestor) has nothing to
        # verify; without the guard "git verify-commit" would be run with
        # no arguments and fail with a usage error.
        commits=$(git rev-list $range)
        if [ -n "$commits" ] && ! git verify-commit $commits >/dev/null 2>&1
        then
            echo "error: Please sign these commits before pushing:" 1>&2
            echo "$range" 1>&2
            exit 1
        fi
    fi
done

exit 0

Content-Disposition: attachment; filename=git-sign

git-sign() {
    # Usage: git-sign [BASE]
    # Replays every commit after BASE up to HEAD, re-creating each one with
    # "git commit --amend --gpg-sign" so it carries a signature.  With no
    # argument BASE is HEAD.
    case $# in
        "0") range=HEAD ;;
        "1") range=$1 ;;
        * ) echo "too many arguments" 1>&2; return 1 ;;
    esac

    # In git-2.8.4, it should be possible to drop the -i option,
    # along with the override of EDITOR:
    # https://git.kernel.org/cgit/git/git.git/commit/?h=next&id=78ec240020db4bdd773830f3d41f4b4bdf9a4e2d
    #
    # EDITOR=true makes the interactive rebase accept its generated todo
    # list without opening an editor.  If anything fails, the rebase is
    # aborted so the branch is left as it was.
    EDITOR=true git rebase -i "$range" --exec "git commit --amend --no-edit --gpg-sign" \
        || git rebase --abort
}
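The hook above rejects a push by printing only the range, and for a branch that is new on the remote it walks the branch's entire history with "git rev-list $local_sha", so older commits made before anyone signed would block the push. The following POSIX sh is an added example, written here rather than taken from Leo's message or from Guix, of a stricter verification step that (a) names each offending commit, (b) lets the hook require a good signature from a key the pusher's keyring trusts ("%G?" = G) instead of also passing good signatures from keys of unknown validity (U), which "git verify-commit" accepts, and (c) for a new branch excludes commits already reachable from any remote-tracking ref. It assumes a git that supports the "%G?" placeholder in --format (status letters G, U, B, N and others); the sample log lines are constructed, and the names unsigned_commits, push_range, check_range and demo are mine.

```shell
#!/bin/sh
# Added example (not part of Leo's message or of Guix): a stricter
# verification step for a pre-push hook.  Assumes git supports
# --format='%H %G?', where the status letter is G (good signature, trusted
# key), U (good signature, key of unknown validity), B (bad signature),
# N (no signature) or another letter for other failures.

# Read "<sha> <status>" lines (the output of git log --format='%H %G?') on
# stdin and print every line whose status letter is not in ACCEPT.
# ACCEPT defaults to "G": only good signatures from keys your keyring
# trusts pass.  Pass "GU" to also accept good signatures from unknown keys.
unsigned_commits() {
    accept="${1:-G}"
    while read -r sha status; do
        case "$status" in
            "") printf '%s ?\n' "$sha" ;;          # no status at all: treat as unsigned
            *)  case "$accept" in
                    *"$status"*) ;;                  # accepted status letter
                    *) printf '%s %s\n' "$sha" "$status" ;;
                esac ;;
        esac
    done
}

# Turn the <local sha1> and <remote sha1> a pre-push hook reads from stdin
# into the revision range to examine.  For a branch that does not yet exist
# on the remote, "--not --remotes" drops everything already reachable from
# a remote-tracking ref, so history pushed before signing began is not
# re-checked on every new branch.
push_range() {
    local_sha="$1"
    remote_sha="$2"
    z40=0000000000000000000000000000000000000000
    if [ "$remote_sha" = "$z40" ]; then
        echo "$local_sha --not --remotes"
    else
        echo "$remote_sha..$local_sha"
    fi
}

# Check every commit in RANGE; print the unacceptable ones to stderr and
# return 1 if there are any.  Drop-in replacement for the hook's
# verify-commit step:
#     check_range "$(push_range "$local_sha" "$remote_sha")" || exit 1
check_range() {
    range="$1"
    accept="${2:-G}"
    # $range is intentionally unquoted so "--not --remotes" splits into words.
    bad=$(git log --format='%H %G?' $range | unsigned_commits "$accept")
    if [ -n "$bad" ]; then
        echo "error: commits without an acceptable signature:" 1>&2
        echo "$bad" 1>&2
        return 1
    fi
    return 0
}

# Constructed sample of `git log --format='%H %G?'` output, used only so the
# filter can be exercised without a repository or a keyring.
SAMPLE_LOG='1111111111111111111111111111111111111111 G
2222222222222222222222222222222222222222 N
3333333333333333333333333333333333333333 U'

# Run the filter over the sample with the given ACCEPT set.
demo() {
    printf '%s\n' "$SAMPLE_LOG" | unsigned_commits "$1"
}
```

Inside the hook's loop, "check_range "$(push_range "$local_sha" "$remote_sha")" || exit 1" replaces the verify-commit call; whether U should be accepted depends on whether every committer's key is expected to be signed or locally trusted in each pusher's keyring, so the default here is the strict G.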