From mboxrd@z Thu Jan 1 00:00:00 1970
From: Leo Famulari
Subject: Re: Bad signature on commit 6a34f4ccc8a5d (gnu: python-prompt-toolkit: Update to 1.0.9.)
Date: Thu, 29 Dec 2016 01:44:59 -0500
Message-ID: <20161229064459.GA27432@jasmine>
References: <20161229021015.GA16162@jasmine> <3cd2cda0-e1c7-9b6d-b04c-b31302a0fe45@tobias.gr> <20161229060818.GA29613@jocasta.intra>
In-Reply-To: <20161229060818.GA29613@jocasta.intra>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="XF85m9dhOBO43t/C"
Content-Disposition: inline
List-Id: "Development of GNU Guix and the GNU System distribution."
To: John Darrington
Cc: guix-devel@gnu.org

--XF85m9dhOBO43t/C
Content-Type: multipart/mixed; boundary="CE+1k2dSO48ffgeK"
Content-Disposition: inline

--CE+1k2dSO48ffgeK
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Thu, Dec 29, 2016 at 07:08:18AM +0100, John Darrington wrote:
> How did these commits get into the repository? Our repository is
> configured to reject unsigned commits. Can it be that it doesn't
> actually check that the signature matches? !!!

Here's a pre-push Git hook that should prevent unsigned commits from
being pushed to any remote. I'd like to improve it to be applied
selectively per-remote.

--CE+1k2dSO48ffgeK
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=pre-push

#!/gnu/store/b1yqjimbdh5bf9jnizd4h7yf110744j2-bash-4.3.42/bin/sh

# A hook script that prevents the user from pushing unsigned commits.
# Called by "git push" after it has checked the remote status, but before
# anything has been pushed.  If this script exits with a non-zero status nothing
# will be pushed.
#
# This hook is called with the following parameters:
#
# $1 -- Name of the remote to which the push is being done
# $2 -- URL to which the push is being done
#
# If pushing without using a named remote those arguments will be equal.
#
# Information about the commits which are being pushed is supplied as lines to
# the standard input in the form:
#
#   <local ref> <local sha1> <remote ref> <remote sha1>

z40=0000000000000000000000000000000000000000

while read local_ref local_sha remote_ref remote_sha
do
	if [ "$local_sha" = "$z40" ]
	then
		# Handle delete
		:
	else
		if [ "$remote_sha" = "$z40" ]
		then
			# New branch, examine all commits
			range="$local_sha"
		else
			# Update to existing branch, examine new commits
			range="$remote_sha..$local_sha"
		fi

		# Check if push candidate commits are PGP signed.
		commits=$(git rev-list "$range") || exit 1
		if [ -n "$commits" ]
		then
			# Abort the push as soon as one ref fails verification;
			# otherwise continue with the next ref instead of exiting.
			git verify-commit $commits >/dev/null 2>&1 || exit 1
		fi
	fi
done

exit 0

--CE+1k2dSO48ffgeK--

--XF85m9dhOBO43t/C
Content-Type: application/pgp-signature; name="signature.asc"

--XF85m9dhOBO43t/C--
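
One way to apply the check only to selected remotes and to report why a commit is rejected, as an added example (not code from this message or from the Guix project). It reads Git's `%G?` status for each commit, so an unsigned commit (`N`) and a bad signature (`B`) are reported separately; `PROTECTED_REMOTES` and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the hook from the message above.
# PROTECTED_REMOTES is a hypothetical setting (space-separated remote names).
PROTECTED_REMOTES="${PROTECTED_REMOTES:-origin}"
z40=0000000000000000000000000000000000000000

# Succeed if remote name $1 is listed in PROTECTED_REMOTES.
remote_is_protected() {
    for r in $PROTECTED_REMOTES; do
        [ "$r" = "$1" ] && return 0
    done
    return 1
}

# Read "<sha> <status>" lines as printed by: git log --format='%H %G?' RANGE
# Print each commit that fails the policy; return 1 if any did.
# %G? codes: G good, U good but key validity unknown, B bad, N no signature,
# X/Y/R expired signature, expired key, revoked key, E cannot be checked.
reject_unverified() {
    rc=0
    while read -r sha status; do
        case "$status" in
            G|U) ;;                                   # accepted by this policy
            N) echo "$sha: unsigned"; rc=1 ;;
            B) echo "$sha: bad signature"; rc=1 ;;
            *) echo "$sha: signature not accepted ($status)"; rc=1 ;;
        esac
    done
    return $rc
}

# Hook body: runs only when installed as .git/hooks/pre-push, and enforces the
# policy only for protected remotes ($1 is the remote name).
if [ "${0##*/}" = pre-push ] && remote_is_protected "$1"; then
    while read -r local_ref local_sha remote_ref remote_sha; do
        [ "$local_sha" = "$z40" ] && continue         # branch deletion
        if [ "$remote_sha" = "$z40" ]; then
            range="$local_sha"                        # new branch: all commits
        else
            range="$remote_sha..$local_sha"           # only the new commits
        fi
        git log --format='%H %G?' "$range" | reject_unverified >&2 || exit 1
    done
fi
```

Remove `U` from the accepted case for a stricter policy that requires the signing key to be fully valid in the local keyring.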