Re: Bad signature on commit 6a34f4ccc8a5d (gnu: python-prompt-toolkit: Update to 1.0.9.)

[Leo Famulari <leo@famulari.name>]

[-- Attachment #1.1: Type: text/plain, Size: 455 bytes --]

On Tue, Jan 03, 2017 at 01:34:31PM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> 
> > On Mon, Jan 02, 2017 at 09:59:20PM +0100, Ludovic Courtès wrote:
> >> I’m all for adding it to the repo and recommending it in HACKING.
> >> 
> >> Leo?
> >
> > I've attached a patch.
> 
> Actually no.  :-)

Oops! I'll try again ;)

> > I'm not sure where to store the hook.
> 
> I’d say in a new etc/guix directory?

[-- Attachment #1.2: 0001-doc-Add-a-Git-hook-that-verifies-signatures-before-p.patch --]
[-- Type: text/plain, Size: 3135 bytes --]

From 837f7c717b201998810a46b8dadf8ba2165dde69 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Tue, 3 Jan 2017 01:19:25 -0500
Subject: [PATCH] doc: Add a Git hook that verifies signatures before pushing.

* HACKING (Commit Access): Describe the pre-push Git hook.
* etc/guix/pre-push: New file.
---
 HACKING           |  5 +++++
 etc/guix/pre-push | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+)
 create mode 100755 etc/guix/pre-push

diff --git a/HACKING b/HACKING
index 28948b3e2..364eedf6b 100644
--- a/HACKING
+++ b/HACKING
@@ -4,6 +4,7 @@
 
 Copyright © 2012, 2013, 2014, 2016 Ludovic Courtès <ludo@gnu.org>
 Copyright © 2015 Mathieu Lirzin <mthl@openmailbox.org>
+Copyright © 2017 Leo Famulari <leo@famulari.name>
 
   Copying and distribution of this file, with or without modification,
   are permitted in any medium without royalty provided the copyright
@@ -43,6 +44,10 @@ configure Git to automatically sign commits, run:
   git config commit.gpgsign true
   git config user.signingkey CABBA6EA1DC0FF33
 
+You can prevent yourself from accidentally pushing unsigned commits to Savannah
+by using the pre-push Git hook called 'pre-push'. It's located at
+'etc/guix/pre-push'.
+
 For anything else, please post to guix-devel@gnu.org and leave time for a
 review, without committing anything.  If you didn’t receive any reply
 after two weeks, and if you’re confident, it’s OK to commit.
diff --git a/etc/guix/pre-push b/etc/guix/pre-push
new file mode 100755
index 000000000..c894c5a9e
--- /dev/null
+++ b/etc/guix/pre-push
@@ -0,0 +1,57 @@
+#!/bin/sh
+
+# This hook script prevents the user from pushing to Savannah if any of the new
+# commits' OpenPGP signatures cannot be verified.
+
+# Called by "git push" after it has checked the remote status, but before
+# anything has been pushed.  If this script exits with a non-zero status nothing
+# will be pushed.
+#
+# This hook is called with the following parameters:
+#
+# $1 -- Name of the remote to which the push is being done
+# $2 -- URL to which the push is being done
+#
+# If pushing without using a named remote those arguments will be equal.
+#
+# Information about the commits which are being pushed is supplied as lines to
+# the standard input in the form:
+#
+#   <local ref> <local sha1> <remote ref> <remote sha1>
+
+z40=0000000000000000000000000000000000000000
+
+# Only use the hook when pushing to Savannah.
+case "$2" in
+*git.sv.gnu.org*)
+	break
+	;;
+*)
+	exit 0
+	;;
+esac
+
+while read local_ref local_sha remote_ref remote_sha
+do
+	if [ "$local_sha" = $z40 ]
+	then
+		# Handle delete
+		:
+	else
+		if [ "$remote_sha" = $z40 ]
+		then
+			# New branch, examine all commits
+			range="$local_sha"
+		else
+			# Update to existing branch, examine new commits
+			range="$remote_sha..$local_sha"
+		fi
+
+		# Verify the signatures of all commits being pushed.
+		git verify-commit $(git rev-list $range) >/dev/null 2>&1
+
+		exit $?
+	fi
+done
+
+exit 0
-- 
2.11.0


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]