From: "Ludovic Courtès" <ludo@gnu.org>
To: Guix Devel <guix-devel@gnu.org>
Subject: Updating the “pre-push” Git hook
Date: Fri, 22 May 2020 22:44:48 +0200
Message-ID: <87imgn8zsv.fsf@gnu.org>
Hello Guix!
I think we should change our pre-push hook as shown below.
Thoughts?
Thanks,
Ludo’.
[-- Attachment #2: Type: text/x-patch, Size: 1816 bytes --]
diff --git a/etc/git/pre-push b/etc/git/pre-push
index 9206a2dfe5..415345fc75 100755
--- a/etc/git/pre-push
+++ b/etc/git/pre-push
@@ -1,7 +1,8 @@
#!/bin/sh
# This hook script prevents the user from pushing to Savannah if any of the new
-# commits' OpenPGP signatures cannot be verified.
+# commits' OpenPGP signatures cannot be verified, or if a commit is signed
+# with an unauthorized key.
# Called by "git push" after it has checked the remote status, but before
# anything has been pushed. If this script exits with a non-zero status nothing
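Review bot: the updated header comment (the two `+` lines) documents the unauthorized-key case but not the other check the hook now performs: the new body runs `make authenticate check-channel-news`, so a push can also be refused by `check-channel-news`. Consider adding a line to the header saying that the hook delegates to those two make targets, so that someone whose push is rejected knows where the failure comes from.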
@@ -19,51 +20,13 @@
#
# <local ref> <local sha1> <remote ref> <remote sha1>
-z40=0000000000000000000000000000000000000000
-
# Only use the hook when pushing to Savannah.
case "$2" in
-*git.sv.gnu.org*)
- break
+ *.gnu.org*)
+ exec make authenticate check-channel-news
+ exit 127
;;
-*)
+ *)
exit 0
;;
esac
-
-while read local_ref local_sha remote_ref remote_sha
-do
- if [ "$local_sha" = $z40 ]
- then
- # Handle delete
- :
- else
- if [ "$remote_sha" = $z40 ]
- then
- # We are pushing a new branch. To prevent wasting too
- # much time for this relatively rare case, we examine
- # all commits since the first signed commit, rather than
- # the full history. This check *will* fail, and the user
- # will need to temporarily disable the hook to push the
- # new branch.
- range="e3d0fcbf7e55e8cbe8d0a1c5a24d73f341d7243b..$local_sha"
- else
- # Update to existing branch, examine new commits
- range="$remote_sha..$local_sha"
- fi
-
- # Verify the signatures of all commits being pushed.
- ret=0
- for commit in $(git rev-list $range)
- do
- if ! git verify-commit $commit >/dev/null 2>&1
- then
- printf "%s failed signature check\n" $commit
- ret=1
- fi
- done
- exit $ret
- fi
-done
-
-exit 0
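Review bot: in the `case "$2"` arm, the new pattern `*.gnu.org*` matches any remote URL that contains `.gnu.org`, while the unchanged comment just above still says "Only use the hook when pushing to Savannah"; either narrow the pattern to the Savannah host names or update the comment to describe the wider match. Separately, with the `while read local_ref local_sha remote_ref remote_sha` loop removed, the script no longer reads the pushed refs from stdin or computes a `$remote_sha..$local_sha` range, so nothing in this file ties the check to the commits actually being pushed; it would help to state in a comment what `make authenticate` examines (for example the checked-out branch) so that pushing a different branch is not assumed to be covered. The `exit 127` after `exec` is only reached if `exec` itself fails, which deserves a short comment.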