Commit signing workflow

unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed

* Commit signing workflow
@ 2016-05-23  0:12 Leo Famulari
  2016-05-23 21:45 ` Ludovic Courtès
  0 siblings, 1 reply; 2+ messages in thread
From: Leo Famulari @ 2016-05-23  0:12 UTC (permalink / raw)
  To: guix-devel

[-- Attachment #1.1: Type: text/plain, Size: 1024 bytes --]

As requested in the discussion on "Trustable guix pull" [0], I've
recently started signing the commits I push to Savannah.

At first, I set "gpgsign = true" in my Guix repo's Git config. This
requires you to sign every commit you make. It's effective, but I found
it annoying to provide my signing key while doing exploratory hacking,
rebasing a branch on master, etc.

Instead, I want to sign after my final "self-review" and before pushing
to Savannah or sending patches to the list for final review.

So, I've attached a pre-push Git hook that should prevent unsigned
commits from being pushed to any remote [1]. I've also attached a shell
function that will sign commits besides HEAD (useful for signing a range
of commits). I didn't find a more Git-idiomatic way to sign an existing
commit besides HEAD.

Please let me know if you see any problems with this approach, or if you
can suggest some improvements.

[0]
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22883#16

[1] One could make it remote-specific if desired.

[-- Attachment #1.2: pre-push --]
[-- Type: text/plain, Size: 1335 bytes --]

#!/gnu/store/b1yqjimbdh5bf9jnizd4h7yf110744j2-bash-4.3.42/bin/sh

# A hook script that prevents the user from pushing unsigned commits.

# Called by "git push" after it has checked the remote status, but before
# anything has been pushed.  If this script exits with a non-zero status nothing
# will be pushed.
#
# This hook is called with the following parameters:
#
# $1 -- Name of the remote to which the push is being done
# $2 -- URL to which the push is being done
#
# If pushing without using a named remote those arguments will be equal.
#
# Information about the commits which are being pushed is supplied as lines to
# the standard input in the form:
#
#   <local ref> <local sha1> <remote ref> <remote sha1>

z40=0000000000000000000000000000000000000000

while read local_ref local_sha remote_ref remote_sha
do
	if [ "$local_sha" = $z40 ]
	then
		# Handle delete
		:
	else
		if [ "$remote_sha" = $z40 ]
		then
			# New branch, examine all commits
			range="$local_sha"
		else
			# Update to existing branch, examine new commits
			range="$remote_sha..$local_sha"
		fi

		# Check if push candidate commits are PGP signed.
		git verify-commit $(git rev-list $range) >/dev/null 2>&1

		if [ $? -ne 0 ]
		then
			echo "error: Please sign these commits before pushing:" 1>&2
			echo $range 1>&2

			exit 1
		fi

	fi
done

exit 0

[-- Attachment #1.3: git-sign --]
[-- Type: text/plain, Size: 439 bytes --]

git-sign() {
	case $# in
		"0") range=HEAD ;;
		"1") range=$1 ;;
		 * ) echo "too many arguments" 1>&2; return 1 ;;
	esac

	# In git-2.8.4, it should be possible to drop the -i option ,
	# along with the override of EDITOR:
	# https://git.kernel.org/cgit/git/git.git/commit/?h=next&id=78ec240020db4bdd773830f3d41f4b4bdf9a4e2d
	EDITOR=true git rebase -i "$range" --exec "git commit --amend --no-edit --gpg-sign" \
		|| git rebase --abort
}

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: Commit signing workflow
  2016-05-23  0:12 Commit signing workflow Leo Famulari
@ 2016-05-23 21:45 ` Ludovic Courtès
  0 siblings, 0 replies; 2+ messages in thread
From: Ludovic Courtès @ 2016-05-23 21:45 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Hello!

Leo Famulari <leo@famulari.name> skribis:

> As requested in the discussion on "Trustable guix pull" [0], I've
> recently started signing the commits I push to Savannah.
>
> At first, I set "gpgsign = true" in my Guix repo's Git config. This
> requires you to sign every commit you make. It's effective, but I found
> it annoying to provide my signing key while doing exploratory hacking,
> rebasing a branch on master, etc.
>
> Instead, I want to sign after my final "self-review" and before pushing
> to Savannah or sending patches to the list for final review.

I use ‘gpg-agent’, which IMO makes things rather convenient, but YMMV.

> So, I've attached a pre-push Git hook that should prevent unsigned
> commits from being pushed to any remote [1].

I like this one, thanks!  :-)

> I've also attached a shell function that will sign commits besides
> HEAD (useful for signing a range of commits). I didn't find a more
> Git-idiomatic way to sign an existing commit besides HEAD.
>
> Please let me know if you see any problems with this approach, or if you
> can suggest some improvements.

It seems reasonable to me.

Ludo’.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2016-05-23 21:45 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-05-23  0:12 Commit signing workflow Leo Famulari
2016-05-23 21:45 ` Ludovic Courtès

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).