* Commit signing workflow
From: Leo Famulari @ 2016-05-23 0:12 UTC (permalink / raw)
To: guix-devel
As requested in the discussion on "Trustable guix pull" [0], I've
recently started signing the commits I push to Savannah.
At first, I set "gpgsign = true" in my Guix repo's Git config. This
requires you to sign every commit you make. It's effective, but I found
it annoying to provide my signing key while doing exploratory hacking,
rebasing a branch on master, etc.
Instead, I want to sign after my final "self-review" and before pushing
to Savannah or sending patches to the list for final review.
So, I've attached a pre-push Git hook that should prevent unsigned
commits from being pushed to any remote [1]. I've also attached a shell
function that will sign commits besides HEAD (useful for signing a range
of commits). I didn't find a more Git-idiomatic way to sign an existing
commit besides HEAD.
Please let me know if you see any problems with this approach, or if you
can suggest some improvements.
[0] http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22883#16
[1] One could make it remote-specific if desired.
[-- Attachment #1.2: pre-push --]
[-- Type: text/plain, Size: 1335 bytes --]
#!/gnu/store/b1yqjimbdh5bf9jnizd4h7yf110744j2-bash-4.3.42/bin/sh
# A hook script that prevents the user from pushing unsigned commits.
# Called by "git push" after it has checked the remote status, but before
# anything has been pushed. If this script exits with a non-zero status nothing
# will be pushed.
#
# This hook is called with the following parameters:
#
# $1 -- Name of the remote to which the push is being done
# $2 -- URL to which the push is being done
#
# If pushing without using a named remote those arguments will be equal.
#
# Information about the commits which are being pushed is supplied as lines to
# the standard input in the form:
#
# <local ref> <local sha1> <remote ref> <remote sha1>

z40=0000000000000000000000000000000000000000

while read -r local_ref local_sha remote_ref remote_sha
do
    if [ "$local_sha" = "$z40" ]
    then
        # Handle delete: nothing to verify.
        :
    else
        if [ "$remote_sha" = "$z40" ]
        then
            # New branch, examine all commits reachable from it.
            range="$local_sha"
        else
            # Update to existing branch, examine new commits only.
            range="$remote_sha..$local_sha"
        fi

        # Nothing new to verify (e.g. the remote already has every commit);
        # skip rather than hand verify-commit an empty argument list.
        commits=$(git rev-list "$range")
        if [ -z "$commits" ]
        then
            continue
        fi

        # Check if push candidate commits are PGP signed. verify-commit exits
        # non-zero if any of the commits lacks a good signature. $commits is
        # deliberately unquoted so that each SHA becomes one argument.
        if ! git verify-commit $commits >/dev/null 2>&1
        then
            echo "error: Please sign these commits before pushing:" 1>&2
            echo "$range" 1>&2
            exit 1
        fi
    fi
done

exit 0
[-- Attachment #1.3: git-sign --]
[-- Type: text/plain, Size: 439 bytes --]
# Sign commits by rewriting them with "git commit --amend --gpg-sign".
# With no argument the rebase base is HEAD, so only HEAD itself is re-signed;
# given a base commit, every commit in <base>..HEAD is rewritten with a
# signature.
git-sign() {
    case $# in
        "0") range=HEAD ;;
        "1") range=$1 ;;
        * ) echo "too many arguments" 1>&2; return 1 ;;
    esac
    # In git-2.8.4, it should be possible to drop the -i option,
    # along with the override of EDITOR:
    # https://git.kernel.org/cgit/git/git.git/commit/?h=next&id=78ec240020db4bdd773830f3d41f4b4bdf9a4e2d
    # On failure, abort the rebase and report failure to the caller instead of
    # returning the exit status of "git rebase --abort".
    EDITOR=true git rebase -i "$range" --exec "git commit --amend --no-edit --gpg-sign" \
        || { git rebase --abort; return 1; }
}
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
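The hook above establishes only that each commit carries a good signature from some key in the pusher's keyring; it does not check whose key made it, which is the question the "Trustable guix pull" discussion is really about. The script below is an added example, not part of Leo's attachments or of Guix: it runs `git log --format='%H %G? %GP'` over a range and rejects any commit that is unsigned, has a bad or uncheckable signature, or is signed by a primary key not on a hard-coded allow-list. The fingerprints and SHAs in it are constructed placeholders, and `%GP` assumes git 2.17 or later (older git only offers `%GK`, the signing key id).

```shell
#!/bin/sh
# check-signers.sh: added example (not Leo's hook). Verifies that every
# commit in a range has a good PGP signature AND that the signing key is on
# an explicit allow-list. "git verify-commit" alone only proves that some
# key in the local keyring produced a good signature, not that the signer
# is someone allowed to push.
#
# Assumes git >= 2.17 for the %GP placeholder (primary-key fingerprint).

# Allow-list of primary-key fingerprints, space separated. These values are
# constructed placeholders, not real maintainer keys.
ALLOWED_FINGERPRINTS="0000000000000000000000000000000000000001 0000000000000000000000000000000000000002"

# Judge one "<sha> <status> <fingerprint>" line as produced by
#   git log --format='%H %G? %GP'
# %G? is G (good, trusted), U (good, unknown validity), N (unsigned),
# B (bad), E (cannot be checked, e.g. key missing), X/Y/R (expired/revoked).
# Returns 0 when the commit is acceptable, 1 otherwise (reason on stdout).
check_signer_line() {
    sha=$1; status=$2; fpr=$3
    case $status in
        G|U) ;;   # good signature; U is fine because the allow-list replaces gpg trust levels
        N) echo "$sha: not signed"; return 1 ;;
        B) echo "$sha: bad signature"; return 1 ;;
        E) echo "$sha: signature cannot be checked (signing key not in keyring)"; return 1 ;;
        *) echo "$sha: signature status '$status' rejected"; return 1 ;;
    esac
    case " $ALLOWED_FINGERPRINTS " in
        *" $fpr "*) return 0 ;;
        *) echo "$sha: signed by '$fpr', which is not on the allow-list"; return 1 ;;
    esac
}

# Read such lines on stdin, report every offending commit, fail if any.
check_signer_lines() {
    bad=0
    while read -r sha status fpr
    do
        [ -n "$sha" ] || continue
        check_signer_line "$sha" "$status" "$fpr" || bad=1
    done
    return $bad
}

# Real-repository entry point: check a rev-list range such as
# origin/master..HEAD, or the $range the pre-push hook computes.
check_range() {
    git log --format='%H %G? %GP' "$1" | check_signer_lines
}

# Constructed sample output of the git log command above (fake SHAs/keys).
SAMPLE_OK='1111111111111111111111111111111111111111 G 0000000000000000000000000000000000000001
2222222222222222222222222222222222222222 U 0000000000000000000000000000000000000002'
SAMPLE_BAD='3333333333333333333333333333333333333333 N
4444444444444444444444444444444444444444 G 00000000000000000000000000000000000000FF'

# Wrappers over the samples so the checks can be exercised without a repo.
check_sample_ok()  { printf '%s\n' "$SAMPLE_OK"  | check_signer_lines; }
check_sample_bad() { printf '%s\n' "$SAMPLE_BAD" | check_signer_lines; }

# When run with a range argument, check a real repository.
[ $# -eq 0 ] || check_range "$1"
```

Dropping `check_range "$range"` into the hook in place of the `git verify-commit` call turns "is it signed?" into "is it signed by someone we have decided to trust?", and the per-commit reasons it prints are what a contributor needs to fix a rejected push.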
* Re: Commit signing workflow
From: Ludovic Courtès @ 2016-05-23 21:45 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
Hello!
Leo Famulari <leo@famulari.name> skribis:
> As requested in the discussion on "Trustable guix pull" [0], I've
> recently started signing the commits I push to Savannah.
>
> At first, I set "gpgsign = true" in my Guix repo's Git config. This
> requires you to sign every commit you make. It's effective, but I found
> it annoying to provide my signing key while doing exploratory hacking,
> rebasing a branch on master, etc.
>
> Instead, I want to sign after my final "self-review" and before pushing
> to Savannah or sending patches to the list for final review.
I use ‘gpg-agent’, which IMO makes things rather convenient, but YMMV.
> So, I've attached a pre-push Git hook that should prevent unsigned
> commits from being pushed to any remote [1].
I like this one, thanks! :-)
> I've also attached a shell function that will sign commits besides
> HEAD (useful for signing a range of commits). I didn't find a more
> Git-idiomatic way to sign an existing commit besides HEAD.
>
> Please let me know if you see any problems with this approach, or if you
> can suggest some improvements.
It seems reasonable to me.
Ludo’.