all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
From: Leo Famulari <leo@famulari.name>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: guix-devel@gnu.org
Subject: Re: Bad signature on commit 6a34f4ccc8a5d (gnu: python-prompt-toolkit: Update to 1.0.9.)
Date: Tue, 3 Jan 2017 12:29:53 -0500	[thread overview]
Message-ID: <20170103172953.GB22250@jasmine> (raw)
In-Reply-To: <87pok4725k.fsf@gnu.org>


[-- Attachment #1.1: Type: text/plain, Size: 455 bytes --]

On Tue, Jan 03, 2017 at 01:34:31PM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> 
> > On Mon, Jan 02, 2017 at 09:59:20PM +0100, Ludovic Courtès wrote:
> >> I’m all for adding it to the repo and recommending it in HACKING.
> >> 
> >> Leo?
> >
> > I've attached a patch.
> 
> Actually no.  :-)

Oops! I'll try again ;)

> > I'm not sure where to store the hook.
> 
> I’d say in a new etc/guix directory?

[-- Attachment #1.2: 0001-doc-Add-a-Git-hook-that-verifies-signatures-before-p.patch --]
[-- Type: text/plain, Size: 3135 bytes --]

From 837f7c717b201998810a46b8dadf8ba2165dde69 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Tue, 3 Jan 2017 01:19:25 -0500
Subject: [PATCH] doc: Add a Git hook that verifies signatures before pushing.

* HACKING (Commit Access): Describe the pre-push Git hook.
* etc/guix/pre-push: New file.
---
 HACKING           |  5 +++++
 etc/guix/pre-push | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+)
 create mode 100755 etc/guix/pre-push

diff --git a/HACKING b/HACKING
index 28948b3e2..364eedf6b 100644
--- a/HACKING
+++ b/HACKING
@@ -4,6 +4,7 @@
 
 Copyright © 2012, 2013, 2014, 2016 Ludovic Courtès <ludo@gnu.org>
 Copyright © 2015 Mathieu Lirzin <mthl@openmailbox.org>
+Copyright © 2017 Leo Famulari <leo@famulari.name>
 
   Copying and distribution of this file, with or without modification,
   are permitted in any medium without royalty provided the copyright
@@ -43,6 +44,10 @@ configure Git to automatically sign commits, run:
   git config commit.gpgsign true
   git config user.signingkey CABBA6EA1DC0FF33
 
+You can prevent yourself from accidentally pushing unsigned commits to Savannah
+by using the pre-push Git hook called 'pre-push'. It's located at
+'etc/guix/pre-push'.
+
 For anything else, please post to guix-devel@gnu.org and leave time for a
 review, without committing anything.  If you didn’t receive any reply
 after two weeks, and if you’re confident, it’s OK to commit.
diff --git a/etc/guix/pre-push b/etc/guix/pre-push
new file mode 100755
index 000000000..c894c5a9e
--- /dev/null
+++ b/etc/guix/pre-push
@@ -0,0 +1,57 @@
+#!/bin/sh
+
+# This hook script prevents the user from pushing to Savannah if any of the new
+# commits' OpenPGP signatures cannot be verified.
+
+# Called by "git push" after it has checked the remote status, but before
+# anything has been pushed.  If this script exits with a non-zero status nothing
+# will be pushed.
+#
+# This hook is called with the following parameters:
+#
+# $1 -- Name of the remote to which the push is being done
+# $2 -- URL to which the push is being done
+#
+# If pushing without using a named remote those arguments will be equal.
+#
+# Information about the commits which are being pushed is supplied as lines to
+# the standard input in the form:
+#
+#   <local ref> <local sha1> <remote ref> <remote sha1>
+
+z40=0000000000000000000000000000000000000000
+
+# Only use the hook when pushing to Savannah.
+case "$2" in
+*git.sv.gnu.org*)
+	break
+	;;
+*)
+	exit 0
+	;;
+esac
+
+while read local_ref local_sha remote_ref remote_sha
+do
+	if [ "$local_sha" = $z40 ]
+	then
+		# Handle delete
+		:
+	else
+		if [ "$remote_sha" = $z40 ]
+		then
+			# New branch, examine all commits
+			range="$local_sha"
+		else
+			# Update to existing branch, examine new commits
+			range="$remote_sha..$local_sha"
+		fi
+
+		# Verify the signatures of all commits being pushed.
+		git verify-commit $(git rev-list $range) >/dev/null 2>&1
+
+		exit $?
+	fi
+done
+
+exit 0
-- 
2.11.0


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

  reply	other threads:[~2017-01-03 17:29 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-12-29  2:10 Bad signature on commit 6a34f4ccc8a5d (gnu: python-prompt-toolkit: Update to 1.0.9.) Leo Famulari
2016-12-29  2:47 ` Leo Famulari
2016-12-29  3:04   ` Tobias Geerinckx-Rice
2016-12-29 17:13     ` Leo Famulari
2016-12-29  2:49 ` Tobias Geerinckx-Rice
2016-12-29  6:08   ` John Darrington
2016-12-29  6:39     ` Leo Famulari
2016-12-29  6:44     ` Leo Famulari
2016-12-29  7:38       ` Leo Famulari
2017-01-02 20:59   ` Ludovic Courtès
2017-01-03  6:24     ` Leo Famulari
2017-01-03 12:34       ` Ludovic Courtès
2017-01-03 17:29         ` Leo Famulari [this message]
2017-01-04 21:05           ` Ludovic Courtès

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170103172953.GB22250@jasmine \
    --to=leo@famulari.name \
    --cc=guix-devel@gnu.org \
    --cc=ludo@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.