From: Leo Famulari <leo@famulari.name>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: guix-devel@gnu.org
Subject: Re: Bad signature on commit 6a34f4ccc8a5d (gnu: python-prompt-toolkit: Update to 1.0.9.)
Date: Tue, 3 Jan 2017 12:29:53 -0500 [thread overview]
Message-ID: <20170103172953.GB22250@jasmine> (raw)
In-Reply-To: <87pok4725k.fsf@gnu.org>
[-- Attachment #1.1: Type: text/plain, Size: 455 bytes --]
On Tue, Jan 03, 2017 at 01:34:31PM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
>
> > On Mon, Jan 02, 2017 at 09:59:20PM +0100, Ludovic Courtès wrote:
> >> I’m all for adding it to the repo and recommending it in HACKING.
> >>
> >> Leo?
> >
> > I've attached a patch.
>
> Actually no. :-)
Oops! I'll try again ;)
> > I'm not sure where to store the hook.
>
> I’d say in a new etc/guix directory?
[-- Attachment #1.2: 0001-doc-Add-a-Git-hook-that-verifies-signatures-before-p.patch --]
[-- Type: text/plain, Size: 3135 bytes --]
From 837f7c717b201998810a46b8dadf8ba2165dde69 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Tue, 3 Jan 2017 01:19:25 -0500
Subject: [PATCH] doc: Add a Git hook that verifies signatures before pushing.
* HACKING (Commit Access): Describe the pre-push Git hook.
* etc/guix/pre-push: New file.
---
HACKING | 5 +++++
etc/guix/pre-push | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 62 insertions(+)
create mode 100755 etc/guix/pre-push
diff --git a/HACKING b/HACKING
index 28948b3e2..364eedf6b 100644
--- a/HACKING
+++ b/HACKING
@@ -4,6 +4,7 @@
Copyright © 2012, 2013, 2014, 2016 Ludovic Courtès <ludo@gnu.org>
Copyright © 2015 Mathieu Lirzin <mthl@openmailbox.org>
+Copyright © 2017 Leo Famulari <leo@famulari.name>
Copying and distribution of this file, with or without modification,
are permitted in any medium without royalty provided the copyright
@@ -43,6 +44,10 @@ configure Git to automatically sign commits, run:
git config commit.gpgsign true
git config user.signingkey CABBA6EA1DC0FF33
+You can prevent yourself from accidentally pushing unsigned commits to Savannah
+by using the pre-push Git hook called 'pre-push'. It's located at
+'etc/guix/pre-push'.
+
For anything else, please post to guix-devel@gnu.org and leave time for a
review, without committing anything. If you didn’t receive any reply
after two weeks, and if you’re confident, it’s OK to commit.
diff --git a/etc/guix/pre-push b/etc/guix/pre-push
new file mode 100755
index 000000000..c894c5a9e
--- /dev/null
+++ b/etc/guix/pre-push
@@ -0,0 +1,57 @@
+#!/bin/sh
+
+# This hook script prevents the user from pushing to Savannah if any of the new
+# commits' OpenPGP signatures cannot be verified.
+
+# Called by "git push" after it has checked the remote status, but before
+# anything has been pushed. If this script exits with a non-zero status nothing
+# will be pushed.
+#
+# This hook is called with the following parameters:
+#
+# $1 -- Name of the remote to which the push is being done
+# $2 -- URL to which the push is being done
+#
+# If pushing without using a named remote those arguments will be equal.
+#
+# Information about the commits which are being pushed is supplied as lines to
+# the standard input in the form:
+#
+# <local ref> <local sha1> <remote ref> <remote sha1>
+
+z40=0000000000000000000000000000000000000000
+
+# Only use the hook when pushing to Savannah.
+case "$2" in
+*git.sv.gnu.org*)
+ break
+ ;;
+*)
+ exit 0
+ ;;
+esac
+
+while read local_ref local_sha remote_ref remote_sha
+do
+ if [ "$local_sha" = $z40 ]
+ then
+ # Handle delete
+ :
+ else
+ if [ "$remote_sha" = $z40 ]
+ then
+ # New branch, examine all commits
+ range="$local_sha"
+ else
+ # Update to existing branch, examine new commits
+ range="$remote_sha..$local_sha"
+ fi
+
+ # Verify the signatures of all commits being pushed.
+ git verify-commit $(git rev-list $range) >/dev/null 2>&1
+
+ exit $?
+ fi
+done
+
+exit 0
--
2.11.0
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2017-01-03 17:29 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-29 2:10 Bad signature on commit 6a34f4ccc8a5d (gnu: python-prompt-toolkit: Update to 1.0.9.) Leo Famulari
2016-12-29 2:47 ` Leo Famulari
2016-12-29 3:04 ` Tobias Geerinckx-Rice
2016-12-29 17:13 ` Leo Famulari
2016-12-29 2:49 ` Tobias Geerinckx-Rice
2016-12-29 6:08 ` John Darrington
2016-12-29 6:39 ` Leo Famulari
2016-12-29 6:44 ` Leo Famulari
2016-12-29 7:38 ` Leo Famulari
2017-01-02 20:59 ` Ludovic Courtès
2017-01-03 6:24 ` Leo Famulari
2017-01-03 12:34 ` Ludovic Courtès
2017-01-03 17:29 ` Leo Famulari [this message]
2017-01-04 21:05 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170103172953.GB22250@jasmine \
--to=leo@famulari.name \
--cc=guix-devel@gnu.org \
--cc=ludo@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.