From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: Re: Bad signature on commit 6a34f4ccc8a5d (gnu: python-prompt-toolkit: Update to 1.0.9.) Date: Tue, 3 Jan 2017 12:29:53 -0500 Message-ID: <20170103172953.GB22250@jasmine> References: <20161229021015.GA16162@jasmine> <3cd2cda0-e1c7-9b6d-b04c-b31302a0fe45@tobias.gr> <87tw9hb2l3.fsf@gnu.org> <20170103062453.GA15431@jasmine> <87pok4725k.fsf@gnu.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="JP+T4n/bALQSJXh8" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:33385) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cOSuM-0001Ue-AC for guix-devel@gnu.org; Tue, 03 Jan 2017 12:29:59 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cOSuI-0002ou-B2 for guix-devel@gnu.org; Tue, 03 Jan 2017 12:29:58 -0500 Content-Disposition: inline In-Reply-To: <87pok4725k.fsf@gnu.org> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Ludovic =?iso-8859-1?Q?Court=E8s?= Cc: guix-devel@gnu.org --JP+T4n/bALQSJXh8 Content-Type: multipart/mixed; boundary="0OAP2g/MAC+5xKAE" Content-Disposition: inline --0OAP2g/MAC+5xKAE Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jan 03, 2017 at 01:34:31PM +0100, Ludovic Court=C3=A8s wrote: > Leo Famulari skribis: >=20 > > On Mon, Jan 02, 2017 at 09:59:20PM +0100, Ludovic Court=C3=A8s wrote: > >> I=E2=80=99m all for adding it to the repo and recommending it in HACKI= NG. > >>=20 > >> Leo? > > > > I've attached a patch. >=20 > Actually no. :-) Oops! I'll try again ;) > > I'm not sure where to store the hook. >=20 > I=E2=80=99d say in a new etc/guix directory? --0OAP2g/MAC+5xKAE Content-Type: text/plain; charset=utf-8 Content-Disposition: attachment; filename="0001-doc-Add-a-Git-hook-that-verifies-signatures-before-p.patch" Content-Transfer-Encoding: quoted-printable =46rom 837f7c717b201998810a46b8dadf8ba2165dde69 Mon Sep 17 00:00:00 2001 =46rom: Leo Famulari Date: Tue, 3 Jan 2017 01:19:25 -0500 Subject: [PATCH] doc: Add a Git hook that verifies signatures before pushin= g. * HACKING (Commit Access): Describe the pre-push Git hook. * etc/guix/pre-push: New file. --- HACKING | 5 +++++ etc/guix/pre-push | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++= ++++ 2 files changed, 62 insertions(+) create mode 100755 etc/guix/pre-push diff --git a/HACKING b/HACKING index 28948b3e2..364eedf6b 100644 --- a/HACKING +++ b/HACKING @@ -4,6 +4,7 @@ =20 Copyright =C2=A9 2012, 2013, 2014, 2016 Ludovic Court=C3=A8s Copyright =C2=A9 2015 Mathieu Lirzin +Copyright =C2=A9 2017 Leo Famulari =20 Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright @@ -43,6 +44,10 @@ configure Git to automatically sign commits, run: git config commit.gpgsign true git config user.signingkey CABBA6EA1DC0FF33 =20 +You can prevent yourself from accidentally pushing unsigned commits to Sav= annah +by using the pre-push Git hook called 'pre-push'. It's located at +'etc/guix/pre-push'. + For anything else, please post to guix-devel@gnu.org and leave time for a review, without committing anything. If you didn=E2=80=99t receive any re= ply after two weeks, and if you=E2=80=99re confident, it=E2=80=99s OK to commi= t. diff --git a/etc/guix/pre-push b/etc/guix/pre-push new file mode 100755 index 000000000..c894c5a9e --- /dev/null +++ b/etc/guix/pre-push @@ -0,0 +1,57 @@ +#!/bin/sh + +# This hook script prevents the user from pushing to Savannah if any of th= e new +# commits' OpenPGP signatures cannot be verified. + +# Called by "git push" after it has checked the remote status, but before +# anything has been pushed. If this script exits with a non-zero status n= othing +# will be pushed. +# +# This hook is called with the following parameters: +# +# $1 -- Name of the remote to which the push is being done +# $2 -- URL to which the push is being done +# +# If pushing without using a named remote those arguments will be equal. +# +# Information about the commits which are being pushed is supplied as line= s to +# the standard input in the form: +# +# + +z40=3D0000000000000000000000000000000000000000 + +# Only use the hook when pushing to Savannah. +case "$2" in +*git.sv.gnu.org*) + break + ;; +*) + exit 0 + ;; +esac + +while read local_ref local_sha remote_ref remote_sha +do + if [ "$local_sha" =3D $z40 ] + then + # Handle delete + : + else + if [ "$remote_sha" =3D $z40 ] + then + # New branch, examine all commits + range=3D"$local_sha" + else + # Update to existing branch, examine new commits + range=3D"$remote_sha..$local_sha" + fi + + # Verify the signatures of all commits being pushed. + git verify-commit $(git rev-list $range) >/dev/null 2>&1 + + exit $? + fi +done + +exit 0 --=20 2.11.0 --0OAP2g/MAC+5xKAE-- --JP+T4n/bALQSJXh8 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlhr340ACgkQJkb6MLrK fwgX5RAAqb1OfAdl0PgmQwyBjk9862i2HSFJCUN4aEhgGfelCMopBfx3b+O7oMyp CyIQZ1IW0b2lADdtHAWmer87onRz+JYkeVCV6n7RStpfO+CZ3/VVNZef7PFbRhOg 6lTAqeSjaU+x1s97uXc/o38XnRU6avLqKzfLDFMxX8p3s6n715n3owaxlUlkvtJp D97lLThhmnZ6Cib7SKTcDDoJ3V8wwsUJ6p6ykb+hnTchnDYUOZVrl2Ra9wVP0ZuP mFqrPW205VgW5vqFRSDOY7IUOGS4e33XxBMj9kL5lmwywRC/PzwWqwU/MpER0qwO ByA2kTNRhKDS/iNdr4IWXSgDJ2HaeHUDvuCp6vTb0K3I2gRp1A8/SiRb65CvD6SB bKRAA3rJcgTb3qO4fPi2ufSq+vsFRYa6gdeA33ob0g9tHg59x6FbZY4efRdZaRMB KCBNKq45sVbWd1N3ZFIb7RA/uWNW8ai0K8vBA/m4ryHlhv3cj0FvY1EbFC9QdxSr 3mX+SNX/oIfygHerqA9pOXustWk2Ce9Shxvq8O+7I3Lj+ERgfuN6oV/aX6z/oSDU E2tQnZPhxUC1cNzhbZl6eJax+/dIHbrCv3kXAFjltvWmaeNsJrcZX2fYt/Dtejwp X2Bst6cctwLzQOzMelhTinZmSN9wSKJIXlzv9QRjN+4WbqIpXTo= =vpZz -----END PGP SIGNATURE----- --JP+T4n/bALQSJXh8--