From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Leo Famulari
Subject: Re: pre-push signature hook error reporting
Date: Mon, 6 Feb 2017 16:39:22 +0100
Message-ID: <20170206153922.GA10240@jasmine>
In-Reply-To: <20170121013910.GC26714@jasmine>
To: Ludovic Courtès
Cc: guix-devel@gnu.org

On Fri, Jan 20, 2017 at 03:05:42PM +0100, Ludovic Courtès wrote:
> For the pre-push hook, the overhead seems reasonable (perhaps we could
> limit the range to commits after the first signed commit to avoid
> looping for no reason?) and an improvement.

Here is a patch for the hook that I've been using for the past couple weeks.
For the common use case of pushing new commits to an existing branch, I don't notice the hook at all, except when it catches my mistakes.

From 7d8206949f98a121bb2d50e0eecfcba1d9cce27a Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Mon, 23 Jan 2017 00:57:46 -0500
Subject: [PATCH] etc: The pre-push hook says which commits failed the signature check.

* etc/git/pre-push: Check each commit's signature individually so that we can report which commits fail the check.
---
 etc/git/pre-push | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/etc/git/pre-push b/etc/git/pre-push
index c894c5a9e..9206a2dfe 100755
--- a/etc/git/pre-push
+++ b/etc/git/pre-push
@@ -40,17 +40,29 @@ do else if [ "$remote_sha" =3D $z40 ] then - # New branch, examine all commits - range=3D"$local_sha" + # We are pushing a new branch. To prevent wasting too + # much time for this relatively rare case, we examine + # all commits since the first signed commit, rather than + # the full history. This check *will* fail, and the user + # will need to temporarily disable the hook to push the + # new branch. + range=3D"e3d0fcbf7e55e8cbe8d0a1c5a24d73f341d7243b..$local_sha" else # Update to existing branch, examine new commits range=3D"$remote_sha..$local_sha" fi =20 # Verify the signatures of all commits being pushed. - git verify-commit $(git rev-list $range) >/dev/null 2>&1 - - exit $? + ret=3D0 + for commit in $(git rev-list $range) + do + if ! git verify-commit $commit >/dev/null 2>&1 + then + printf "%s failed signature check\n" $commit + ret=3D1 + fi + done + exit $ret fi done =20 --=20 2.11.0
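
Review bot: In the new `for commit in $(git rev-list $range)` loop, a failing or empty `git rev-list` leaves the loop body unexecuted, so `ret` stays 0 and the hook exits 0 without having verified anything. Consider capturing the list first and aborting on error, for example `commits=$(git rev-list "$range") || exit 1`, and then iterating over `$commits`. The new-branch comment says the check *will* fail and that the hook must be temporarily disabled; it would help to state in that comment why it fails from e3d0fcbf7e55e8cbe8d0a1c5a24d73f341d7243b onward, since as written every new-branch push goes out with the check switched off. Smaller points: quote `"$commit"` in the `git verify-commit` and `printf` calls, and send the "failed signature check" line to stderr with `>&2`.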