doc: Add a Git hook that verifies signatures before pushing.

* HACKING (Commit Access): Describe the pre-push Git hook.
* etc/git/pre-push: New file.
This commit is contained in:
Leo Famulari 2017-01-03 01:19:25 -05:00
parent 5f0fabec54
commit 69355e1283
No known key found for this signature in database
GPG Key ID: 2646FA30BACA7F08
2 changed files with 62 additions and 0 deletions

View File

@ -4,6 +4,7 @@
Copyright © 2012, 2013, 2014, 2016 Ludovic Courtès <ludo@gnu.org> Copyright © 2012, 2013, 2014, 2016 Ludovic Courtès <ludo@gnu.org>
Copyright © 2015 Mathieu Lirzin <mthl@openmailbox.org> Copyright © 2015 Mathieu Lirzin <mthl@openmailbox.org>
Copyright © 2017 Leo Famulari <leo@famulari.name>
Copying and distribution of this file, with or without modification, Copying and distribution of this file, with or without modification,
are permitted in any medium without royalty provided the copyright are permitted in any medium without royalty provided the copyright
@ -43,6 +44,10 @@ configure Git to automatically sign commits, run:
git config commit.gpgsign true git config commit.gpgsign true
git config user.signingkey CABBA6EA1DC0FF33 git config user.signingkey CABBA6EA1DC0FF33
You can prevent yourself from accidentally pushing unsigned commits to Savannah
by using the pre-push Git hook called 'pre-push'. It's located at
'etc/git/pre-push'.
For anything else, please post to guix-devel@gnu.org and leave time for a For anything else, please post to guix-devel@gnu.org and leave time for a
review, without committing anything. If you didnt receive any reply review, without committing anything. If you didnt receive any reply
after two weeks, and if youre confident, its OK to commit. after two weeks, and if youre confident, its OK to commit.

57
etc/git/pre-push Executable file
View File

@ -0,0 +1,57 @@
#!/bin/sh
# This hook script prevents the user from pushing to Savannah if any of the new
# commits' OpenPGP signatures cannot be verified.
# Called by "git push" after it has checked the remote status, but before
# anything has been pushed. If this script exits with a non-zero status nothing
# will be pushed.
#
# This hook is called with the following parameters:
#
# $1 -- Name of the remote to which the push is being done
# $2 -- URL to which the push is being done
#
# If pushing without using a named remote those arguments will be equal.
#
# Information about the commits which are being pushed is supplied as lines to
# the standard input in the form:
#
# <local ref> <local sha1> <remote ref> <remote sha1>
z40=0000000000000000000000000000000000000000
# Only use the hook when pushing to Savannah.
case "$2" in
*git.sv.gnu.org*)
break
;;
*)
exit 0
;;
esac
while read local_ref local_sha remote_ref remote_sha
do
if [ "$local_sha" = $z40 ]
then
# Handle delete
:
else
if [ "$remote_sha" = $z40 ]
then
# New branch, examine all commits
range="$local_sha"
else
# Update to existing branch, examine new commits
range="$remote_sha..$local_sha"
fi
# Verify the signatures of all commits being pushed.
git verify-commit $(git rev-list $range) >/dev/null 2>&1
exit $?
fi
done
exit 0