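#!/bin/sh

# This hook script prevents the user from pushing to Savannah if any of the new
# commits' OpenPGP signatures cannot be verified.
#
# As a client-side pre-push hook it only guards pushes made from a clone in
# which it is installed; it is not a server-side policy.

# Called by "git push" after it has checked the remote status, but before
# anything has been pushed. If this script exits with a non-zero status nothing
# will be pushed.
#
# This hook is called with the following parameters:
#
# $1 -- Name of the remote to which the push is being done
# $2 -- URL to which the push is being done
#
# If pushing without using a named remote those arguments will be equal.
#
# Information about the commits which are being pushed is supplied as lines to
# the standard input in the form:
#
# <local ref> <local sha1> <remote ref> <remote sha1>
#
# Note that "git verify-commit" only checks that a commit's signature
# validates against a key present in the local keyring; whether that key is
# trusted is governed by the gpg.minTrustLevel git config setting, not by
# this hook.

z40=0000000000000000000000000000000000000000

# Only use the hook when pushing to Savannah.
# (A bare ";;" is used here; the original "break" is not meaningful outside a
# loop and some shells complain about it.)
case "$2" in
    *git.sv.gnu.org*)
        ;;
    *)
        exit 0
        ;;
esac

# Overall result: 0 only if every pushed commit on every ref verified.
# It is accumulated across all refs and returned once at the end, so that a
# push updating several refs has all of them checked rather than only the
# first one read from stdin.
ret=0

while read -r local_ref local_sha remote_ref remote_sha
do
    if [ "$local_sha" = "$z40" ]
    then
        # Handle delete: nothing new is being pushed for this ref.
        continue
    fi

    if [ "$remote_sha" = "$z40" ]
    then
        # We are pushing a new branch. To prevent wasting too
        # much time for this relatively rare case, we examine
        # all commits since the first signed commit, rather than
        # the full history. This check *will* fail, and the user
        # will need to temporarily disable the hook to push the
        # new branch.
        range="e3d0fcbf7e55e8cbe8d0a1c5a24d73f341d7243b..$local_sha"
    else
        # Update to existing branch, examine new commits
        range="$remote_sha..$local_sha"
    fi

    # Enumerate the commits being pushed. If rev-list itself fails (for
    # example because the remote tip is not present locally) the push is
    # refused: an empty list from a failed command must not be mistaken for
    # "nothing to verify".
    if ! commits=$(git rev-list "$range")
    then
        printf "%s: unable to list commits in range %s\n" "$local_ref" "$range"
        ret=1
        continue
    fi

    # Verify the signatures of all commits being pushed.
    for commit in $commits
    do
        if ! git verify-commit "$commit" >/dev/null 2>&1
        then
            printf "%s failed signature check\n" "$commit"
            ret=1
        fi
    done
done

exit $ret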