3 # This hook script prevents the user from pushing to Savannah if any of the new
4 # commits' OpenPGP signatures cannot be verified.
6 # Called by "git push" after it has checked the remote status, but before
7 # anything has been pushed. If this script exits with a non-zero status nothing
10 # This hook is called with the following parameters:
12 # $1 -- Name of the remote to which the push is being done
13 # $2 -- URL to which the push is being done
15 # If pushing without using a named remote those arguments will be equal.
17 # Information about the commits which are being pushed is supplied as lines to
18 # the standard input in the form:
20 # <local ref> <local sha1> <remote ref> <remote sha1>
22 z40
=0000000000000000000000000000000000000000
24 # Only use the hook when pushing to Savannah.
34 while read local_ref local_sha remote_ref remote_sha
36 if [ "$local_sha" = $z40 ]
41 if [ "$remote_sha" = $z40 ]
43 # We are pushing a new branch. To prevent wasting too
44 # much time for this relatively rare case, we examine
45 # all commits since the first signed commit, rather than
46 # the full history. This check *will* fail, and the user
47 # will need to temporarily disable the hook to push the
49 range
="e3d0fcbf7e55e8cbe8d0a1c5a24d73f341d7243b..$local_sha"
51 # Update to existing branch, examine new commits
52 range
="$remote_sha..$local_sha"
55 # Verify the signatures of all commits being pushed.
57 for commit
in $
(git rev-list
$range)
59 if ! git verify-commit
$commit >/dev
/null
2>&1
61 printf "%s failed signature check\n" $commit
HCoop / jackhill / guix / guix.git / blob