summary refs log tree commit diff
path: root/etc/git/pre-push
diff options
context:
space:
mode:
authorLeo Famulari <leo@famulari.name>2017-01-03 01:19:25 -0500
committerLeo Famulari <leo@famulari.name>2017-01-04 16:27:20 -0500
commit69355e1283d300a663fb639ec426f10f3feb404b (patch)
tree04586958f34dfc12beacc39ea6267e938d9f55c4 /etc/git/pre-push
parent5f0fabec54812e9ebd9a54b7c24b29899c765548 (diff)
downloadguix-69355e1283d300a663fb639ec426f10f3feb404b.tar.gz
doc: Add a Git hook that verifies signatures before pushing.
* HACKING (Commit Access): Describe the pre-push Git hook.
* etc/git/pre-push: New file.
Diffstat (limited to 'etc/git/pre-push')
-rwxr-xr-xetc/git/pre-push57
1 files changed, 57 insertions, 0 deletions
diff --git a/etc/git/pre-push b/etc/git/pre-push
new file mode 100755
index 0000000000..c894c5a9ec
--- /dev/null
+++ b/etc/git/pre-push
@@ -0,0 +1,57 @@
+#!/bin/sh
+
+# This hook script prevents the user from pushing to Savannah if any of the new
+# commits' OpenPGP signatures cannot be verified.
+
+# Called by "git push" after it has checked the remote status, but before
+# anything has been pushed.  If this script exits with a non-zero status nothing
+# will be pushed.
+#
+# This hook is called with the following parameters:
+#
+# $1 -- Name of the remote to which the push is being done
+# $2 -- URL to which the push is being done
+#
+# If pushing without using a named remote those arguments will be equal.
+#
+# Information about the commits which are being pushed is supplied as lines to
+# the standard input in the form:
+#
+#   <local ref> <local sha1> <remote ref> <remote sha1>
+
+z40=0000000000000000000000000000000000000000
+
+# Only use the hook when pushing to Savannah.
+case "$2" in
+*git.sv.gnu.org*)
+	break
+	;;
+*)
+	exit 0
+	;;
+esac
+
+while read local_ref local_sha remote_ref remote_sha
+do
+	if [ "$local_sha" = $z40 ]
+	then
+		# Handle delete
+		:
+	else
+		if [ "$remote_sha" = $z40 ]
+		then
+			# New branch, examine all commits
+			range="$local_sha"
+		else
+			# Update to existing branch, examine new commits
+			range="$remote_sha..$local_sha"
+		fi
+
+		# Verify the signatures of all commits being pushed.
+		git verify-commit $(git rev-list $range) >/dev/null 2>&1
+
+		exit $?
+	fi
+done
+
+exit 0