diff options
author | Leo Famulari <leo@famulari.name> | 2017-01-03 01:19:25 -0500 |
---|---|---|
committer | Leo Famulari <leo@famulari.name> | 2017-01-04 16:27:20 -0500 |
commit | 69355e1283d300a663fb639ec426f10f3feb404b (patch) | |
tree | 04586958f34dfc12beacc39ea6267e938d9f55c4 /etc/git | |
parent | 5f0fabec54812e9ebd9a54b7c24b29899c765548 (diff) | |
download | guix-69355e1283d300a663fb639ec426f10f3feb404b.tar.gz |
doc: Add a Git hook that verifies signatures before pushing.
* HACKING (Commit Access): Describe the pre-push Git hook. * etc/git/pre-push: New file.
Diffstat (limited to 'etc/git')
-rwxr-xr-x | etc/git/pre-push | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/etc/git/pre-push b/etc/git/pre-push new file mode 100755 index 0000000000..c894c5a9ec --- /dev/null +++ b/etc/git/pre-push @@ -0,0 +1,57 @@ +#!/bin/sh + +# This hook script prevents the user from pushing to Savannah if any of the new +# commits' OpenPGP signatures cannot be verified. + +# Called by "git push" after it has checked the remote status, but before +# anything has been pushed. If this script exits with a non-zero status nothing +# will be pushed. +# +# This hook is called with the following parameters: +# +# $1 -- Name of the remote to which the push is being done +# $2 -- URL to which the push is being done +# +# If pushing without using a named remote those arguments will be equal. +# +# Information about the commits which are being pushed is supplied as lines to +# the standard input in the form: +# +# <local ref> <local sha1> <remote ref> <remote sha1> + +z40=0000000000000000000000000000000000000000 + +# Only use the hook when pushing to Savannah. +case "$2" in +*git.sv.gnu.org*) + break + ;; +*) + exit 0 + ;; +esac + +while read local_ref local_sha remote_ref remote_sha +do + if [ "$local_sha" = $z40 ] + then + # Handle delete + : + else + if [ "$remote_sha" = $z40 ] + then + # New branch, examine all commits + range="$local_sha" + else + # Update to existing branch, examine new commits + range="$remote_sha..$local_sha" + fi + + # Verify the signatures of all commits being pushed. + git verify-commit $(git rev-list $range) >/dev/null 2>&1 + + exit $? + fi +done + +exit 0 |