On Thu, Dec 29, 2016 at 07:08:18AM +0100, John Darrington wrote: > How did these commits get into the repository? Our repository is > configured to reject unsigned commits. Can it be that it doesn't > actually check that the signature matches? !!!
Here's a pre-push Git hook that should prevent unsigned commits from being pushed to any remote. I'd like to improve it to be applied selectively per-remote.
#!/gnu/store/b1yqjimbdh5bf9jnizd4h7yf110744j2-bash-4.3.42/bin/sh
# A hook script that prevents the user from pushing unsigned commits.
# Called by "git push" after it has checked the remote status, but before
# anything has been pushed. If this script exits with a non-zero status nothing
# will be pushed.
#
# This hook is called with the following parameters:
#
# $1 -- Name of the remote to which the push is being done
# $2 -- URL to which the push is being done
#
# If pushing without using a named remote those arguments will be equal.
#
# Information about the commits which are being pushed is supplied as lines to
# the standard input in the form:
#
# <local ref> <local sha1> <remote ref> <remote sha1>
z40=0000000000000000000000000000000000000000
while read local_ref local_sha remote_ref remote_sha
do
if [ "$local_sha" = $z40 ]
then
# Handle delete
:
else
if [ "$remote_sha" = $z40 ]
then
# New branch, examine all commits
range="$local_sha"
else
# Update to existing branch, examine new commits
range="$remote_sha..$local_sha"
fi
# Check if push candidate commits are PGP signed.
git verify-commit $(git rev-list $range) >/dev/null 2>&1
exit $?
fi
done
exit 0
signature.asc
Description: PGP signature
