On Thu, Dec 29, 2016 at 04:04:49AM +0100, Tobias Geerinckx-Rice wrote:
> Signing seems to fail both seldom and pseudo-randomly. Oh, and
> silently[1]. My favourite kind of bug.
>
> I'm guessing this is what happens:
>
> $
> $ git commit, am or cherry-pick && git log --show-signatures
> ...everything looks good and signed! Let's push!
> $ git fetch --all && git rebase upstream/master
> ...now signing some non-HEAD commit silently fails...
> $ git push upstream
> ...badness.
>
> Good night,
>
> T G-R
>
> [1]: until you check the log, of course.
>
> PS:
> nckx@ubuntu~$ $ /usr/bin/gpg2 --version
> gpg (GnuPG) 2.1.15
> libgcrypt 1.7.2-beta
> but I doubt that matters much now. I don't use Guix's gpg [yet].
It would be nice to figure out why it fails. It seems specific to your setup somehow (since there are no other broken signatures in the log), but I have no idea where to start. Perhaps with the beta version of libgcrypt. Especially since it seems specific to your setup, can you evaluate the pre-push hook that's attached, and start using the hook if you're satisfied that it's correct?
#!/bin/sh
# A hook script that prevents the user from pushing unsigned commits.
# Called by "git push" after it has checked the remote status, but before
# anything has been pushed.  If this script exits with a non-zero status nothing
# will be pushed.
#
# This hook is called with the following parameters:
#
# $1 -- Name of the remote to which the push is being done
# $2 -- URL to which the push is being done
#
# If pushing without using a named remote those arguments will be equal.
#
# Information about the commits which are being pushed is supplied as lines to
# the standard input in the form:
#
#   <local ref> <local sha1> <remote ref> <remote sha1>

z40=0000000000000000000000000000000000000000

# Only use the hook when pushing to Savannah.  ("break" is only meaningful
# inside a loop, so the matching branch simply falls through.)
case "$2" in
    *git.sv.gnu.org*) ;;
    *) exit 0 ;;
esac

status=0
while read local_ref local_sha remote_ref remote_sha
do
    if [ "$local_sha" = "$z40" ]
    then
        # Handle delete: nothing to verify.
        :
    else
        if [ "$remote_sha" = "$z40" ]
        then
            # New branch, examine all commits
            range="$local_sha"
        else
            # Update to existing branch, examine new commits
            range="$remote_sha..$local_sha"
        fi

        # Check that every push candidate commit is PGP signed.  Every ref being
        # pushed is examined (an "exit" here would stop after the first one), and
        # a single unsigned or badly signed commit makes the whole push fail.
        for commit in $(git rev-list "$range")
        do
            if ! git verify-commit "$commit" >/dev/null 2>&1
            then
                echo "pre-push: commit $commit is not validly signed" >&2
                status=1
            fi
        done
    fi
done

exit $status
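As an added example (not part of the thread, and not Guix's or the hook's own code), a local check for the situation Tobias describes: after a rebase, list the commits in the range about to be pushed whose signature status is not good, using git's %G? placeholder. The default range upstream/master..HEAD and the sample log lines are assumptions.

```shell
#!/bin/sh
# Added example: spot commits left unsigned (or unverifiable) before pushing.
# %G? is git's signature status placeholder: G good, U good but untrusted key,
# B bad, E cannot be checked (e.g. missing key), N no signature, X/Y expired,
# R revoked.

# Pure filter: reads "<sha> <status> <subject>" lines on stdin and prints the
# ones whose status is not acceptable.  Accepting U as well as G is a local
# choice; the pre-push hook in the thread only requires a valid signature.
report_unsigned() {
    while read -r sha status subject
    do
        case "$status" in
            G|U) ;;
            N) printf '%s NOT SIGNED      %s\n' "$sha" "$subject" ;;
            B) printf '%s BAD SIGNATURE   %s\n' "$sha" "$subject" ;;
            *) printf '%s UNVERIFIABLE(%s) %s\n' "$sha" "$status" "$subject" ;;
        esac
    done
}

# For a real repository: run the same filter over the commits that
# "git push" would send (default range is an assumption).
check_range() {
    range=${1:-upstream/master..HEAD}
    git log --format='%H %G? %s' "$range" | report_unsigned
}

# Constructed sample standing in for "git log --format='%H %G? %s'" output
# after a rebase silently dropped one signature and one key is unavailable.
sample='aaaa1111 G gnu: foo: Update to 1.2.
bbbb2222 N gnu: bar: Fix build.
cccc3333 E gnu: baz: Add package.'

# Number of problem commits in the constructed sample (2).
count_unsigned() {
    printf '%s\n' "$sample" | report_unsigned | wc -l | tr -d ' '
}

printf '%s\n' "$sample" | report_unsigned
```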