diff options
author | Jonathan Brielmaier <jonathan.brielmaier@web.de> | 2024-01-17 23:55:17 +0100 |
---|---|---|
committer | Jonathan Brielmaier <jonathan.brielmaier@web.de> | 2024-03-03 22:03:21 +0100 |
commit | 843e2d7d8d790a02035e90f34928b5c8840c6b9e (patch) | |
tree | a21d7079710e914138193912a0fb2487e32e4aac | |
parent | 25bcda2b9107b948a1c858e41aba1b7f95b76228 (diff) |
Add git hook for checking commit signing.make-authenticate
This is analogue to what upstream Guix does in order to prevent invalid
signed commits being pushed.
* Makefile: New file.
* etc/git/pre-push: New file.
Co-authored-by: Wolf <wolf@wolfsden.cz>
-rw-r--r-- | Makefile | 14 | ||||
-rwxr-xr-x | etc/git/pre-push | 48 |
2 files changed, 62 insertions, 0 deletions
diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..e5f968b --- /dev/null +++ b/Makefile @@ -0,0 +1,14 @@ +# SPDX-License-Identifier: GPL-3.0-or-later +# Copyright © 2022 Giacomo Leidi <goodoldpaul@autistici.org> +# Copyright © 2024 Jonathan Brielmaier <jonathan.brielmaier@web.de> +# Copyright © 2024 Wolf <wolf@wolfsden.cz> + +# nonguix channel +channel_intro_commit = 897c1a470da759236cc11798f4e0a5f7d4d59fbc +channel_intro_signer = 2A39 3FFF 68F4 EF7A 3D29 12AF 6F51 20A0 22FB B2D5 + +authenticate: + echo "Authenticating Git checkout..." ; \ + guix git authenticate \ + --cache-key=channels/nonguix --stats \ + "$(channel_intro_commit)" "$(channel_intro_signer)" diff --git a/etc/git/pre-push b/etc/git/pre-push new file mode 100755 index 0000000..38a7240 --- /dev/null +++ b/etc/git/pre-push @@ -0,0 +1,48 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-3.0-or-later +# Copyright © 2024 Jonathan Brielmaier <jonathan.brielmaier@web.de> +# Copyright © 2024 Wolf <wolf@wolfsden.cz> + +# This hook script prevents the user from pushing to GitLab if any of the new +# commits' OpenPGP signatures cannot be verified, or if a commit is signed +# with an unauthorized key. + +# Called by "git push" after it has checked the remote status, but before +# anything has been pushed. If this script exits with a non-zero status nothing +# will be pushed. +# +# This hook is called with the following parameters: +# +# $1 -- Name of the remote to which the push is being done +# $2 -- URL to which the push is being done +# +# If pushing without using a named remote those arguments will be equal. +# +# Information about the commits which are being pushed is supplied as lines to +# the standard input in the form: +# +# <local ref> <local sha1> <remote ref> <remote sha1> + +# This is the "empty hash" used by Git when pushing a branch deletion. +z40=0000000000000000000000000000000000000000 + +while read local_ref local_hash remote_ref remote_hash +do + # When deleting a remote branch, no commits are pushed to the remote, and + # thus there are no signatures to be verified. + if [ "$local_hash" != $z40 ] + then + # Only use the hook when pushing to the nonguix project on GitLab. + case "$2" in + *gitlab.com[:/]nonguix/*) + exec make authenticate + exit 127 + ;; + *) + exit 0 + ;; + esac + fi +done + +exit 0 |