Add git hook for checking commit signing.make-authenticate

This is analogue to what upstream Guix does in order to prevent invalid
signed commits being pushed.

* Makefile: New file.
* etc/git/pre-push: New file.

Co-authored-by: Wolf <wolf@wolfsden.cz>

2 files changed, 62 insertions, 0 deletions

diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..e5f968b
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,14 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+# Copyright © 2022 Giacomo Leidi <goodoldpaul@autistici.org>
+# Copyright © 2024 Jonathan Brielmaier <jonathan.brielmaier@web.de>
+# Copyright © 2024 Wolf <wolf@wolfsden.cz>
+
+# nonguix channel
+channel_intro_commit = 897c1a470da759236cc11798f4e0a5f7d4d59fbc
+channel_intro_signer = 2A39 3FFF 68F4 EF7A 3D29  12AF 6F51 20A0 22FB B2D5
+
+authenticate:
+	echo "Authenticating Git checkout..." ;	\
+	guix git authenticate					\
+	    --cache-key=channels/nonguix --stats			\
+	    "$(channel_intro_commit)" "$(channel_intro_signer)"
diff --git a/etc/git/pre-push b/etc/git/pre-push
new file mode 100755
index 0000000..38a7240
--- /dev/null
+++ b/etc/git/pre-push
@@ -0,0 +1,48 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-3.0-or-later
+# Copyright © 2024 Jonathan Brielmaier <jonathan.brielmaier@web.de>
+# Copyright © 2024 Wolf <wolf@wolfsden.cz>
+
+# This hook script prevents the user from pushing to GitLab if any of the new
+# commits' OpenPGP signatures cannot be verified, or if a commit is signed
+# with an unauthorized key.
+
+# Called by "git push" after it has checked the remote status, but before
+# anything has been pushed.  If this script exits with a non-zero status nothing
+# will be pushed.
+#
+# This hook is called with the following parameters:
+#
+# $1 -- Name of the remote to which the push is being done
+# $2 -- URL to which the push is being done
+#
+# If pushing without using a named remote those arguments will be equal.
+#
+# Information about the commits which are being pushed is supplied as lines to
+# the standard input in the form:
+#
+#   <local ref> <local sha1> <remote ref> <remote sha1>
+
+# This is the "empty hash" used by Git when pushing a branch deletion.
+z40=0000000000000000000000000000000000000000
+
+while read local_ref local_hash remote_ref remote_hash
+do
+  # When deleting a remote branch, no commits are pushed to the remote, and
+  # thus there are no signatures to be verified.
+  if [ "$local_hash" != $z40 ]
+  then
+    # Only use the hook when pushing to the nonguix project on GitLab.
+    case "$2" in
+      *gitlab.com[:/]nonguix/*)
+        exec make authenticate
+        exit 127
+        ;;
+      *)
+        exit 0
+        ;;
+    esac
+  fi
+done
+
+exit 0