mirror of
https://gitlab.com/nonguix/nonguix.git
synced 2024-11-30 04:04:11 +01:00
Add git hook for checking commit signing.
This is analogue to what upstream Guix does in order to prevent invalid signed commits being pushed. * Makefile: New file. * etc/git/pre-push: New file. Co-authored-by: Wolf <wolf@wolfsden.cz>
This commit is contained in:
Jonathan Brielmaier
parent
25bcda2b91
commit
843e2d7d8d
2 changed files with 62 additions and 0 deletions
14
Makefile
Normal file
14
Makefile
Normal file
|
|
@ -0,0 +1,14 @@
|
||||||
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
||||||
|
# Copyright © 2022 Giacomo Leidi <goodoldpaul@autistici.org>
|
||||||
|
# Copyright © 2024 Jonathan Brielmaier <jonathan.brielmaier@web.de>
|
||||||
|
# Copyright © 2024 Wolf <wolf@wolfsden.cz>
|
||||||
|
|
||||||
|
# nonguix channel
|
||||||
|
channel_intro_commit = 897c1a470da759236cc11798f4e0a5f7d4d59fbc
|
||||||
|
channel_intro_signer = 2A39 3FFF 68F4 EF7A 3D29 12AF 6F51 20A0 22FB B2D5
|
||||||
|
|
||||||
|
authenticate:
|
||||||
|
echo "Authenticating Git checkout..." ; \
|
||||||
|
guix git authenticate \
|
||||||
|
--cache-key=channels/nonguix --stats \
|
||||||
|
"$(channel_intro_commit)" "$(channel_intro_signer)"
|
||||||
48
etc/git/pre-push
Executable file
48
etc/git/pre-push
Executable file
|
|
@ -0,0 +1,48 @@
|
||||||
|
#!/bin/sh
|
||||||
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
||||||
|
# Copyright © 2024 Jonathan Brielmaier <jonathan.brielmaier@web.de>
|
||||||
|
# Copyright © 2024 Wolf <wolf@wolfsden.cz>
|
||||||
|
|
||||||
|
# This hook script prevents the user from pushing to GitLab if any of the new
|
||||||
|
# commits' OpenPGP signatures cannot be verified, or if a commit is signed
|
||||||
|
# with an unauthorized key.
|
||||||
|
|
||||||
|
# Called by "git push" after it has checked the remote status, but before
|
||||||
|
# anything has been pushed. If this script exits with a non-zero status nothing
|
||||||
|
# will be pushed.
|
||||||
|
#
|
||||||
|
# This hook is called with the following parameters:
|
||||||
|
#
|
||||||
|
# $1 -- Name of the remote to which the push is being done
|
||||||
|
# $2 -- URL to which the push is being done
|
||||||
|
#
|
||||||
|
# If pushing without using a named remote those arguments will be equal.
|
||||||
|
#
|
||||||
|
# Information about the commits which are being pushed is supplied as lines to
|
||||||
|
# the standard input in the form:
|
||||||
|
#
|
||||||
|
# <local ref> <local sha1> <remote ref> <remote sha1>
|
||||||
|
|
||||||
|
# This is the "empty hash" used by Git when pushing a branch deletion.
|
||||||
|
z40=0000000000000000000000000000000000000000
|
||||||
|
|
||||||
|
while read local_ref local_hash remote_ref remote_hash
|
||||||
|
do
|
||||||
|
# When deleting a remote branch, no commits are pushed to the remote, and
|
||||||
|
# thus there are no signatures to be verified.
|
||||||
|
if [ "$local_hash" != $z40 ]
|
||||||
|
then
|
||||||
|
# Only use the hook when pushing to the nonguix project on GitLab.
|
||||||
|
case "$2" in
|
||||||
|
*gitlab.com[:/]nonguix/*)
|
||||||
|
exec make authenticate
|
||||||
|
exit 127
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
exit 0
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
exit 0
|
||||||
Loading…
Reference in a new issue