author | Konstantin Ryabitsev <konstantin@linuxfoundation.org> | 2019-01-16 12:57:11 -0500 |
---|---|---|
committer | Konstantin Ryabitsev <konstantin@linuxfoundation.org> | 2019-01-16 12:57:11 -0500 |
commit | 847a6e2c510f37ec4ed80e5d5ea6a1508bb3b750 (patch) | |
tree | 8bdfca931a12b3e765d257fce188d8f3804da47c | |
parent | 292d2312480960ae593af45bb1f2d7a27d82a9e5 (diff) | |
download | korg-helpers-847a6e2c510f37ec4ed80e5d5ea6a1508bb3b750.tar.gz |
Handle pre-push hook behaviour more properly
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
-rwxr-xr-x | git-verify-to-tip | 96 |
1 files changed, 68 insertions, 28 deletions
diff --git a/git-verify-to-tip b/git-verify-to-tip index 79778ab..17fcebd 100755 --- a/git-verify-to-tip +++ b/git-verify-to-tip @@ -5,6 +5,8 @@ # Verify PGP signatures on all (merge) commits from the last signed tag # or another arbitrary object in the repository history. # +# This script can be installed as hooks/pre-push. +# # Configurable parameters # ----------------------- # We always ensure the signing key is both GOOD and VALID, which means @@ -17,30 +19,32 @@ # ONLYKEYS="ABAF11C65A2970B130ABE3C479BE3E4300411886|647F28654894E3BD457199BE38DBBDC86092693E" ONLYKEYS= # -# When set to "" we start from the latest annotated tag we find. -# You can also list an arbitrary commit object here. -STARTFROM= -# # By default, we check signatures on every commit, but if you set this to # --merges, we will only check signatures on merges. You can also add any # other flags accepted by git-rev-list. REVFLAGS= # +# When set to "" we start from the latest annotated tag we find. +# You can also list an arbitrary commit object here. +# When running as hooks/pre-push, we ignore this entirely and use the +# information provided by git. +STARTFROM= +# # We can also get these parameters from the git config. E.g.: # [verify-to-tip] # onlykeys = ABAF11C65A2970B130ABE3C479BE3E4300411886|647F28654894E3BD457199BE38DBBDC86092693E -# startfrom = abcdef123456 # revflags = --merges +# startfrom = abcdef123456 # if [[ -z ${ONLYKEYS} ]]; then ONLYKEYS=$(git config --get verify-to-tip.onlykeys) fi -if [[ -z ${STARTFROM} ]]; then - STARTFROM=$(git config --get verify-to-tip.startfrom) -fi if [[ -z ${REVFLAGS} ]]; then REVFLAGS=$(git config --get verify-to-tip.revflags) fi +if [[ -z ${STARTFROM} ]]; then + STARTFROM=$(git config --get verify-to-tip.startfrom) +fi # End configuration 
@@ -60,31 +64,67 @@ function _verify_raw { return 1 } -if [[ -z ${STARTFROM} ]]; then - # verify the last annotated tag - STARTFROM=$(git describe --abbrev=0) - echo "Verifying tag ${STARTFROM}" - RAWOUT=$(git verify-tag --raw ${STARTFROM} 2>&1) -else - # verify the arbitrary commit provided - echo "Verifying commit ${STARTFROM}" - RAWOUT=$(git verify-commit --raw ${STARTFROM} 2>&1) -fi +function _verify_rev_range { + REVRANGE=${1} + REVFLAGS=${2} + for REV in $(git rev-list ${REVRANGE} ${REVFLAGS}); do + echo "Verifying $REV" + RAWOUT=$(git verify-commit --raw ${REV} 2>&1) + if ! _verify_raw "${RAWOUT}"; then + echo "CRITICAL: Object ${REV} did NOT verify." + return 1 + fi + done + return 0 +} -if ! _verify_raw "${RAWOUT}"; then - echo "CRITICAL: Starting object did NOT verify." - exit 1 -fi +# Are we running from hooks/pre-push? $1 and $2 should be set, then. +if [[ -z "${1}${2}" ]]; then + # Not running as a pre-push hook. + if [[ -z ${STARTFROM} ]]; then + # verify the last annotated tag + STARTFROM=$(git describe --abbrev=0) + echo "Verifying tag ${STARTFROM}" + RAWOUT=$(git verify-tag --raw ${STARTFROM} 2>&1) + else + # verify the arbitrary commit provided + echo "Verifying commit ${STARTFROM}" + RAWOUT=$(git verify-commit --raw ${STARTFROM} 2>&1) + fi -# Grab revisions from the starting object -for REV in $(git rev-list ${STARTFROM}..HEAD ${REVFLAGS}); do - echo "Verifying $REV" - RAWOUT=$(git verify-commit --raw ${REV} 2>&1) if ! _verify_raw "${RAWOUT}"; then - echo "CRITICAL: Object ${REV} did NOT verify." + echo "CRITICAL: Starting object did NOT verify." + exit 1 + fi + REVRANGE="${STARTFROM}..HEAD" + if ! 
_verify_rev_range "${REVRANGE}" "${REVFLAGS}"; then exit 1 fi -done +else + # We are in a pre-push hook + Z40="0000000000000000000000000000000000000000" + + while read LOCAL_REF LOCAL_SHA REMOTE_REF REMOTE_SHA; do + if [[ ${LOCAL_SHA} == ${Z40} ]]; then + # Ignore delete + continue + fi + if [[ ${REMOTE_SHA} == ${Z40} ]]; then + # New branch, examine all commits + REVRANGE=${LOCAL_SHA} + else + # Update to existing branch, examine new commits + REVRANGE="${REMOTE_SHA}..${LOCAL_SHA}" + fi + + if ! _verify_rev_range "${REVRANGE}" "${REVFLAGS}"; then + exit 1 + fi + + done +fi + +# Grab revisions from the starting object echo "Verified successfully." exit 0 |
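Review bot: `_verify_rev_range` fails open when `git rev-list` itself fails: in `for REV in $(git rev-list ${REVRANGE} ${REVFLAGS}); do` a failed rev-list just yields an empty word list, the loop body never runs, the function returns 0 and the script goes on to print "Verified successfully." with nothing checked. That case is reachable from the new pre-push branch, because REMOTE_SHA is whatever the remote currently has and need not be in the local object store (stale tracking ref), which makes `${REMOTE_SHA}..${LOCAL_SHA}` a bad revision; a mistyped STARTFROM in the non-hook branch hits the same path. Capture the list first and treat a rev-list failure as a verification failure: `REVS=$(git rev-list ${REVRANGE} ${REVFLAGS}) || return 1` followed by `for REV in ${REVS}; do`. As a point of style, `REVRANGE=${1}` and `REVFLAGS=${2}` inside the function overwrite the script-level variables of the same name; declaring them `local` keeps the helper from leaking state into the caller. Separately, the moved comment `# Grab revisions from the starting object` now sits above `echo "Verified successfully."` and no longer describes anything — drop it or move it above `REVRANGE="${STARTFROM}..HEAD"`.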