6 files changed +114 -0
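--- a/contrib/verify-commits/gpg.sh
+++ b/contrib/verify-commits/gpg.sh
@@ -0,0 +1,33 @@
+#! /bin/bash
+INPUT=$( < /dev/stdin)
+VALID=false
+REVSIG=false
+IFS=$' \n '
+for LINE in $( echo " $INPUT " | gpg --trust-model always " $@ " 2> /dev/null) ; do
+case " $LINE " in
+" [GNUPG:] VALIDSIG " * )
+while read KEY; do
+case " $LINE " in " [GNUPG:] VALIDSIG $KEY " * ) VALID=true;; esac
+done < ./contrib/verify-commits/trusted-keys
+;;
+" [GNUPG:] REVKEYSIG " * )
+[ " $BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG " != 1 ] && exit 1
+while read KEY; do
+case " $LINE " in " [GNUPG:] REVKEYSIG ${KEY: 24: 40} " * )
+REVSIG=true
+GOODREVSIG=" [GNUPG:] GOODSIG ${KEY: 24: 40} "
+;;
+esac
+done < ./contrib/verify-commits/trusted-keys
+;;
+esac
+done
+if ! $VALID ; then
+exit 1
+fi
+if $VALID && $REVSIG ; then
+echo " $INPUT " | gpg --trust-model always " $@ " | grep " \[GNUPG:\] \(NEWSIG\|SIG_ID\|VALIDSIG\)" 2> /dev/null
+echo " $GOODREVSIG "
+else
+echo " $INPUT " | gpg --trust-model always " $@ " 2> /dev/null
+fi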
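Review bot: A blank line in `trusted-keys` makes the VALIDSIG loop accept any signer, because `read KEY` then yields an empty `KEY` and the pattern `"[GNUPG:] VALIDSIG $KEY"*` reduces to a prefix match on every VALIDSIG line. Skip empty entries before the inner `case`, e.g. `[ -n "$KEY" ] || continue`, and read with `read -r KEY`; the REVKEYSIG loop needs the same guard, since `${KEY:24:40}` of a short line is also empty. The key file is opened relative to the current directory while verify-commits.sh resolves its files through `${DIR}`, so when the wrapper runs outside the repository root the redirect fails and every commit is rejected; deriving the path from the script location would make the two scripts consistent.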
1+ #! /bin/bash
2+ if ! [[ " $2 " =~ ^(git@)? (www.)? github.com(:| /)petertodd/python-bitcoinlib(.git)? $ ]]; then
3+ exit 0
4+ fi
5+
6+ while read LINE; do
7+ set -- A $LINE
8+ if [ " $4 " != " refs/heads/master" ]; then
9+ continue
10+ fi
11+ if ! ./contrib/verify-commits/verify-commits.sh $3 > /dev/null 2>&1 ; then
12+ echo " ERROR: A commit is not signed, can't push"
13+ ./contrib/verify-commits/verify-commits.sh
14+ exit 1
15+ fi
16+ done < /dev/stdin
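Review bot: The remote-URL test at the top fails open: the pattern is anchored at `^` and allows only an optional `git@` and `www.` in front of `github.com`, so a remote configured as `https://github.com/petertodd/python-bitcoinlib` appears not to match and the hook exits 0 without verifying anything. Allow the scheme and escape the dots, e.g. `^(https://|ssh://)?(git@)?(www\.)?github\.com(:|/)petertodd/python-bitcoinlib(\.git)?$`. On failure the hook re-runs `verify-commits.sh` with no argument, so the diagnostic describes HEAD rather than the commit being pushed; pass `"$3"` there as well, and quote it in the first call.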
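--- a/contrib/verify-commits/trusted-git-root
+++ b/contrib/verify-commits/trusted-git-root
@@ -0,0 +1 @@
+22cc8167a98ea026b6a4fe16aa2adc2de17aa97f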
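--- a/contrib/verify-commits/trusted-keys
+++ b/contrib/verify-commits/trusted-keys
@@ -0,0 +1,3 @@
+15CC9446387233AF0104F6132481403DA5F091FB
+C5DDF20211D8F6E5F6E010F8C085F21CE7F4B9DC
+14FCC76E05E775AAE61ABEFF9EC4568398C13B16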
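--- a/contrib/verify-commits/verify-commits.sh
+++ b/contrib/verify-commits/verify-commits.sh
@@ -0,0 +1,61 @@
+#! /bin/bash
+
+REALPATH=$( realpath " $0 " )
+DIR=$( dirname " $REALPATH " )
+
+VERIFIED_ROOT=$( cat " ${DIR} /trusted-git-root" )
+
+IS_REVSIG_ALLOWED () {
+while read LINE; do
+[ " $LINE " = " $1 " ] && return 0
+done < " ${DIR} /allow-revsig-commits"
+return 1
+}
+
+HAVE_FAILED=false
+IS_SIGNED () {
+if [ $1 = $VERIFIED_ROOT ]; then
+return 0;
+fi
+if IS_REVSIG_ALLOWED " $1 " ; then
+export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=1
+else
+export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=0
+fi
+if ! git -c " gpg.program=${DIR} /gpg.sh" verify-commit $1 > /dev/null 2>&1 ; then
+return 1;
+fi
+local PARENTS=$( git show -s --format=format:%P $1 )
+for PARENT in $PARENTS ; do
+if IS_SIGNED $PARENT > /dev/null; then
+return 0;
+fi
+done
+if ! " $HAVE_FAILED " ; then
+echo " No parent of $1 was signed with a trusted key!" > /dev/stderr
+echo " Parents are:" > /dev/stderr
+for PARENT in $PARENTS ; do
+git show -s $PARENT > /dev/stderr
+done
+HAVE_FAILED=true
+fi
+return 1;
+}
+
+if [ x" $1 " = " x" ]; then
+TEST_COMMIT=" HEAD"
+else
+TEST_COMMIT=" $1 "
+fi
+
+IS_SIGNED " $TEST_COMMIT "
+RES=$?
+if [ " $RES " = 1 ]; then
+if ! " $HAVE_FAILED " ; then
+echo " $TEST_COMMIT was not signed with a trusted key!"
+fi
+else
+echo " There is a valid path from $TEST_COMMIT to $VERIFIED_ROOT where all commits are signed!"
+fi
+
+exit $RES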
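Review bot: `VERIFIED_ROOT` is the trust anchor for the whole walk, but it is never checked after being read, and the comparison `[ $1 = $VERIFIED_ROOT ]` in `IS_SIGNED` is unquoted. If `trusted-git-root` is missing or empty, that test likely becomes a `[` usage error on every commit and the script fails only after walking to the start of history; fail early with `[ -n "$VERIFIED_ROOT" ] || exit 1` and write the test as `[ "$1" = "$VERIFIED_ROOT" ]`. The commit id is also passed unquoted to `git ... verify-commit $1` and `git show -s --format=format:%P $1`; quoting it keeps a caller-supplied argument a single word. A short header comment stating that a merge is accepted as soon as any one parent has a signed path to the root would document the policy the parent loop implements.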