bitmask wants only signed commits, hookscript

diff --git a/git/force-signed-commits-hook b/git/force-signed-commits-hook
new file mode 100644 (file)
index 0000000..f884399
--- /dev/null
+++ b/git/force-signed-commits-hook
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+commit_Oh="0000000000000000000000000000000000000000"
+
+export GNUPGHOME=/tmp/
+
+# don't look at old stuff
+
+oldstuff="--not --all"
+
+while read oldrev newrev refname; do
+  # echo "payload"
+  echo $refname $oldrev $newrev
+
+  # branch or tag get deleted
+  if [ "$newrev" = "$zero_commit" ]; then
+    continue
+  fi
+
+  # Check for new branch or tag
+  if [ "$oldrev" = "$zero_commit" ]; then
+    span=`git rev-list $newrev $excludeExisting`
+  else
+    span=`git rev-list $oldrev..$newrev $excludeExisting`
+  fi
+
+  for COMMIT in $span;
+  do
+    unsigned=$(git log --pretty="format:%G?" $COMMIT 2>&1)
+    case $unsigned in
+      [N])
+         echo Commit $COMMIT was NOT signed by an OpenPGP key. REFUSING
+         exit 1
+      *)
+         echo Commit $COMMIT was probably signed. Is it trusted?
+    esac
+  done
+done
+exit 0