--- /dev/null
+#!/usr/bin/env bash
+
+commit_Oh="0000000000000000000000000000000000000000"
+
+export GNUPGHOME=/tmp/
+
+# don't look at old stuff
+
+oldstuff="--not --all"
+
+while read oldrev newrev refname; do
+ # echo "payload"
+ echo $refname $oldrev $newrev
+
+ # branch or tag get deleted
+ if [ "$newrev" = "$zero_commit" ]; then
+ continue
+ fi
+
+ # Check for new branch or tag
+ if [ "$oldrev" = "$zero_commit" ]; then
+ span=`git rev-list $newrev $excludeExisting`
+ else
+ span=`git rev-list $oldrev..$newrev $excludeExisting`
+ fi
+
+ for COMMIT in $span;
+ do
+ unsigned=$(git log --pretty="format:%G?" $COMMIT 2>&1)
+ case $unsigned in
+ [N])
+ echo Commit $COMMIT was NOT signed by an OpenPGP key. REFUSING
+ exit 1
+ *)
+ echo Commit $COMMIT was probably signed. Is it trusted?
+ esac
+ done
+done
+exit 0
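Review bot: The signature gate fails open: the `case` on `%G?` refuses only `N`, so bad (`B`), expired (`X`/`Y`), revoked (`R`), unverifiable (`E`) and unknown-validity (`U`) results all land in the `*)` arm and are accepted, and because `git log` is called without `-1` the output for any commit with ancestors is multi-line and never equals `N` at all. The comparisons read `$zero_commit` and the rev-list calls read `$excludeExisting`, but the variables actually assigned are `commit_Oh` and `oldstuff`, so ref deletion is never detected, and a new branch or tag becomes a `0000…0000..$newrev` range that git should reject, which leaves `span` empty and the push unchecked. The `[N])` arm also has no `;;` terminator, which bash reports as a syntax error when it parses the loop. `export GNUPGHOME=/tmp/` puts the keyring and trust database in a world-writable directory, so any local account can influence which keys verify; it should point at a directory owned by the hook user with mode 0700. The sketch below allowlists `G`, fails closed when git itself errors, and leaves the GNUPGHOME path to the deployment.

```shell
zero_commit="0000000000000000000000000000000000000000"
exclude_existing="--not --all"

while read -r oldrev newrev refname; do
  # … unchanged: log the ref update, skip deleted refs …
  if [ "$oldrev" = "$zero_commit" ]; then
    span=$(git rev-list "$newrev" $exclude_existing) || exit 1
  else
    span=$(git rev-list "$oldrev..$newrev" $exclude_existing) || exit 1
  fi

  for COMMIT in $span; do
    # -1 limits the output to this commit's own status letter
    status=$(git log -1 --pretty='format:%G?' "$COMMIT") || exit 1
    case "$status" in
      G)
        ;;
      *)
        echo "Commit $COMMIT has signature status '$status', expected G. REFUSING" >&2
        exit 1
        ;;
    esac
  done
done
```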