-rw-r--r--git/force-signed-commits-hook39
1 files changed, 39 insertions, 0 deletions
diff --git a/git/force-signed-commits-hook b/git/force-signed-commits-hook
new file mode 100644
index 0000000..f884399
--- /dev/null
+++ b/git/force-signed-commits-hook
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+commit_Oh="0000000000000000000000000000000000000000"
+
+export GNUPGHOME=/tmp/
+
+# don't look at old stuff
+
+oldstuff="--not --all"
+
+while read oldrev newrev refname; do
+ # echo "payload"
+ echo $refname $oldrev $newrev
+
+ # branch or tag get deleted
+ if [ "$newrev" = "$zero_commit" ]; then
+ continue
+ fi
+
+ # Check for new branch or tag
+ if [ "$oldrev" = "$zero_commit" ]; then
+ span=`git rev-list $newrev $excludeExisting`
+ else
+ span=`git rev-list $oldrev..$newrev $excludeExisting`
+ fi
+
+ for COMMIT in $span;
+ do
+ unsigned=$(git log --pretty="format:%G?" $COMMIT 2>&1)
+ case $unsigned in
+ [N])
+ echo Commit $COMMIT was NOT signed by an OpenPGP key. REFUSING
+ exit 1
+ *)
+ echo Commit $COMMIT was probably signed. Is it trusted?
+ esac
+ done
+done
+exit 0
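Review bot: The hook does not enforce signatures as written, because the variables it tests are never set: `commit_Oh` and `oldstuff` are assigned, but the loop reads `$zero_commit` and `$excludeExisting`, so both zero-commit comparisons are against an empty string and the `--not --all` exclusion is never applied. `git log --pretty="format:%G?" $COMMIT` has no `-1`, so it prints one status per ancestor and that multi-line value never matches `[N]`; the case also refuses only `N`, so a bad (`B`) or uncheckable (`E`) signature falls through to the accepting arm. The `[N])` arm has no `;;` before `*)`, which bash should reject as a syntax error, so as posted the hook probably fails every push rather than filtering them. `export GNUPGHOME=/tmp/` points gpg at a world-writable directory where any local account can place a keyring or configuration; it should be a directory owned by the hook's user with mode 0700. The fence below sketches the loop with an allowlist of trusted statuses and a fail-closed `rev-list`; the set of accepted statuses is a policy choice.

```shell
zero_commit="0000000000000000000000000000000000000000"
exclude_existing=(--not --all)

# … unchanged: while read loop header, payload echo, skip of deleted refs …

  if [ "$oldrev" = "$zero_commit" ]; then
    span=$(git rev-list "$newrev" "${exclude_existing[@]}") || exit 1
  else
    span=$(git rev-list "$oldrev..$newrev" "${exclude_existing[@]}") || exit 1
  fi

  for COMMIT in $span; do
    # -1 limits the output to this commit's own signature status
    status=$(git log -1 --pretty="format:%G?" "$COMMIT") || exit 1
    case "$status" in
      G)
        ;;
      *)
        echo "Commit $COMMIT has no good OpenPGP signature (status: $status). REFUSING"
        exit 1
        ;;
    esac
  done
```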