From 64d5c5e5aef06d9dfef68a08040b5d97845253df Mon Sep 17 00:00:00 2001
From: kwadronaut
Date: Wed, 15 Mar 2017 21:00:10 +0100
Subject: bitmask wants only signed commits, hookscript
---
 git/force-signed-commits-hook | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 git/force-signed-commits-hook
(limited to 'git')
diff --git a/git/force-signed-commits-hook b/git/force-signed-commits-hook
new file mode 100644
index 0000000..f884399
--- /dev/null
+++ b/git/force-signed-commits-hook
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+commit_Oh="0000000000000000000000000000000000000000"
+
+export GNUPGHOME=/tmp/
+
+# don't look at old stuff
+
+oldstuff="--not --all"
+
+while read oldrev newrev refname; do
+ # echo "payload"
+ echo $refname $oldrev $newrev
+
+ # branch or tag get deleted
+ if [ "$newrev" = "$zero_commit" ]; then
+ continue
+ fi
+
+ # Check for new branch or tag
+ if [ "$oldrev" = "$zero_commit" ]; then
+ span=`git rev-list $newrev $excludeExisting`
+ else
+ span=`git rev-list $oldrev..$newrev $excludeExisting`
+ fi
+
+ for COMMIT in $span;
+ do
+ unsigned=$(git log --pretty="format:%G?" $COMMIT 2>&1)
+ case $unsigned in
+ [N])
+ echo Commit $COMMIT was NOT signed by an OpenPGP key. REFUSING
+ exit 1
+ *)
+ echo Commit $COMMIT was probably signed. Is it trusted?
+ esac
+ done
+done
+exit 0
--
cgit v1.2.3
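Review bot: The signature check fails open once the hook parses: the `[N])` arm has no `;;` (bash reports a syntax error at `*)`), and with that fixed `git log --pretty="format:%G?" $COMMIT` without `-1` prints one status per ancestor, so the one-character `[N]` pattern matches only a root commit and everything else falls into the accepting `*)` arm, including `B` (bad signature) and `E` (signature cannot be checked). `$zero_commit` and `$excludeExisting` are never set (the script defines `commit_Oh` and `oldstuff`), so deleted refs are not skipped and a new ref runs `git rev-list` on a range starting at the all-zero id, which presumably errors and leaves `span` empty, so no commit is checked. `GNUPGHOME=/tmp/` points gpg at a world-writable directory in which any local user can place a keyring or `gpg.conf`; use a directory owned by the hook's user with mode 0700. The sketch below names the variables consistently, checks one commit at a time, and accepts only status `G`.

```shell
zero_commit="0000000000000000000000000000000000000000"
# Placeholder path: a mode-0700 directory owned by the hook's user that holds the accepted keys.
export GNUPGHOME=/path/to/hook-gnupghome
exclude_existing="--not --all"

while read -r oldrev newrev refname; do
  # … unchanged: payload echo …
  if [ "$newrev" = "$zero_commit" ]; then
    continue
  fi

  # Abort the push if the commit list cannot be computed, instead of checking nothing.
  if [ "$oldrev" = "$zero_commit" ]; then
    span=$(git rev-list "$newrev" $exclude_existing) || exit 1
  else
    span=$(git rev-list "$oldrev..$newrev" $exclude_existing) || exit 1
  fi

  for COMMIT in $span; do
    # -1 limits the output to this commit's own status character.
    status=$(git log -1 --pretty="format:%G?" "$COMMIT" 2>/dev/null)
    case "$status" in
      G)
        ;;
      *)
        echo "Commit $COMMIT has no good OpenPGP signature (status: ${status:-unknown}). REFUSING"
        exit 1
        ;;
    esac
  done
done
```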