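#!/usr/bin/env bash
#
# pre-receive hook: refuse any push that introduces a commit that is not
# carrying a verifiable OpenPGP signature.
#
# Git feeds "oldrev newrev refname" triples on stdin, one per updated ref.
# For each update the hook enumerates the commits the push would add and
# inspects their signature status with `git log --pretty=%G?`.
#
# Environment:
#   GNUPGHOME  keyring git/gpg use for verification.  Defaults to the
#              original /tmp/ for compatibility.  NOTE(review): /tmp is
#              world-writable, so any local user can add keys to that
#              keyring and have "signed" commits accepted — set this to a
#              dedicated directory writable only by the git service user.
#
# Exit status: 0 when every new commit is acceptable, 1 at the first refusal
# (a non-zero exit makes git reject the whole push).

set -u

# All-zero object id: git sends it as oldrev when a ref is created and as
# newrev when a ref is deleted.
readonly zero_oid="0000000000000000000000000000000000000000"

: "${GNUPGHOME:=/tmp/}"
export GNUPGHOME

# Exclude everything already reachable from an existing ref, so only the
# commits this push introduces are inspected ("don't look at old stuff").
readonly -a oldstuff=(--not --all)

#######################################
# Inspect one commit's signature status and decide whether to accept it.
# Arguments: $1 - commit object id
# Outputs:   one verdict line on stdout (hook output is relayed to the pusher)
# Returns:   0 to accept the commit, 1 to refuse it
#######################################
check_commit() {
  local commit=$1
  local status

  # -1 restricts the output to this commit.  Without it git log prints one
  # %G? letter per ancestor, the value becomes multi-line, a single-letter
  # pattern such as [N] can never match, and every non-root unsigned commit
  # falls through to the "probably signed" arm.
  # stderr is deliberately not merged into the value: gpg diagnostics still
  # reach the pusher, but cannot corrupt the status we match on.
  status=$(git log -1 --pretty="format:%G?" "$commit") || status=""

  case "$status" in
    N)
      printf 'Commit %s was NOT signed by an OpenPGP key. REFUSING\n' "$commit"
      return 1
      ;;
    B)
      # A signature that fails verification must not pass as "signed".
      printf 'Commit %s has a BAD OpenPGP signature. REFUSING\n' "$commit"
      return 1
      ;;
    E|"")
      # E: signature present but it could not be checked (e.g. the key is
      # not in GNUPGHOME).  Empty: git log itself failed.  Both are
      # unverified, so they are refused rather than waved through.
      printf 'Commit %s signature could not be verified. REFUSING\n' "$commit"
      return 1
      ;;
    *)
      # G (good, trusted key) and the remaining codes git documents for %G?
      # (U untrusted key, X/Y expired signature or key, R revoked key) are
      # accepted as before; the message leaves the trust decision to a human.
      printf 'Commit %s was probably signed. Is it trusted?\n' "$commit"
      ;;
  esac
  return 0
}

#######################################
# Process the "oldrev newrev refname" triples git supplies on stdin.
# Globals:   zero_oid, oldstuff (read)
# Outputs:   echoes each triple, then one verdict line per new commit
# Returns:   exits 0 when all refs pass, 1 as soon as one commit is refused
#######################################
main() {
  local oldrev newrev refname commit
  local -a span=()

  # -r keeps backslashes in the input literal.
  while read -r oldrev newrev refname; do
    # echo "payload"
    printf '%s %s %s\n' "$refname" "$oldrev" "$newrev"

    # Deleting a branch or tag adds no commits; nothing to check.
    if [[ "$newrev" == "$zero_oid" ]]; then
      continue
    fi

    # New branch or tag: every commit reachable from newrev that is not
    # already in the repository is a candidate.  Otherwise only the
    # commits in oldrev..newrev.
    if [[ "$oldrev" == "$zero_oid" ]]; then
      mapfile -t span < <(git rev-list "$newrev" "${oldstuff[@]}")
    else
      mapfile -t span < <(git rev-list "$oldrev..$newrev" "${oldstuff[@]}")
    fi

    # Count guard: expanding an empty array under set -u errors on bash < 4.4.
    if (( ${#span[@]} == 0 )); then
      continue
    fi

    for commit in "${span[@]}"; do
      check_commit "$commit" || exit 1
    done
  done
  exit 0
}

main "$@"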