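#!/usr/bin/env bash
#
# pre-receive hook: refuse any push that introduces a commit without a
# verifiable OpenPGP signature.
#
# git feeds one line per updated ref on stdin: "<oldrev> <newrev> <refname>".
# Exit status 0 accepts the whole push; any non-zero status rejects it.
#
# Fixes relative to the previous version (all of which let unsigned
# commits through or broke the hook outright):
#   * the zero-id constant was assigned to one name and tested under
#     another, and the exclusion list likewise, so ref creations and
#     deletions were never detected;
#   * `git log --pretty=%G?` without -1 printed one status per ancestor,
#     so the single-character `[N]` pattern never matched on any commit
#     with a parent;
#   * the `case` arm for the refusal lacked `;;`, which is a parse error;
#   * a failing `git rev-list` left the span empty and the push accepted
#     unchecked (fail open).
#
# The hook now fails closed: an unset variable, a git failure or a bad
# revision rejects the push instead of skipping the check.
set -euo pipefail

# All-zero object id: git uses it as oldrev when a ref is being created
# and as newrev when a ref is being deleted.
readonly zero_commit="0000000000000000000000000000000000000000"

# Keyring consulted by `git log --format=%G?` when verifying signatures.
# NOTE(review): /tmp is world-writable, so any local user can plant
# public keys or a trustdb here and make their own signatures look good.
# A real deployment should point this at a root-owned, read-only
# directory holding only the keys that are allowed to sign.
export GNUPGHOME=/tmp/

# Only inspect commits not already reachable from an existing ref; those
# were verified when they were first pushed.
readonly -a exclude_existing=(--not --all)

while read -r oldrev newrev refname; do
  # Echo the payload so the pusher can see which ref is being checked.
  printf '%s %s %s\n' "$refname" "$oldrev" "$newrev"

  # Deleting a branch or tag introduces no commits; nothing to verify.
  if [[ "$newrev" == "$zero_commit" ]]; then
    continue
  fi

  # A brand-new ref has no old tip, so walk from newrev alone; otherwise
  # only the commits between the old and the new tip are new.
  if [[ "$oldrev" == "$zero_commit" ]]; then
    range="$newrev"
  else
    range="$oldrev..$newrev"
  fi

  # One line per new commit: "<sha> <status>".  Per git-log(1), %G? is
  #   G good signature            U good signature, key not trusted
  #   X good signature, expired   Y good signature, key expired
  #   R good signature, revoked   E signature cannot be checked (no key)
  #   B bad signature             N no signature
  # A failure here (e.g. a revision git cannot resolve) must reject the
  # push rather than silently pass it.
  if ! sigs=$(git log --format='%H %G?' "$range" "${exclude_existing[@]}"); then
    printf 'git log failed for %s; REFUSING\n' "$refname" >&2
    exit 1
  fi
  # Nothing new to check (e.g. a fast-forward to commits already on
  # another branch).
  [[ -n "$sigs" ]] || continue

  while read -r commit status; do
    [[ -n "$commit" ]] || continue
    case "$status" in
      N)
        echo "Commit $commit was NOT signed by an OpenPGP key. REFUSING"
        exit 1
        ;;
      B)
        # A signature that fails verification is no better than none.
        echo "Commit $commit has a BAD OpenPGP signature. REFUSING"
        exit 1
        ;;
      *)
        # G/U/X/Y/R/E are accepted as before; whether the signing key is
        # trusted is left to the keyring in GNUPGHOME, hence the question.
        echo "Commit $commit was probably signed ($status). Is it trusted?"
        ;;
    esac
  done <<<"$sigs"
done
exit 0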