64 lines
No EOL
1.8 KiB
Text
64 lines
No EOL
1.8 KiB
Text
!/usr/bin/env bash
|
|
|
|
#
|
|
# Pre-receive hook that will block any unsigned commits and tags when pushed.
|
|
# It will also only accept a list of predefined GPG keys fingerprints (your team)
|
|
#
|
|
# More details on GPG commit and tag signing can be found on
|
|
#
|
|
# https://help.github.com/articles/signing-commits-using-gpg/
|
|
#
|
|
|
|
# Use your authorized fingerprints!
|
|
|
|
|
|
|
|
authorized_keys_fingerprints=(
|
|
"0000000000000000000000000000000000000000"
|
|
"0000000000000000000000000000000000000001"
|
|
)
|
|
|
|
function join_by { local IFS="$1"; shift; echo "$*"; }
|
|
fingerprints_regex="($(join_by '|' ${authorized_keys_fingerprints[@]}))"
|
|
|
|
zero_commit="0000000000000000000000000000000000000000"
|
|
|
|
# we have to change the home directory of GPG
|
|
# as in the default environment, /root/.gnupg is not writeable
|
|
export GNUPGHOME=/tmp/
|
|
|
|
# Do not traverse over commits that are already in the repository
|
|
# (e.g. in a different branch)
|
|
# This prevents funny errors if pre-receive hooks got enabled after some
|
|
# commits got already in and then somebody tries to create a new branch
|
|
# If this is unwanted behavior, just set the variable to empty
|
|
excludeExisting="--not --all"
|
|
|
|
while read oldrev newrev refname; do
|
|
# echo "payload"
|
|
echo $refname $oldrev $newrev
|
|
|
|
# branch or tag get deleted
|
|
if [ "$newrev" = "$zero_commit" ]; then
|
|
continue
|
|
fi
|
|
|
|
# Check for new branch or tag
|
|
if [ "$oldrev" = "$zero_commit" ]; then
|
|
span=`git rev-list $newrev $excludeExisting`
|
|
else
|
|
span=`git rev-list $oldrev..$newrev $excludeExisting`
|
|
fi
|
|
|
|
for COMMIT in $span;
|
|
do
|
|
signed=$(git verify-commit --raw $COMMIT 2>&1 | grep -E "VALIDSIG $authorized_keys_fingerprints ")
|
|
if test -n "$signed"; then
|
|
echo Commit $COMMIT was signed by a GPG key: $signed
|
|
else
|
|
echo Commit $COMMIT was not signed by a GPG key, rejecting push
|
|
exit 1
|
|
fi
|
|
done
|
|
done
|
|
exit 0 |