On 12/30/2014 11:18 PM, Junio C Hamano wrote:
> Sitaram Chamarty writes:
>
>> Just wanted to say there's a little script at [1] that saves the certificate
>> blobs generated on the server side by "git push --signed".
>>
>> Quoting from the source:
>>
>> # Collects the cert blob on push and saves it, then, if a certain number of
>> # signed pushes have been seen, processes all the "saved" blobs in one go,
>> # adding them to the special ref 'refs/push-certs'. This is done in a way
>> # that allows searching for all the certs pertaining to one specific branch
>> # (thanks to Junio Hamano for this idea plus general brainstorming).
>>
>> Note that although I posted it in the gitolite ML, this has very little to do
>> with gitolite. Any git server can use it, with only one very minor change [2]
>> needed.
>>
>> sitaram
>>
>> [1]: https://groups.google.com/forum/#!topic/gitolite/7cSrU6JorEY
>>
>> [2]: Either set the GL_OPTIONS_GPC_PENDING environment variable by reading its
>> value from 'git config', or replace the only line that uses that variable, with
>> some other "test".
>
> Nicely done.
>
> We'd need to give you a tool to make it easy to create a "validated
> chain of certificates" out of
>
>     $ git log refs/push-certs -- refs/heads/master
>
> to make the history this script creates truly useful, but I think it
> is a very good start.
>
> I can see that you tried to make the log output "human readable" by
> reformatting $cf, I am not sure if it gives us much value. I would
> have expected that you would just use the blob contents for the log
> message as-is, so that
>
>     $ git log --pretty=raw refs/push-certs -- refs/heads/master |
>       validate-cert-chain
>
> can just work on blobs (shown in the "log" output) without having to
> extract the blobs by doing something like
>
>     $ git rev-list refs/push-certs -- refs/heads/master |
>       while read commit
>       do
>           git cat-file blob $commit:refs/heads/master |
>           validate-cert
>       done

I see what you mean.

And it looks like using "--format=%B" also works pretty well. Will fix.

> By the way, you seem to like "cat" too much, though. You don't have
> to cat a single file into a pipeline.

Gee I hope Randal Schwartz is not on this list :)

Anyway the previous fix also removes most of them.

I'm attaching the current version so non-gitolite users can find it without
having to go to the gitolite repo. For gitolite users, it's somewhere in
"contrib/" in the source tree.

sitaram

> Thanks.
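The thread leaves the "validate-cert-chain" tool that Junio describes unwritten. The following is an added example, not the script discussed above and not code from git or gitolite, of what the consumer side of that pipeline could look like: it splits the output of `git log --format=%B refs/push-certs -- refs/heads/master` (cert blobs used as-is for commit messages, newest first) into individual push certificates, parses each one, and checks that the signed updates to one branch form an unbroken chain. The certificate layout assumed here (header lines `certificate version`, `pusher`, `pushee`, `nonce`, a blank line, one `<old-oid> <new-oid> <refname>` line per ref, then the armored PGP signature) is the one `git push --signed` sends; the chain rule (each cert's old OID must equal the previous cert's new OID) is this example's own assumption about what a "validated chain" should mean. The signature itself is not re-verified here: receive-pack already does that at push time and reports the result in `GIT_PUSH_CERT_STATUS`. The sample certificates, OIDs and nonces are constructed and the signature bodies are placeholders.

```python
import re
from dataclasses import dataclass

ZERO_OID = "0" * 40
_UPDATE_RE = re.compile(r"^([0-9a-f]{40}) ([0-9a-f]{40}) (\S+)$")
_SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
_SIG_END = "-----END PGP SIGNATURE-----"


@dataclass
class PushCert:
    version: str
    pusher: str
    pushee: str
    nonce: str
    updates: list      # [(old_oid, new_oid, refname), ...]
    signature: str     # armored block; validity was checked by receive-pack at push time


def parse_push_cert(blob):
    """Parse one push certificate blob into a PushCert, rejecting malformed input."""
    lines = blob.splitlines()
    if not lines or not lines[0].startswith("certificate version "):
        raise ValueError("missing 'certificate version' line")
    header = {"certificate": lines[0].split(" ", 2)[2]}
    i = 1
    while i < len(lines) and lines[i] != "":      # header ends at the blank line
        key, _, value = lines[i].partition(" ")
        header[key] = value
        i += 1
    for required in ("pusher", "pushee", "nonce"):
        if required not in header:
            raise ValueError(f"missing '{required}' header")
    i += 1                                         # skip the blank separator
    updates = []
    while i < len(lines) and lines[i] != _SIG_BEGIN:
        m = _UPDATE_RE.match(lines[i])
        if not m:
            raise ValueError(f"malformed update line: {lines[i]!r}")
        updates.append(m.groups())
        i += 1
    signature = "\n".join(lines[i:])
    if not signature.startswith(_SIG_BEGIN) or _SIG_END not in signature:
        raise ValueError("signature block missing or truncated")
    return PushCert(header["certificate"], header["pusher"], header["pushee"],
                    header["nonce"], updates, signature)


def split_log_stream(text):
    """Split 'git log --format=%B' output into cert blobs; each blob starts at a
    'certificate version' line, so no separator convention is relied on."""
    blobs, current = [], []
    for line in text.splitlines():
        if line.startswith("certificate version ") and any(current):
            blobs.append("\n".join(current).strip() + "\n")
            current = []
        current.append(line)
    if any(current):
        blobs.append("\n".join(current).strip() + "\n")
    return blobs


def check_chain(certs, refname):
    """Check that certs (oldest first) form an unbroken chain of updates to refname.
    Returns a list of problems; an empty list means every recorded update to the
    branch starts where the previously signed one ended."""
    problems = []
    expected_old = None
    for idx, cert in enumerate(certs):
        hits = [(o, n) for o, n, r in cert.updates if r == refname]
        if len(hits) != 1:
            problems.append(f"cert {idx}: expected one update for {refname}, found {len(hits)}")
            continue
        old, new = hits[0]
        if expected_old is not None and old != expected_old:
            problems.append(f"cert {idx}: old {old[:7]} != previous new {expected_old[:7]} "
                            "(unsigned push or missing cert in between)")
        expected_old = new
    return problems


def audit_branch(log_stream, refname):
    """End-to-end: log stream (newest first) -> parsed certs (oldest first) -> chain problems."""
    certs = [parse_push_cert(b) for b in split_log_stream(log_stream)]
    certs.reverse()
    return check_chain(certs, refname)


def _sample_cert(old, new, nonce):
    # Constructed sample certificate; the signature body is a placeholder.
    return ("certificate version 0.1\n"
            "pusher A U Thor <author@example.com> 1419900000 +0530\n"
            "pushee git://git.example.com/repo.git\n"
            f"nonce {nonce}\n\n"
            f"{old} {new} refs/heads/master\n"
            f"{_SIG_BEGIN}\n(constructed placeholder, not a real signature)\n{_SIG_END}\n")


SAMPLE_CERTS = [                                  # oldest first
    _sample_cert(ZERO_OID, "1" * 40, "1419900000-aaaa"),
    _sample_cert("1" * 40, "2" * 40, "1419900100-bbbb"),
    _sample_cert("3" * 40, "4" * 40, "1419900200-cccc"),   # gap: 2222.. -> 3333.. was never signed
]
# What 'git log --format=%B refs/push-certs -- refs/heads/master' would print: newest first.
SAMPLE_LOG_STREAM = "\n".join(reversed(SAMPLE_CERTS))

if __name__ == "__main__":
    for line in audit_branch(SAMPLE_LOG_STREAM, "refs/heads/master") or ["chain is continuous"]:
        print(line)
```

In use, `audit_branch(sys.stdin.read(), "refs/heads/master")` is the whole validator when fed from `git log --format=%B refs/push-certs -- refs/heads/master`; a reported gap means a push to the branch was recorded without a certificate (or a cert was never collected), which is exactly the hole an auditor of `refs/push-certs` wants surfaced rather than silently skipped.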