git.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* RFC: update hook for GPG signed submission on secured branches
@ 2015-01-16 19:03 Jason Pyeron
  2015-01-16 19:33 ` Junio C Hamano
  0 siblings, 1 reply; 6+ messages in thread
From: Jason Pyeron @ 2015-01-16 19:03 UTC (permalink / raw)
  To: git

Dev & users:

I would like your feedback.

I am working on a continuous integration (CI) system for CipherShed.org and we want to allow any fork to submit their patch to our CI server farm which will do integration testing. We want it to be easy to submit code, but to not allow interference with other submitters branches or fetching of other people's (any for bandwidth and simplicity) branches.

What would you change? Any bugs that you see?

-Jason (no cc please, I am on the list)

Here are the 2 configs.

$ cat config
[core]
        repositoryformatversion = 0
        filemode = true
        bare = true
[http]
        receivepack = true
        uploadpack = false
        getanyfile = false

$ cat hooks/update
#!/bin/bash

# (c) 2015 PD Inc. License found at http://www.apache.org/licenses/LICENSE-2.0 .

# --- Command line
refname="$1"
oldrev="$2"
newrev="$3"

# --- Safety check
if [ -z "$GIT_DIR" ]; then
        echo "Don't run this script from the command line." >&2
        echo " (if you want, you could supply GIT_DIR then run" >&2
        echo "  $0 <ref> <oldrev> <newrev>)" >&2
        exit 1
fi

if [ -z "$refname" -o -z "$oldrev" -o -z "$newrev" ]; then
        echo "usage: $0 <ref> <oldrev> <newrev>" >&2
        exit 1
fi

sigkey=$(\
 git cat-file $newrev -p |\
 sed -e '/^ /{H;$!d;}; x;/^gpgsig /!d; s/^gpgsig//;' |\
 cut -c 2- |\
 gpg --list-packets --textmode |\
 sed '/keyid/!d; s/.*keyid \([0-9A-F]\{16\}\).*/\1/I' \
)

if [ -z "$sigkey" ]; then
        echo no GPG signature on commit $newrev
        exit 1
fi

if ! gpg -k "$sigkey" 2> /dev/null > /dev/null; then
        # "$sigkey" not known
        RES="$(gpg --keyserver hkp://pgp.mit.edu --recv-keys "$sigkey" 2>&1)"
        if [ $? -ne 0 ]; then
                echo "$RES"
                exit 1
        fi
fi

sigstatus=$(git log $newrev --pretty=format:%G? -n 1)

case "$sigstatus" in
        G)
                #ok, trusted
                ;;
        U)
                #ok, untrusted
                ;;
        *)
                #not ok
                echo sigstatus: $sigstatus
                git log $newrev --pretty=format:%GG -n 1
                exit 1;
                ;;
esac

if [[ $refname != refs/heads/* ]]; then
        echo only heads may be pushed, illegal ref: $refname
        exit 1;
fi

head="${refname:11}"

shopt -s nocasematch

case "$head" in
        ${sigkey}-*)
                #ok
                ;;
        ${sigkey}/*)
                #ok
                ;;
        ${sigkey:(-8)}-*)
                #ok
                ;;
        ${sigkey:(-8)}/*)
                #ok
                ;;
        *)
                #not your branch
                echo "you (a.k.a. $sigkey) are not authorized to push to branch: $head"
                echo "try making a branch like: $sigkey-... or $sigkey/*"
                echo "you can use a less secure ${sigkey:(-8)} too"
                exit 1
                ;;
esac

exit 0

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2015-01-16 22:50 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-01-16 19:03 RFC: update hook for GPG signed submission on secured branches Jason Pyeron
2015-01-16 19:33 ` Junio C Hamano
2015-01-16 19:41   ` Junio C Hamano
2015-01-16 19:47   ` Jason Pyeron
2015-01-16 19:59     ` John Keeping
2015-01-16 22:49     ` Junio C Hamano

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).