01/01: doc: Add a Git hook that verifies signatures before pushing.

[Leo Famulari]

lfam pushed a commit to branch master
in repository guix.

commit 69355e1283d300a663fb639ec426f10f3feb404b
Author: Leo Famulari <address@hidden>
Date:   Tue Jan 3 01:19:25 2017 -0500

    doc: Add a Git hook that verifies signatures before pushing.
    
    * HACKING (Commit Access): Describe the pre-push Git hook.
    * etc/git/pre-push: New file.
---
 HACKING          |    5 +++++
 etc/git/pre-push |   57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+)

diff --git a/HACKING b/HACKING
index 28948b3..e210143 100644
--- a/HACKING
+++ b/HACKING
@@ -4,6 +4,7 @@
 
 Copyright © 2012, 2013, 2014, 2016 Ludovic Courtès <address@hidden>
 Copyright © 2015 Mathieu Lirzin <address@hidden>
+Copyright © 2017 Leo Famulari <address@hidden>
 
   Copying and distribution of this file, with or without modification,
   are permitted in any medium without royalty provided the copyright
@@ -43,6 +44,10 @@ configure Git to automatically sign commits, run:
   git config commit.gpgsign true
   git config user.signingkey CABBA6EA1DC0FF33
 
+You can prevent yourself from accidentally pushing unsigned commits to Savannah
+by using the pre-push Git hook called 'pre-push'. It's located at
+'etc/git/pre-push'.
+
 For anything else, please post to address@hidden and leave time for a
 review, without committing anything.  If you didn’t receive any reply
 after two weeks, and if you’re confident, it’s OK to commit.
diff --git a/etc/git/pre-push b/etc/git/pre-push
new file mode 100755
index 0000000..c894c5a
--- /dev/null
+++ b/etc/git/pre-push
@@ -0,0 +1,57 @@
+#!/bin/sh
+
+# This hook script prevents the user from pushing to Savannah if any of the new
+# commits' OpenPGP signatures cannot be verified.
+
+# Called by "git push" after it has checked the remote status, but before
+# anything has been pushed.  If this script exits with a non-zero status 
nothing
+# will be pushed.
+#
+# This hook is called with the following parameters:
+#
+# $1 -- Name of the remote to which the push is being done
+# $2 -- URL to which the push is being done
+#
+# If pushing without using a named remote those arguments will be equal.
+#
+# Information about the commits which are being pushed is supplied as lines to
+# the standard input in the form:
+#
+#   <local ref> <local sha1> <remote ref> <remote sha1>
+
+z40=0000000000000000000000000000000000000000
+
+# Only use the hook when pushing to Savannah.
+case "$2" in
+*git.sv.gnu.org*)
+       break
+       ;;
+*)
+       exit 0
+       ;;
+esac
+
+while read local_ref local_sha remote_ref remote_sha
+do
+       if [ "$local_sha" = $z40 ]
+       then
+               # Handle delete
+               :
+       else
+               if [ "$remote_sha" = $z40 ]
+               then
+                       # New branch, examine all commits
+                       range="$local_sha"
+               else
+                       # Update to existing branch, examine new commits
+                       range="$remote_sha..$local_sha"
+               fi
+
+               # Verify the signatures of all commits being pushed.
+               git verify-commit $(git rev-list $range) >/dev/null 2>&1
+
+               exit $?
+       fi
+done
+
+exit 0