bug#22883: [sr #109104] Add Git 'update' hook for Guix repositories
From: Mike Gerwitz
Subject: bug#22883: [sr #109104] Add Git 'update' hook for Guix repositories
Date: Sun, 7 Aug 2016 05:53:39 +0000 (UTC)
User-agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Follow-up Comment #4, sr #109104 (project administration):
Unfortunately, this hook can be easily defeated. Here's some example output
from the current tip of master:
$ git cat-file -p HEAD
tree c65e675351fe76b2630df24eddcb2449774eb344
parent e87c7ec2de815f05d7a84e2792e2da700bb26a38
author Leo Famulari <address@hidden> 1470169005 -0400
committer Leo Famulari <address@hidden> 1470538536 -0400
gpgsig -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABCAAGBQJXpqMoAAoJECZG+jC6yn8Ihn8P+wfUhS5HOL7181KC8ZRdTFC5
 5XjavRq/08LJzO2mxer1r5oVcWYuZAvnPKZltO1vdIp0ncvU40c4nmaNpQiB/w6B
 8slSkqBsoCVE7GEKHoAWju7Rwwlqw4fUSgDWw5JpJ/3S2PhRj+tvy8o/wCeBEwTL
 c90yivRmpKZcdcRgSPHqhHhMJ7lIJxbvHKlb30SPz9vdQTj13EUeeyyJQc/7lu7D
 kUiUu9MOjC3o8dPE8E7otMnD51xfj8SNvs5h7cZAMByS0Qk06RwK+O5POkBlXUMV
 lVxgPJsC7LfqJJ/VGLb5uOIoXMUCGV3mzdDXA+Pe+xvTTGOT+8rNsPl7kwxAGYqC
 vPVrY1dC6CzRX8/7etvb99UHf2nx0NbYRAvetZzh9j6WBbMqGBgHMndRh6i6Y7Fl
 BioG+J22sXCQjf3ydRvjd8cznlfvBCTqo9zSqeoG7Ha/qSh1pX16KAUxLi1YGzK6
 I79iqOEvpoxwS/9Ym+GB+4rLTimqhtDKN7v3XaQudJ8t6hMlGi+pqjiLhNI8q2c9
 dd3RthLu+Zom4duwnGo0BJEVC+CDLYGcdiwCKOpLaI9KtQbCv6useALPBk5RKPHr
 pE1Y7nTmBw7Rxl2GuaNOH9x5cHOuULfWW+HLm3JSwTjD4cpAxnFDP7qYINSo7XGR
 HGWK/43B5syf6FhZws8N
 =h+H0
 -----END PGP SIGNATURE-----

gnu: Add python-pythondialog.

* gnu/packages/python.scm (python-pythondialog): New variable.
(python2-pythondialog): Inherit from PYTHON-PYTHONDIALOG.

Co-authored-by: Vincent Legoll <address@hidden>
The hook currently greps for `^gpgsig '. It will indeed find a GPG signature
if it exists, but to circumvent it, an attacker need only put `gpgsig' in the
commit message at column 0---the commit messages aren't indented in the
output.
You can replace the entire loop in the hook with this:
git log --pretty='%GK %h %s' "$rev_old^..$rev_new" \
  | awk '/^ / {
           e=1
           print "error: missing signature:" $0 > "/dev/stderr"
         }
         END { exit e }'
If the commit is not signed, then `%GK` (GPG key id) will yield an empty
string.
Here's some example output (run with HEAD~15..):
error: missing signature: 7ccb874 gnu: zsh: Move to shells.scm.
error: missing signature: 7977d76 Update NEWS.
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/support/?109104>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
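The weakness described above comes from treating the whole `git cat-file -p` output as one flat text: a `^gpgsig ` grep cannot tell a header from a commit-message line. The following is an added illustration, not code from the Savannah thread or from the Guix hook, that parses the raw commit object format (headers up to the first blank line, continuation lines prefixed with a single space, then the message) and compares the flat grep with a header-only check. Both commit objects it uses are constructed for the example; the author names and the second commit's message are invented.

```python
# Added example: parse a raw git commit object (the format `git cat-file -p`
# prints for commits) and look for the gpgsig header only where headers live.
# Both sample objects below are constructed for this example.

import re


def split_commit_object(raw):
    """Split a raw commit object into (headers, message).

    Headers run until the first empty line. A header value continues on
    following lines that start with a single space; this is how the
    multi-line gpgsig header is stored. Everything after the blank line is
    the commit message, which is NOT indented.
    """
    head, _, message = raw.partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line.startswith(" ") and headers:
            # continuation of the previous header's value
            name, value = headers[-1]
            headers[-1] = (name, value + "\n" + line[1:])
        else:
            name, _, value = line.partition(" ")
            headers.append((name, value))
    return headers, message


def naive_grep_check(raw):
    """The check the thread describes: any line starting 'gpgsig ' counts."""
    return re.search(r"^gpgsig ", raw, re.MULTILINE) is not None


def header_has_gpgsig(raw):
    """Accept only a gpgsig header; text in the message body is ignored."""
    headers, _ = split_commit_object(raw)
    return any(name == "gpgsig" for name, _ in headers)


def unsigned_subjects(raw_objects):
    """Return the subject line of every object that carries no gpgsig header."""
    missing = []
    for raw in raw_objects:
        if not header_has_gpgsig(raw):
            _, message = split_commit_object(raw)
            missing.append(message.split("\n", 1)[0])
    return missing


# Constructed: a signed commit, with the signature body shortened.
SIGNED = "\n".join([
    "tree c65e675351fe76b2630df24eddcb2449774eb344",
    "parent e87c7ec2de815f05d7a84e2792e2da700bb26a38",
    "author A U Thor <author@example.invalid> 1470169005 -0400",
    "committer A U Thor <author@example.invalid> 1470538536 -0400",
    "gpgsig -----BEGIN PGP SIGNATURE-----",
    " Version: GnuPG v2",
    " ",                      # blank line inside the armor, still indented
    " iQIcBAABCAAGBQJXpqMoAAoJECZG+jC6yn8Ihn8P+wfUhS5HOL7181KC8ZRdTFC5",
    " =h+H0",
    " -----END PGP SIGNATURE-----",
    "",
    "gnu: Add python-pythondialog.",
    "",
    "* gnu/packages/python.scm (python-pythondialog): New variable.",
    "",
])

# Constructed: an unsigned commit whose message contains 'gpgsig' at column 0.
SPOOFED = "\n".join([
    "tree c65e675351fe76b2630df24eddcb2449774eb344",
    "parent e87c7ec2de815f05d7a84e2792e2da700bb26a38",
    "author A U Thor <author@example.invalid> 1470169005 -0400",
    "committer A U Thor <author@example.invalid> 1470538536 -0400",
    "",
    "gnu: Some unsigned change.",
    "",
    "gpgsig -----BEGIN PGP SIGNATURE-----",   # message text, not a header
    "not a header at all",
    "",
])


if __name__ == "__main__":
    for label, raw in (("signed", SIGNED), ("spoofed", SPOOFED)):
        print(label, "grep:", naive_grep_check(raw),
              "header:", header_has_gpgsig(raw))
    print("missing signature:", unsigned_subjects([SIGNED, SPOOFED]))
```

The header-only check closes the column-0 spoof, but it still only proves that some signature header is present, not that it verifies against a trusted key; that is why the `git log --pretty='%GK ...'` pipeline in the comment is the stronger replacement, since git itself runs the verification and leaves `%GK` empty when there is nothing valid to report (git's `%G?` placeholder gives the verification status letter if you want to distinguish bad and untrusted signatures as well).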