-rwxr-xr-x | local/require-signed-push | 98 |
1 files changed, 49 insertions, 49 deletions
diff --git a/local/require-signed-push b/local/require-signed-push
index 5584700..ec9cb41 100755
--- a/local/require-signed-push
+++ b/local/require-signed-push
@@ -6,48 +6,48 @@ die() { echo "$@" >&2; exit 1; } warn() { echo "$@" >&2; } fail_signed_push() { - warn "$@" - warn "Your push was not signed with a known key." - warn "You MUST use git push --signed with a known key." - warn "Known keys are the subkeys of all primary keys in LDAP." - warn "If you add a new (primary) key to LDAP, please ask Infra to sync gitolite." - warn "If you modified your key and uploaded to keyservers, please wait 15 minutes for sync." + warn "$@" + warn "Your push was not signed with a known key." + warn "You MUST use git push --signed with a known key." + warn "Known keys are the subkeys of all primary keys in LDAP." + warn "If you add a new (primary) key to LDAP, please ask Infra to sync gitolite." + warn "If you modified your key and uploaded to keyservers, please wait 15 minutes for sync." warn "If you haven't done either of these things, please see https://wiki.gentoo.org/wiki/Project:Gentoo-keys/Generating_GLEP_63_based_OpenPGP_keys#Next_steps" - warn "git-receive-pack variables:" - for var in \ - GIT_PUSH_CERT \ - GIT_PUSH_CERT_KEY \ - GIT_PUSH_CERT_NONCE \ - GIT_PUSH_CERT_NONCE_SLOP \ - GIT_PUSH_CERT_NONCE_STATUS \ - GIT_PUSH_CERT_SIGNER \ - GIT_PUSH_CERT_STATUS \ - ; do - warn "$var='${!var}'" - done - if [ -n "${GIT_PUSH_CERT}" ]; then - warn "A push-cert was found, and follows:" - warn "=====" - git --no-pager show "$GIT_PUSH_CERT" - warn "=====" - fi - exit 1 + warn "git-receive-pack variables:" + for var in \ + GIT_PUSH_CERT \ + GIT_PUSH_CERT_KEY \ + GIT_PUSH_CERT_NONCE \ + GIT_PUSH_CERT_NONCE_SLOP \ + GIT_PUSH_CERT_NONCE_STATUS \ + GIT_PUSH_CERT_SIGNER \ + GIT_PUSH_CERT_STATUS \ + ; do + warn "$var='${!var}'" + done + if [ -n "${GIT_PUSH_CERT}" ]; then + warn "A push-cert was found, and follows:" + warn "=====" + git --no-pager show "$GIT_PUSH_CERT" + warn "=====" + fi + exit 1 } log_git_push() { - s="" - for var in \ - GIT_PUSH_CERT \ - GIT_PUSH_CERT_KEY \ - GIT_PUSH_CERT_NONCE \ - GIT_PUSH_CERT_NONCE_SLOP \ - 
GIT_PUSH_CERT_NONCE_STATUS \ - GIT_PUSH_CERT_SIGNER \ - GIT_PUSH_CERT_STATUS \ - ; do - s="${s} $var='${!var}'" - done - logger -t require-signed-push -p info "require-signed-push${s}" + s="" + for var in \ + GIT_PUSH_CERT \ + GIT_PUSH_CERT_KEY \ + GIT_PUSH_CERT_NONCE \ + GIT_PUSH_CERT_NONCE_SLOP \ + GIT_PUSH_CERT_NONCE_STATUS \ + GIT_PUSH_CERT_SIGNER \ + GIT_PUSH_CERT_STATUS \ + ; do + s="${s} $var='${!var}'" + done + logger -t require-signed-push -p info "require-signed-push${s}" } verify_committer_clock() { @@ -111,23 +111,23 @@ log_git_push # Now validate case $GIT_PUSH_CERT_STATUS in - # Good - G) ;; - # Bad - B) fail_signed_push "Bad signature" ;; - # Untrusted good - U) ;; # TODO: deny this later - #U) fail_signed_push "Good but untrusted signature" ;; - # No signature - N) + # Good + G) ;; + # Bad + B) fail_signed_push "Bad signature" ;; + # Untrusted good + U) ;; # TODO: deny this later + #U) fail_signed_push "Good but untrusted signature" ;; + # No signature + N) if [ -z "$GIT_PUSH_CERT" ]; then fail_signed_push "No signature found" else fail_signed_push "Signature found, but from unknown key (see push-cert)" fi ;; - # Future-proof - *) fail_signed_push "Unknown GIT_PUSH_CERT_STATUS" ;; + # Future-proof + *) fail_signed_push "Unknown GIT_PUSH_CERT_STATUS" ;; esac # Check the user clock as well. |