Browse Source

Add script to verify all merge commits are signed

pull/118/head
Matt Corallo 6 years ago
parent
commit
73f696920b

+ 9
- 0
contrib/README.md View File

@@ -0,0 +1,9 @@
Repository Tools
---------------------

### [Developer tools](/contrib/devtools) ###
Specific tools for developers working on this repository.
Contains the script `github-merge.sh` for merging github pull requests securely and signing them using GPG.

### [Verify-Commits](/contrib/verify-commits) ###
Tool to verify that every merge commit was signed by a developer using the above `github-merge.sh` script.

+ 15
- 0
contrib/verify-commits/gpg.sh View File

@@ -0,0 +1,15 @@
#!/bin/sh
INPUT=$(</dev/stdin)
VALID=false
IFS=$'\n'
for LINE in $(echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null); do
case "$LINE" in "[GNUPG:] VALIDSIG"*)
while read KEY; do
case "$LINE" in "[GNUPG:] VALIDSIG $KEY "*) VALID=true;; esac
done < ./contrib/verify-commits/trusted-keys
esac
done
if ! $VALID; then
exit 1
fi
echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null

+ 16
- 0
contrib/verify-commits/pre-push-hook.sh View File

@@ -0,0 +1,16 @@
#!/bin/bash
if ! [[ "$2" =~ [git@]?[www.]?github.com[:|/]bitcoin/bitcoin[.git]? ]]; then
exit 0
fi

while read LINE; do
set -- A $LINE
if [ "$4" != "refs/heads/master" ]; then
continue
fi
if ! ./contrib/verify-commits/verify-commits.sh $3 > /dev/null 2>&1; then
echo "ERROR: A commit is not signed, can't push"
./contrib/verify-commits/verify-commits.sh
exit 1
fi
done < /dev/stdin

+ 1
- 0
contrib/verify-commits/trusted-git-root View File

@@ -0,0 +1 @@
053038e5ba116cb319fb85f3cb3e062cf1b3df15

+ 5
- 0
contrib/verify-commits/trusted-keys View File

@@ -0,0 +1,5 @@
71A3B16735405025D447E8F274810B012346C9A6
1F4410F6A89268CE3197A84C57896D2FF8F0B657
01CDF4627A3B88AAE4A571C87588242FBE38D3A8
AF8BE07C7049F3A26B239D5325B3083201782B2F
81291FA67D2C379A006A053FEAB5AF94D9E9ABE7

+ 51
- 0
contrib/verify-commits/verify-commits.sh View File

@@ -0,0 +1,51 @@
#!/bin/sh

DIR=$(dirname "$0")

echo "Please verify all commits in the following list are not evil:"
git log "$DIR"

VERIFIED_ROOT=$(cat "${DIR}/trusted-git-root")

HAVE_FAILED=false
IS_SIGNED () {
if [ $1 = $VERIFIED_ROOT ]; then
return 0;
fi
if ! git -c "gpg.program=${DIR}/gpg.sh" verify-commit $1 > /dev/null 2>&1; then
return 1;
fi
local PARENTS=$(git show -s --format=format:%P $1)
for PARENT in $PARENTS; do
if IS_SIGNED $PARENT > /dev/null; then
return 0;
fi
done
if ! "$HAVE_FAILED"; then
echo "No parent of $1 was signed with a trusted key!" > /dev/stderr
echo "Parents are:" > /dev/stderr
for PARENT in $PARENTS; do
git show -s $PARENT > /dev/stderr
done
HAVE_FAILED=true
fi
return 1;
}

if [ x"$1" = "x" ]; then
TEST_COMMIT="HEAD"
else
TEST_COMMIT="$1"
fi

IS_SIGNED "$TEST_COMMIT"
RES=$?
if [ "$RES" = 1 ]; then
if ! "$HAVE_FAILED"; then
echo "$TEST_COMMIT was not signed with a trusted key!"
fi
else
echo "There is a valid path from $TEST_COMMIT to $VERIFIED_ROOT where all commits are signed!"
fi

exit $RES

Loading…
Cancel
Save