пре 6 година · 73f696920b
--- a/contrib/README.md
+++ b/contrib/README.md
@@ -0,0 +1,9 @@
 Repository Tools
 ---------------------

 ### [Developer tools](/contrib/devtools) ###
 Specific tools for developers working on this repository.
 Contains the script `github-merge.sh` for merging github pull requests securely and signing them using GPG.

 ### [Verify-Commits](/contrib/verify-commits) ###
 Tool to verify that every merge commit was signed by a developer using the above `github-merge.sh` script.
--- a/contrib/verify-commits/gpg.sh
+++ b/contrib/verify-commits/gpg.sh
@@ -0,0 +1,15 @@
 #!/bin/sh
 INPUT=$(</dev/stdin)
 VALID=false
 IFS=$'\n'
 for LINE in $(echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null); do
 	case "$LINE" in "[GNUPG:] VALIDSIG"*)
 		while read KEY; do
 			case "$LINE" in "[GNUPG:] VALIDSIG $KEY "*) VALID=true;; esac
 		done < ./contrib/verify-commits/trusted-keys
 	esac
 done
 if ! $VALID; then
 	exit 1
 fi
 echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null
--- a/contrib/verify-commits/pre-push-hook.sh
+++ b/contrib/verify-commits/pre-push-hook.sh
@@ -0,0 +1,16 @@
 #!/bin/bash
 if ! [[ "$2" =~ [git@]?[www.]?github.com[:|/]bitcoin/bitcoin[.git]? ]]; then
    exit 0
 fi

 while read LINE; do
    set -- A $LINE
    if [ "$4" != "refs/heads/master" ]; then
        continue
    fi
    if ! ./contrib/verify-commits/verify-commits.sh $3 > /dev/null 2>&1; then
        echo "ERROR: A commit is not signed, can't push"
        ./contrib/verify-commits/verify-commits.sh
        exit 1
    fi
 done < /dev/stdin
--- a/contrib/verify-commits/trusted-git-root
+++ b/contrib/verify-commits/trusted-git-root
@@ -0,0 +1 @@
 053038e5ba116cb319fb85f3cb3e062cf1b3df15
--- a/contrib/verify-commits/trusted-keys
+++ b/contrib/verify-commits/trusted-keys
@@ -0,0 +1,5 @@
 71A3B16735405025D447E8F274810B012346C9A6
 1F4410F6A89268CE3197A84C57896D2FF8F0B657
 01CDF4627A3B88AAE4A571C87588242FBE38D3A8
 AF8BE07C7049F3A26B239D5325B3083201782B2F
 81291FA67D2C379A006A053FEAB5AF94D9E9ABE7
--- a/contrib/verify-commits/verify-commits.sh
+++ b/contrib/verify-commits/verify-commits.sh
@@ -0,0 +1,51 @@
 #!/bin/sh

 DIR=$(dirname "$0")

 echo "Please verify all commits in the following list are not evil:"
 git log "$DIR"

 VERIFIED_ROOT=$(cat "${DIR}/trusted-git-root")

 HAVE_FAILED=false
 IS_SIGNED () {
 	if [ $1 = $VERIFIED_ROOT ]; then
 		return 0;
 	fi
 	if ! git -c "gpg.program=${DIR}/gpg.sh" verify-commit $1 > /dev/null 2>&1; then
 		return 1;
 	fi
 	local PARENTS=$(git show -s --format=format:%P $1)
 	for PARENT in $PARENTS; do
 		if IS_SIGNED $PARENT > /dev/null; then
 			return 0;
 		fi
 	done
 	if ! "$HAVE_FAILED"; then
 		echo "No parent of $1 was signed with a trusted key!" > /dev/stderr
 		echo "Parents are:" > /dev/stderr
 		for PARENT in $PARENTS; do
 			git show -s $PARENT > /dev/stderr
 		done
 		HAVE_FAILED=true
 	fi
 	return 1;
 }

 if [ x"$1" = "x" ]; then
 	TEST_COMMIT="HEAD"
 else
 	TEST_COMMIT="$1"
 fi

 IS_SIGNED "$TEST_COMMIT"
 RES=$?
 if [ "$RES" = 1 ]; then
 	if ! "$HAVE_FAILED"; then
 		echo "$TEST_COMMIT was not signed with a trusted key!"
 	fi
 else
 	echo "There is a valid path from $TEST_COMMIT to $VERIFIED_ROOT where all commits are signed!"
 fi

 exit $RES