
verify-commits.sh 1.5KB

  1. #!/bin/sh
  2. # Copyright (c) 2014-2016 The Bitcoin Core developers
  3. # Distributed under the MIT software license, see the accompanying
  4. # file COPYING or http://www.opensource.org/licenses/mit-license.php.
  5. # Not technically POSIX-compliant due to use of "local", but almost every
  6. # shell anyone uses today supports it, so it's probably fine
  # Set to true once IS_SIGNED has printed its failure report, so the report
  # is emitted at most once per run.
  HAVE_FAILED=false

  # Resolve the directory holding this script. When $0 is a relative path,
  # anchor it to the current working directory so DIR is always absolute.
  DIR=$(dirname "$0")
  case "$DIR" in
    /*) ;;
    *) DIR=$(dirname "$(pwd)/$0") ;;
  esac

  # Trust anchors are read from files next to the script: the commit at which
  # the ancestry walk stops, and the list of commits for which
  # BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG is exported as 1.
  # NOTE(review): these files (and gpg.sh) are only as trustworthy as the
  # checkout the script runs from - confirm it is run from a tree that is
  # already trusted, not from the revision being verified.
  VERIFIED_ROOT=$(cat "${DIR}/trusted-git-root")
  REVSIG_ALLOWED=$(cat "${DIR}/allow-revsig-commits")
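  # IS_SIGNED <commit>
  # Returns 0 when <commit> equals the trusted root, or when git verify-commit
  # accepts it (through the gpg.sh wrapper next to this script) and at least
  # one of its parents passes the same check recursively. Returns 1 otherwise.
  # Globals: DIR, VERIFIED_ROOT, REVSIG_ALLOWED (read); HAVE_FAILED (written);
  #          BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG (exported for the wrapper).
  # Outputs: the first "no signed parent" failure is reported on stderr.
  IS_SIGNED () {
    local PARENTS PARENT

    # An empty commit name or an empty trust anchor must never count as a
    # match; unquoted, `[ $1 = $VERIFIED_ROOT ]` degenerated to `[ = ]`, which
    # is true.
    if [ -z "$1" ]; then
      return 1
    fi
    if [ -n "$VERIFIED_ROOT" ] && [ "$1" = "$VERIFIED_ROOT" ]; then
      return 0
    fi

    # Substring test against the allow-list. $1 is quoted inside the pattern
    # so glob characters in it are compared literally instead of widening the
    # match.
    # NOTE(review): as a substring test, an abbreviated hash or a short ref
    # name can still match an entry - callers should pass full commit hashes.
    if [ "${REVSIG_ALLOWED#*"$1"}" != "$REVSIG_ALLOWED" ]; then
      export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=1
    else
      export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=0
    fi

    # The signature verdict comes only from the exit status; git's output is
    # discarded.
    if ! git -c "gpg.program=${DIR}/gpg.sh" verify-commit "$1" > /dev/null 2>&1; then
      return 1
    fi

    PARENTS=$(git show -s --format=format:%P "$1")
    # Unquoted on purpose: %P yields a space-separated list of parent hashes.
    for PARENT in $PARENTS; do
      if IS_SIGNED "$PARENT" > /dev/null; then
        return 0
      fi
    done

    # Compare as a string rather than executing the variable's value.
    if [ "$HAVE_FAILED" != true ]; then
      echo "No parent of $1 was signed with a trusted key!" >&2
      echo "Parents are:" >&2
      for PARENT in $PARENTS; do
        git show -s "$PARENT" >&2
      done
      HAVE_FAILED=true
    fi
    return 1
  }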
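  # Commit to check: the first argument, defaulting to HEAD when absent/empty.
  TEST_COMMIT="${1:-HEAD}"

  # The name is handed to git as a positional argument; refuse anything git
  # could parse as an option instead of a revision.
  case "$TEST_COMMIT" in
    -*)
      echo "Invalid commit name: $TEST_COMMIT" >&2
      exit 1
      ;;
  esac

  IS_SIGNED "$TEST_COMMIT"
  RES=$?
  # Print the success message only for status 0; every other status is
  # treated as a verification failure.
  if [ "$RES" -ne 0 ]; then
    # IS_SIGNED already printed a detailed report when HAVE_FAILED is true.
    if [ "$HAVE_FAILED" != true ]; then
      echo "$TEST_COMMIT was not signed with a trusted key!"
    fi
  else
    echo "There is a valid path from $TEST_COMMIT to $VERIFIED_ROOT where all commits are signed!"
  fi
  exit "$RES"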