
verify-commits.sh 1.0KB

  1. #!/bin/sh
  2. DIR=$(dirname "$0")
  3. echo "Please verify all commits in the following list are not evil:"
  4. git log "$DIR"
  5. VERIFIED_ROOT=$(cat "${DIR}/trusted-git-root")
  6. HAVE_FAILED=false
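#######################################
# Decide whether a commit is connected to the trusted root by signed commits.
#
# A commit is accepted when it is the trusted root itself, or when its own
# signature verifies AND at least one of its parents is accepted in turn.
# For a merge this means a single signed path is enough: commits reachable
# only through the other parents are vouched for by the signed merge and are
# not checked individually.
#
# Globals:   DIR (read), VERIFIED_ROOT (read), HAVE_FAILED (read and written)
# Arguments: $1 - commit to check
# Outputs:   failure report on stderr, printed once per run
# Returns:   0 if a signed path to VERIFIED_ROOT exists, 1 otherwise
#######################################
IS_SIGNED () {
  # Textual comparison: parents arrive as full hashes from %P, so the trusted
  # root has to be recorded as a full hash to ever match. Quoting keeps the
  # test well-formed when either side is empty.
  if [ "$1" = "$VERIFIED_ROOT" ]; then
    return 0
  fi

  # Only the exit status of verify-commit is used; which keys count as trusted
  # is decided by the gpg.sh wrapper, which is not visible here.
  if ! git -c "gpg.program=${DIR}/gpg.sh" verify-commit "$1" > /dev/null 2>&1; then
    return 1
  fi

  # Declared separately from the assignment: some /bin/sh implementations
  # word-split `local VAR=$(cmd)`, which would keep only the first parent of a
  # merge and silently drop the others from the check.
  local PARENTS PARENT
  PARENTS=$(git show -s --format=format:%P "$1")

  # Intentionally unquoted: one word per parent hash.
  for PARENT in $PARENTS; do
    if IS_SIGNED "$PARENT" > /dev/null; then
      return 0
    fi
  done

  # Report only the first dead end that is reached; callers further up the
  # recursion see HAVE_FAILED=true and stay quiet.
  if ! "$HAVE_FAILED"; then
    echo "No parent of $1 was signed with a trusted key!" >&2
    echo "Parents are:" >&2
    for PARENT in $PARENTS; do
      git show -s "$PARENT" >&2
    done
    HAVE_FAILED=true
  fi
  return 1
}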
# Commit to check: the first argument, or HEAD when it is missing or empty.
TEST_COMMIT="${1:-HEAD}"

IS_SIGNED "$TEST_COMMIT"
RES=$?

# Success means one signed path to the trusted root was found; commits that
# are reachable only through other parents of a merge were not checked.
if [ "$RES" != 1 ]; then
  echo "There is a valid path from $TEST_COMMIT to $VERIFIED_ROOT where all commits are signed!"
elif ! "$HAVE_FAILED"; then
  # No detailed report was printed, so the starting commit itself failed
  # signature verification.
  echo "$TEST_COMMIT was not signed with a trusted key!"
fi

# Hand the verification result to the caller (e.g. a CI job or hook).
exit $RES