Compare commits


1 Commits

Author SHA1 Message Date
Jonathan Brielmaier
843e2d7d8d
Add git hook for checking commit signing.
This is analogous to what upstream Guix does in order to prevent invalidly
signed commits being pushed.

* Makefile: New file.
* etc/git/pre-push: New file.

Co-authored-by: Wolf <wolf@wolfsden.cz>
2024-03-03 22:03:21 +01:00
2 changed files with 62 additions and 0 deletions

Makefile Normal file

@ -0,0 +1,14 @@
# SPDX-License-Identifier: GPL-3.0-or-later
# Copyright © 2022 Giacomo Leidi <goodoldpaul@autistici.org>
# Copyright © 2024 Jonathan Brielmaier <jonathan.brielmaier@web.de>
# Copyright © 2024 Wolf <wolf@wolfsden.cz>
# nonguix channel
channel_intro_commit = 897c1a470da759236cc11798f4e0a5f7d4d59fbc
channel_intro_signer = 2A39 3FFF 68F4 EF7A 3D29 12AF 6F51 20A0 22FB B2D5
authenticate:
echo "Authenticating Git checkout..." ; \
guix git authenticate \
--cache-key=channels/nonguix --stats \
"$(channel_intro_commit)" "$(channel_intro_signer)"
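Review bot: the `authenticate` rule is not declared `.PHONY`, so if a file or directory named `authenticate` ever appears in the checkout, make will treat the target as up to date and exit 0 without running `guix git authenticate`; the pre-push hook that calls `make authenticate` would then let the push through unchecked. Add `.PHONY: authenticate` above the rule. Joining the `echo` and the `guix git authenticate` invocation with `; \` does keep the rule's exit status equal to that of `guix git authenticate`, which is what the hook relies on, so that part is fine.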

etc/git/pre-push Executable file

@ -0,0 +1,48 @@
#!/bin/sh
# SPDX-License-Identifier: GPL-3.0-or-later
# Copyright © 2024 Jonathan Brielmaier <jonathan.brielmaier@web.de>
# Copyright © 2024 Wolf <wolf@wolfsden.cz>
# This hook script prevents the user from pushing to GitLab if any of the new
# commits' OpenPGP signatures cannot be verified, or if a commit is signed
# with an unauthorized key.
# Called by "git push" after it has checked the remote status, but before
# anything has been pushed. If this script exits with a non-zero status nothing
# will be pushed.
#
# This hook is called with the following parameters:
#
# $1 -- Name of the remote to which the push is being done
# $2 -- URL to which the push is being done
#
# If pushing without using a named remote those arguments will be equal.
#
# Information about the commits which are being pushed is supplied as lines to
# the standard input in the form:
#
# <local ref> <local sha1> <remote ref> <remote sha1>
# This is the "empty hash" used by Git when pushing a branch deletion.
z40=0000000000000000000000000000000000000000
while read local_ref local_hash remote_ref remote_hash
do
# When deleting a remote branch, no commits are pushed to the remote, and
# thus there are no signatures to be verified.
if [ "$local_hash" != $z40 ]
then
# Only use the hook when pushing to the nonguix project on GitLab.
case "$2" in
*gitlab.com[:/]nonguix/*)
exec make authenticate
exit 127
;;
*)
exit 0
;;
esac
fi
done
exit 0
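Review bot: `$local_hash` read from stdin is only compared against `$z40` and never passed on, so `make authenticate` verifies whatever the working tree's HEAD is rather than the commit actually being pushed; pushing a branch other than the checked-out one, or pushing from a detached HEAD, would authenticate the wrong history. Consider forwarding the hash to the Makefile target (for example as a variable that becomes `--end` on the `guix git authenticate` line), or at least document the assumption that HEAD is the ref being pushed. Minor: the `exit 127` after `exec make authenticate` is unreachable, since `exec` either replaces the shell or makes a non-interactive shell exit when the command cannot be started, and because `exec` ends the `while read` loop on the first matching ref, only one of several pushed refs is ever considered.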