From 3e900acafaa2d40218d8b6167f1a80affd84c8c4 Mon Sep 17 00:00:00 2001
From: Matt Corallo
Date: Tue, 31 Jan 2017 14:59:32 -0500
Subject: [PATCH 1/2] Require merge commits merge branches on top of other merge commits
Specifically, require that the left branch (first restult of git show -s --format=format:%P) is a signed merge commit, instead of allowing either. This is fine for now, but might need to be relaxed in the future. Also fixes an out-of-file-descriptors issue by holding too many open FDs writing to /dev/null
---
 contrib/verify-commits/verify-commits.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/contrib/verify-commits/verify-commits.sh b/contrib/verify-commits/verify-commits.sh
index cfe4f11a0..b2cebdf1a 100755
--- a/contrib/verify-commits/verify-commits.sh
+++ b/contrib/verify-commits/verify-commits.sh
@@ -28,9 +28,10 @@ IS_SIGNED () {
 local PARENTS
 PARENTS=$(git show -s --format=format:%P $1)
 for PARENT in $PARENTS; do
- if IS_SIGNED $PARENT > /dev/null; then
+ if IS_SIGNED $PARENT; then
 return 0;
 fi
+ break
 done
 if ! "$HAVE_FAILED"; then
 echo "No parent of $1 was signed with a trusted key!" > /dev/stderr
From ba94426d531d45643e37567412c3f9d97f71ae5f Mon Sep 17 00:00:00 2001
From: Matt Corallo
Date: Tue, 31 Jan 2017 15:32:23 -0500
Subject: [PATCH 2/2] Test that pushes to bitcoin/bitcoin are signed per verify-commits
---
 .travis.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.travis.yml b/.travis.yml
index 4087a854b..ccd249092 100644
--- a/.travis.yml
+++ b/.travis.yml
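Review bot: The message at the end of the verify-commits.sh hunk, `No parent of $1 was signed with a trusted key!`, no longer matches the logic, because the added `break` means only the first parent is ever checked; a commit whose second parent is signed would get a misleading diagnosis, so something like `echo "First parent of $1 was not signed with a trusted key!" > /dev/stderr` fits better. A `for` loop that always breaks after one pass hides that intent, and a comment above it such as `# Follow only the first (left) parent; merged branches are vouched for by the signed merge commit` would make the trust rule explicit. `$1` and `$PARENT` are expanded unquoted, which is harmless for hashes produced by git but worth quoting since `$1` comes from the caller. With `> /dev/null` removed, whatever the recursive `IS_SIGNED` call prints now reaches stdout, so confirm that callers do not parse that output. The body of `IS_SIGNED` starts and ends outside the hunk.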
@@ -51,6 +51,9 @@ before_script:
 - if [ -n "$OSX_SDK" -a -f depends/sdk-sources/MacOSX${OSX_SDK}.sdk.tar.gz ]; then tar -C depends/SDKs -xf depends/sdk-sources/MacOSX${OSX_SDK}.sdk.tar.gz; fi
 - make $MAKEJOBS -C depends HOST=$HOST $DEP_OPTS
 script:
+ - if [ "$RUN_TESTS" = "true" -a "$TRAVIS_REPO_SLUG" = "bitcoin/bitcoin" -a "$TRAVIS_PULL_REQUEST" = "false" ]; then while read LINE; do travis_retry gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys $LINE; done < contrib/verify-commits/trusted-keys; fi
+ - if [ "$RUN_TESTS" = "true" -a "$TRAVIS_REPO_SLUG" = "bitcoin/bitcoin" -a "$TRAVIS_PULL_REQUEST" = "false" ]; then git fetch --unshallow; fi
+ - if [ "$RUN_TESTS" = "true" -a "$TRAVIS_REPO_SLUG" = "bitcoin/bitcoin" -a "$TRAVIS_PULL_REQUEST" = "false" ]; then contrib/verify-commits/verify-commits.sh; fi
 - export TRAVIS_COMMIT_LOG=`git log --format=fuller -1`
 - if [ -n "$USE_SHELL" ]; then export CONFIG_SHELL="$USE_SHELL"; fi
 - OUTDIR=$BASE_OUTDIR/$TRAVIS_PULL_REQUEST/$TRAVIS_JOB_NUMBER-$HOST
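Review bot: The first added `script:` step imports the trusted keys from `hkp://pool.sks-keyservers.net`, an unauthenticated transport, so what lands in the keyring is only as strong as the identifiers in `contrib/verify-commits/trusted-keys`; that file is not shown here, and it should hold full fingerprints rather than short or long key IDs. Assuming one fingerprint per line, the loop is safer as `while read -r LINE; do travis_retry gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys "$LINE"; done < contrib/verify-commits/trusted-keys`. Both the key list and `verify-commits.sh` are read from the checkout being verified, so this job catches unsigned pushes but is not an independent trust anchor; a YAML comment above the three steps saying so would set expectations. The same three-clause `[ ... -a ... -a ... ]` condition is repeated on each step and could be evaluated once into a variable that the three steps test.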