Browse Source

Add script to verify all merge commits are signed

0.13
Matt Corallo 10 years ago
parent
commit
adaa568722
  1. 3
      contrib/README.md
  2. 15
      contrib/verify-commits/gpg.sh
  3. 16
      contrib/verify-commits/pre-push-hook.sh
  4. 1
      contrib/verify-commits/trusted-git-root
  5. 5
      contrib/verify-commits/trusted-keys
  6. 51
      contrib/verify-commits/verify-commits.sh

3
contrib/README.md

@ -16,6 +16,9 @@ Repository Tools
Specific tools for developers working on this repository. Specific tools for developers working on this repository.
Contains the script `github-merge.sh` for merging github pull requests securely and signing them using GPG. Contains the script `github-merge.sh` for merging github pull requests securely and signing them using GPG.
### [Verify-Commits](/contrib/verify-commits) ###
Tool to verify that every merge commit was signed by a developer using the above `github-merge.sh` script.
### [Linearize](/contrib/linearize) ### ### [Linearize](/contrib/linearize) ###
Construct a linear, no-fork, best version of the blockchain. Construct a linear, no-fork, best version of the blockchain.

15
contrib/verify-commits/gpg.sh

@ -0,0 +1,15 @@
#!/bin/sh
INPUT=$(</dev/stdin)
VALID=false
IFS=$'\n'
for LINE in $(echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null); do
case "$LINE" in "[GNUPG:] VALIDSIG"*)
while read KEY; do
case "$LINE" in "[GNUPG:] VALIDSIG $KEY "*) VALID=true;; esac
done < ./contrib/verify-commits/trusted-keys
esac
done
if ! $VALID; then
exit 1
fi
echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null

16
contrib/verify-commits/pre-push-hook.sh

@ -0,0 +1,16 @@
#!/bin/bash
if ! [[ "$2" =~ [git@]?[www.]?github.com[:|/]bitcoin/bitcoin[.git]? ]]; then
exit 0
fi
while read LINE; do
set -- A $LINE
if [ "$4" != "refs/heads/master" ]; then
continue
fi
if ! ./contrib/verify-commits/verify-commits.sh $3 > /dev/null 2>&1; then
echo "ERROR: A commit is not signed, can't push"
./contrib/verify-commits/verify-commits.sh
exit 1
fi
done < /dev/stdin

1
contrib/verify-commits/trusted-git-root

@ -0,0 +1 @@
053038e5ba116cb319fb85f3cb3e062cf1b3df15

5
contrib/verify-commits/trusted-keys

@ -0,0 +1,5 @@
71A3B16735405025D447E8F274810B012346C9A6
1F4410F6A89268CE3197A84C57896D2FF8F0B657
01CDF4627A3B88AAE4A571C87588242FBE38D3A8
AF8BE07C7049F3A26B239D5325B3083201782B2F
81291FA67D2C379A006A053FEAB5AF94D9E9ABE7

51
contrib/verify-commits/verify-commits.sh

@ -0,0 +1,51 @@
#!/bin/sh
DIR=$(dirname "$0")
echo "Please verify all commits in the following list are not evil:"
git log "$DIR"
VERIFIED_ROOT=$(cat "${DIR}/trusted-git-root")
HAVE_FAILED=false
IS_SIGNED () {
if [ $1 = $VERIFIED_ROOT ]; then
return 0;
fi
if ! git -c "gpg.program=${DIR}/gpg.sh" verify-commit $1 > /dev/null 2>&1; then
return 1;
fi
local PARENTS=$(git show -s --format=format:%P $1)
for PARENT in $PARENTS; do
if IS_SIGNED $PARENT > /dev/null; then
return 0;
fi
done
if ! "$HAVE_FAILED"; then
echo "No parent of $1 was signed with a trusted key!" > /dev/stderr
echo "Parents are:" > /dev/stderr
for PARENT in $PARENTS; do
git show -s $PARENT > /dev/stderr
done
HAVE_FAILED=true
fi
return 1;
}
if [ x"$1" = "x" ]; then
TEST_COMMIT="HEAD"
else
TEST_COMMIT="$1"
fi
IS_SIGNED "$TEST_COMMIT"
RES=$?
if [ "$RES" = 1 ]; then
if ! "$HAVE_FAILED"; then
echo "$TEST_COMMIT was not signed with a trusted key!"
fi
else
echo "There is a valid path from $TEST_COMMIT to $VERIFIED_ROOT where all commits are signed!"
fi
exit $RES
Loading…
Cancel
Save