Marco Falke's old key expired, causing a travis error while verifying
commits 36afd4db44 and before:
gpg: Good signature from "Marco Falke <marco.falke@tum.de>" [unknown]
gpg: aka "Marco Falke <falke.marco@gmail.com>" [unknown]
gpg: Note: This key has expired!
Primary key fingerprint: B8B3 F1C0 E58C 15DB 6A81 D30C 3648 A882 F431 6B9B
Subkey fingerprint: FE09 B823 E6D8 3A3B C798 3EAA 2D7F 2372 E50F E137
Update the trusted root commit to the commit after that, to fix
this issue.
(cherry picked from commit 7deba93bdc76616011a9f493cbc203d60084416f)
Specifically, require that the left branch (first restult of git
show -s --format=format:%P) is a signed merge commit, instead of
allowing either. This is fine for now, but might need to be relaxed
in the future.
Also fixes an out-of-file-descriptors issue by holding too many
open FDs writing to /dev/null
Now that the trusted root is past all commits signed by that key we don't need
it in the trusted-keys list, nor do we need to whitelist those commits in
allow-revsig-commits
Any attacker who managed to make an evil commit that changed something in the
contrib/verify-commits/ directory could just as easily remove the warning
and/or modify it to not display the evil commits; telling the user to check
those commits specifically misleads them into checking just those commits
rather than the script itself.
Wladimir J. van der Laan