
@emberian
Created October 22, 2016 02:32
#!/usr/bin/env python
import pexpect
import sys
import os
import itertools
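# Usage: <script> <rev-or-range> <mailmap>
#
# Walks every commit listed by `git rev-list --full-history <rev-or-range>`
# and exits non-zero unless each one carries a GnuPG signature made by a key
# listed in <mailmap>.
#
# Exit status: 0 every commit verified, 1 a commit has no valid signature,
# 2 a commit is signed with a key missing from the mailmap, 3 rev-list failed.
#
# Trust anchors: the mailmap and the .signing-exceptions file are read from
# the working tree and decide what is accepted, so changes to either of them
# have to be reviewed by a human -- this script cannot vouch for them.

GPG_STATUS_PREFIX = '[GNUPG:] '


def to_text(data):
    """Return *data* as text; pexpect hands back bytes on Python 3."""
    if isinstance(data, str):
        return data
    return data.decode('utf-8', 'replace')


def run_git(command):
    """Run *command* through pexpect and return ``(output, exit_status)``.

    pexpect tokenises the command line itself; no shell is involved.  The
    timeout is disabled because pexpect.run otherwise stops waiting after its
    default timeout and returns whatever it has read so far, which for
    rev-list would silently leave the remaining commits unchecked.
    """
    output, status = pexpect.run(command, timeout=None, withexitstatus=True)
    return to_text(output), status


def parse_trusted_keys(lines):
    """Collect the key ids written after ' # ' on mailmap lines.

    vague approximation of correct. solution: review changes to mailmap
    """
    keys = set()
    for line in lines:
        if ' # ' in line:
            # split() without arguments drops empty tokens, so a doubled
            # space can never put '' into the trusted set.
            keys.update(line.split(' # ')[-1].split())
    return keys


def parse_exceptions(lines):
    """Return the commit ids listed in a .signing-exceptions file.

    Blank lines and lines starting with '#' are skipped.
    """
    entries = set()
    for line in lines:
        entry = line.strip()
        if entry and not entry.startswith('#'):
            entries.add(entry)
    return entries


def validsig_fingerprints(status_output):
    """Return the last field of every genuine VALIDSIG status line.

    Only lines that *start* with '[GNUPG:] VALIDSIG ' count.  A substring
    test would also match other status lines (GOODSIG, BADSIG, ...) whose
    free-text user id happens to contain the word, and the key id would then
    be taken from text chosen by whoever created that key.
    """
    marker = GPG_STATUS_PREFIX + 'VALIDSIG '
    return [line.split()[-1]
            for line in status_output.splitlines()
            if line.startswith(marker)]


def main(argv):
    """Verify every commit selected by argv[1] against the keys in argv[2]."""
    which = argv[1]
    mailmap = argv[2]

    with open(mailmap) as handle:
        valid_keys = parse_trusted_keys(handle)

    listing, status = run_git('git rev-list --full-history ' + which)
    if status != 0:
        # Without this check git's error text would be treated as commit ids.
        print("ERROR: git rev-list failed for {}: {}".format(which, listing.strip()))
        sys.exit(3)

    # Eventually this should be split out into a library, with a way of
    # verifying only commits up to some particular landmark (probably 'most
    # recent signed tag')
    toplevel, _ = run_git('git rev-parse --show-toplevel')
    try:
        with open(os.path.join(toplevel.strip(), '.signing-exceptions')) as handle:
            ignored_commits = parse_exceptions(handle)
    except (IOError, OSError):
        # fail safe, usual error is no .signing-exceptions: with an empty
        # exception list every commit has to pass verification.
        ignored_commits = set()

    for commit in listing.split():
        if commit in ignored_commits:
            continue
        gpgdump, _ = run_git('git verify-commit --raw ' + commit)
        sigs = validsig_fingerprints(gpgdump)
        if not sigs:
            print("ERROR: no valid signature for commit {}".format(commit))
            sys.exit(1)
        elif len(sigs) > 1:
            print("More than one valid signature?")
        # NOTE(review): VALIDSIG says the signature is cryptographically
        # sound; GnuPG may report it next to EXPKEYSIG/REVKEYSIG as well, so
        # expiry and revocation are not checked here.  The exit status of
        # `git verify-commit` would be the stricter test -- confirm which
        # policy is wanted before relying on this for revoked keys.
        keyid = sigs[0]
        if keyid not in valid_keys:
            print("ERROR: commit {} signed with unrecognized key {}".format(commit, keyid))
            sys.exit(2)
        sys.stdout.write('.')
        sys.stdout.flush()
    print(" All good")


if __name__ == '__main__':
    main(sys.argv)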