Created
August 4, 2016 14:40
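#!/bin/bash
#
# pre-receive hook: reject any push that introduces a commit without a
# GPG signature that verifies.
#
# Reads "<oldrev> <newrev> <refname>" lines from stdin (one per updated ref),
# collects the commits each update introduces and runs `git verify-commit`
# on every one of them. Exits 1 on the first commit whose signature does not
# verify, 0 when every new commit verified.

zero_commit="0000000000000000000000000000000000000000"

# GPG needs a writeable home directory; in the default hook environment
# /root/.gnupg is not writeable, so /tmp/ is used instead.
# NOTE(review): /tmp/ is writeable by every local user, so the keyring GPG
# consults here is not protected from other accounts on the host — a
# dedicated, hook-owned directory is preferable where the deployment allows.
export GNUPGHOME=/tmp/

# Do not traverse over commits that are already in the repository
# (e.g. in a different branch). This prevents spurious rejections if the hook
# was enabled after some unsigned commits were already accepted and somebody
# then creates a new branch on top of them. Set to the empty string to
# check every reachable commit instead.
excludeExisting="--not --all"

while read -r oldrev newrev refname; do
  # echo "payload"
  echo "$refname $oldrev $newrev"

  # A branch or tag being deleted introduces no commits; nothing to verify.
  if [ "$newrev" = "$zero_commit" ]; then
    continue
  fi

  # New branch or tag: every reachable commit not already in the repository
  # is new. Otherwise only the commits between the old and new tip are new.
  # $excludeExisting is intentionally unquoted: it holds several git options.
  # shellcheck disable=SC2086
  if [ "$oldrev" = "$zero_commit" ]; then
    span=$(git rev-list "$newrev" $excludeExisting)
  else
    span=$(git rev-list "$oldrev..$newrev" $excludeExisting)
  fi

  # $span is whitespace-separated hex hashes, so word-splitting is safe here.
  # shellcheck disable=SC2086
  for COMMIT in $span; do
    # Decide on the exit status of git verify-commit rather than on a text
    # match: gpg prints "Signature made ..." for BAD signatures and for
    # signatures by keys it does not know as well, so grepping for that line
    # accepts commits that did not actually verify. The captured output is
    # still echoed so the pusher sees which key (or which error) was involved.
    if signed=$(git verify-commit "$COMMIT" 2>&1); then
      echo "Commit $COMMIT was signed by a GPG key: $signed"
    else
      echo "Commit $COMMIT does not carry a valid GPG signature, rejecting push"
      echo "$signed"
      exit 1
    fi
  done
done
exit 0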
excludeExisting
really helps me, thank you for sharing this wonderful thing