Enforce Signing Policy for Repo
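#!/usr/bin/python3
#
# For a given repo, checks that:
# - All commits are signed.
# - All signatures belong to a set of approved keys.
#
# Run from inside the repository. The process exits non-zero when `git log`
# fails, times out, or when any commit after LAST_GOOD_HASH violates the
# policy, so the script can be used as a CI gate.
import subprocess
import sys

# Commits newer than this one are checked (the range LAST_GOOD_HASH..HEAD).
# An abbreviated hash is used here; git reports an error if it ever becomes
# ambiguous, which the returncode check below turns into a failure.
LAST_GOOD_HASH = "b80220a"

# Signing keys, as reported by `git log --pretty=%GK`, allowed to sign commits.
# NOTE(review): %GK yields a key ID rather than a full fingerprint; git also
# offers %GF / %GP (key / primary-key fingerprint), which are a stronger
# identifier — switching would require re-populating this set.
APPROVED_KEYS = {
    "9448C1A58DFEE11A"
}

# Values of %G? that count as a good signature. Only "G" is accepted; "U"
# (good signature, key validity unknown), "X"/"Y" (expired signature/key),
# "R" (revoked key), "E" (cannot be verified), "B" (bad) and "N" (unsigned)
# are all rejected.
ACCEPTED_SIGNATURE_STATUS = {"G"}

# Unit-separator control character used between fields. Unlike "|" it does
# not occur in commit subjects or author names, so fields split reliably.
FIELD_SEP = "\x1f"

# Field order puts the free-text subject last so that a separator inside it
# cannot shift the machine-readable fields. "%x1f" is git's hex-byte escape.
LOG_FORMAT = "%x1f".join(["%h", "%G?", "%GK", "%aN", "%s"])


def parse_log_line(line):
    """Split one line produced by LOG_FORMAT into its five fields.

    Args:
        line: a single output line of `git log --pretty=LOG_FORMAT`.

    Returns:
        Tuple ``(commit, status, signing_key, author, subject)``.

    Raises:
        ValueError: if the line holds fewer than five fields.
    """
    # maxsplit=4: any extra separator is kept inside the subject, which is last.
    parts = line.split(FIELD_SEP, 4)
    if len(parts) != 5:
        raise ValueError(f"malformed git log line: {line!r}")
    return tuple(parts)


def check_commit(commit, status, signing_key, author, subject):
    """Return None when the commit satisfies the policy, else a message.

    A commit passes when its %G? status is in ACCEPTED_SIGNATURE_STATUS and
    the key that produced the signature is listed in APPROVED_KEYS.
    """
    if status not in ACCEPTED_SIGNATURE_STATUS:
        return f"Invalid signature or no signature: {commit} | {author} | {subject}"
    if signing_key not in APPROVED_KEYS:
        return (
            f"Valid signature, key not approved: "
            f"{commit} | {author} | {subject} | {signing_key}"
        )
    return None


def main():
    """Check every commit in LAST_GOOD_HASH..HEAD; exit 1 on any problem."""
    # Argument list, not a split string, so the format may contain spaces.
    git_command = [
        "git", "log", f"{LAST_GOOD_HASH}..HEAD", f"--pretty={LOG_FORMAT}",
    ]
    try:
        # run() kills the child itself when the timeout expires, and
        # TimeoutExpired is looked up on the module so the handler resolves.
        process = subprocess.run(
            git_command, text=True, capture_output=True, timeout=15,
        )
    except subprocess.TimeoutExpired:
        print("Error: git log timed out")
        sys.exit(1)
    # Any stderr output is treated as an error, as before; a non-zero exit
    # status (e.g. unknown LAST_GOOD_HASH) is also fatal.
    if process.returncode != 0 or process.stderr:
        print("Error:", process.stderr)
        sys.exit(1)

    violations = 0
    for line in process.stdout.split("\n"):
        if not line:
            continue
        problem = check_commit(*parse_log_line(line))
        if problem is not None:
            print(problem)
            violations += 1
    # Report all offending commits first, then fail so CI cannot pass.
    if violations:
        print(f"{violations} commit(s) violate the signing policy")
        sys.exit(1)


if __name__ == "__main__":
    main()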