guix/etc/git/pre-push
Ludovic Courtès 73b3f941d7
maint: Suggest ‘guix git authenticate’ for initial authentication.
The previous recommendation, running ‘make authenticate’, was insecure
because it led users to run code from the very repository they want to
authenticate:

  https://lists.gnu.org/archive/html/guix-devel/2024-04/msg00252.html

* Makefile.am (commit_v1_0_0, channel_intro_commit)
(channel_intro_signer, GUIX_GIT_KEYRING, authenticate): Remove.
* Makefile.am (.git/hooks/%): New target, generalization of previous
‘.git/hooks/pre-push’ target.
(nodist_noinst_DATA): Add ‘.git/hooks/post-merge’.
* doc/contributing.texi (Building from Git): Suggest ‘guix git
authenticate’ instead of ‘make authenticate’.
* etc/git/post-merge: New file.
* etc/git/pre-push: Run ‘guix git authenticate’ instead of ‘make
authenticate’.

Reviewed-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Reported-by: Skyler Ferris <skyvine@protonmail.com>
Change-Id: Ia415aa8375013d0dd095e891116f6ce841d93efd
2024-05-25 16:23:56 +02:00

47 lines
1.3 KiB
Bash
Executable file

#!/bin/sh
# This hook script prevents the user from pushing to Savannah if any of the new
# commits' OpenPGP signatures cannot be verified, or if a commit is signed
# with an unauthorized key.
# Called by "git push" after it has checked the remote status, but before
# anything has been pushed. If this script exits with a non-zero status nothing
# will be pushed.
#
# This hook is called with the following parameters:
#
# $1 -- Name of the remote to which the push is being done
# $2 -- URL to which the push is being done
#
# If pushing without using a named remote those arguments will be equal.
#
# Information about the commits which are being pushed is supplied as lines to
# the standard input in the form:
#
# <local ref> <local sha1> <remote ref> <remote sha1>
# This is the "empty hash" used by Git when pushing a branch deletion.
z40=0000000000000000000000000000000000000000
while read local_ref local_hash remote_ref remote_hash
do
# When deleting a remote branch, no commits are pushed to the remote, and
# thus there are no signatures to be verified.
if [ "$local_hash" != $z40 ]
then
# Only use the hook when pushing to Savannah.
case "$2" in
*.gnu.org*)
set -e
make check-channel-news
exec guix git authenticate
exit 127
;;
*)
exit 0
;;
esac
fi
done
exit 0