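# Checks whether a range of commits is signed according to the requirements set
# forth in `keys`.
# Takes two arguments, checks range $1..$2. Both must be valid revisions.
#
# How it works: a throw-away keyring is seeded from keys/keys as of $1, which is
# taken as already trusted. Every first-parent commit in $1..$2 that touched
# keys/keys is then verified, oldest first, against the keyring as of the
# previous such commit, and the keyring is rebuilt from it on success. Finally
# the tip $2 is verified. Commits in the range that did not touch keys/keys are
# not verified individually — NOTE(review): presumably the tip signature over
# the object hash chain is meant to cover them; confirm this is the intended
# trust model.
# Globals:   GNUPGHOME - exported and pointed at the throw-away keyring for the
#            duration of the check, then restored to its previous state
# Arguments: $1 - start revision (exclusive; its keys/keys is trusted as-is)
#            $2 - end revision (inclusive)
# Outputs:   progress on stdout, failures on stderr
# Returns:   0 when $1 equals $2 or every checked commit verifies; 1 when a
#            commit fails to verify or the temporary keyring cannot be created
function check_range_signed() {
  local from="$1"
  local to="$2"
  local commit
  if [ "$from" = "$to" ]; then
    return 0
  fi
  # Remember whether the caller had a GNUPPHOME-style setting so it can be put
  # back afterwards instead of being left pointing at the deleted temporary
  # directory.
  local had_gnupghome=0
  local saved_gnupghome="${GNUPGHOME-}"
  if [ -n "${GNUPGHOME+set}" ]; then
    had_gnupghome=1
  fi
  # Assignment and export are separate so a failing mktemp is not masked.
  GNUPGHOME="$(mktemp -d "${TMPDIR:-/tmp}/check-range-signed.XXXXXXXX")" || return 1
  export GNUPGHOME
  rebuild_gpg_keyring_at "$GNUPGHOME" "$from"
  # The while loop is the last stage of a pipeline and therefore runs in a
  # subshell: 'return 1' inside it only ends that subshell, and the resulting
  # pipeline status triggers the '||' branch in this shell, which cleans up.
  git rev-list --first-parent "$from..$to" -- keys/keys | \
    tac | \
    while IFS= read -r commit; do
      echo " Commit '$commit' changed the keys directory, checking it..."
      if git verify-commit "$commit" > /dev/null 2>&1; then
        echo " OK"
      else
        echo " Unable to verify commit '$commit' which changed the keys directory!" >&2
        return 1
      fi
      rebuild_gpg_keyring_at "$GNUPGHOME" "$commit"
    done || {
      _check_range_signed_cleanup "$had_gnupghome" "$saved_gnupghome"
      return 1
    }
  # $commit only existed inside the subshell above, so name the tip explicitly
  # in the message.
  if ! git verify-commit "$to" > /dev/null 2>&1; then
    echo " Unable to verify tip commit '$to'!" >&2
    _check_range_signed_cleanup "$had_gnupghome" "$saved_gnupghome"
    return 1
  fi
  _check_range_signed_cleanup "$had_gnupghome" "$saved_gnupghome"
  return 0
}

# Removes the throw-away keyring created by check_range_signed and restores the
# caller's GNUPGHOME.
# Globals:   GNUPGHOME (read for the directory to delete, then restored/unset)
# Arguments: $1 - 1 if GNUPGHOME was set before the check, 0 otherwise
#            $2 - the previous GNUPGHOME value (ignored when $1 is 0)
function _check_range_signed_cleanup() {
  # :? aborts rather than expanding to an empty path if GNUPGHOME is unset.
  rm -Rf -- "${GNUPGHOME:?}"
  if [ "$1" = 1 ]; then
    export GNUPGHOME="$2"
  else
    unset GNUPGHOME
  fi
}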
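# Empties the keyring at $1 and imports into it every key listed in keys/keys
# as of commit $2.
# Arguments: $1 - GnuPG home directory to (re)populate; must already exist
#            $2 - revision whose keys/keys index and key files are imported
# Outputs:   whatever gpg2 --import prints (quiet mode)
# Returns:   the exit status of the gpg2 import
function rebuild_gpg_keyring_at() {
  local keyring="$1"
  local commit="$2"
  local key_name
  # Clear the previous contents so keys removed at $commit do not survive into
  # the rebuilt keyring. The glob has to stay outside the quotes (a quoted "*"
  # only tries to delete a file literally named '*'), and :? aborts instead of
  # expanding to "/*" when $keyring is empty.
  rm -rf -- "${keyring:?}"/*
  # keys/keys lists one key file name per line; the first two lines are
  # skipped (presumably a header — NOTE(review): confirm against the index
  # format). Names are read with read -r and passed to git verbatim rather than
  # re-parsed by xargs, so quotes or backslashes in a name are not interpreted.
  # The '|| [ -n ... ]' keeps a final line that lacks a trailing newline.
  git show "$commit:keys/keys" | tail -n +3 | \
    while IFS= read -r key_name || [ -n "$key_name" ]; do
      git show "$commit:keys/keys/$key_name"
    done | \
    gpg2 --homedir "$keyring" --import --quiet
}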