@robbat2
Created April 8, 2019 00:33
--- /var/lib/gitolite/local/hooks/repo-specific/require-signed-push.old 2019-04-07 23:40:45.055782255 +0000
+++ /var/lib/gitolite/local/hooks/repo-specific/require-signed-push 2019-04-07 23:46:11.399007310 +0000
@@ -1,7 +1,7 @@
#!/bin/bash
VERIFY_SIGS=$(git config --get gentoo.verify-signatures)
-: ${VERIFY_SIGS:=gentoo-devs}
+: "${VERIFY_SIGS:=gentoo-devs}"
# ----------------------------------------------------------------------
# standard stuff
@@ -12,7 +12,10 @@
warn "$@"
warn "Your push was not signed with a known key."
warn "You MUST use git push --signed with a known key."
- warn "If you just updated your key, please wait 15 minutes for sync."
+ warn "Known keys are the subkeys of all primary keys in LDAP."
+ warn "If you add a new (primary) key to LDAP, please ask Infra to sync gitolite."
+ warn "If you modified your key and uploaded to keyservers, please wait 4 hours for sync (SKS pool is slow, keys.gentoo.org pool is faster)"
+ warn "If you haven't done either of these things, please see https://wiki.gentoo.org/wiki/Project:Gentoo-keys/Generating_GLEP_63_based_OpenPGP_keys#Next_steps"
warn "git-receive-pack variables:"
for var in \
GIT_PUSH_CERT \
@@ -28,7 +31,7 @@
if [ -n "${GIT_PUSH_CERT}" ]; then
warn "A push-cert was found, and follows:"
warn "====="
- git --no-pager show $GIT_PUSH_CERT
+ git --no-pager show "$GIT_PUSH_CERT"
warn "====="
fi
exit 1
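Review bot: The quoted `git --no-pager show "$GIT_PUSH_CERT"` still writes the certificate to stdout, while the surrounding `warn` calls presumably write to stderr (warn's definition is outside the hunk), so the `=====` delimiters and the cert body go to different streams and are not guaranteed to arrive in order on the pusher's side. If the framing matters, redirect the git output to the same stream: `git --no-pager show "$GIT_PUSH_CERT" >&2`. The enclosing function begins before the hunk.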
@@ -51,7 +54,7 @@
}
verify_committer_clock() {
- RAW_CERT="$(git show --format='pushtime %ct%nct %ct%nat %at%n%B' $GIT_PUSH_CERT)"
+ RAW_CERT="$(git show --format='pushtime %ct%nct %ct%nat %at%n%B' "$GIT_PUSH_CERT")"
# Example inputs
# Good clock (58 seconds delay on PIN entry to smartcard):
# -------
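Review bot: Quoting `"$GIT_PUSH_CERT"` turns the empty-variable case from a silent `git show` of HEAD into a git error, which is better, but the hook still has no explicit check that a certificate exists before reading it and does not check the command's status, so RAW_CERT can end up empty with no clear diagnostic; what happens after the assignment is outside the hunk. Unless the call site already guarantees the variable is set (it is not visible here), add `[[ -n $GIT_PUSH_CERT ]] || fail_signed_push "No push certificate present"` before the `git show`, and fail on a read error with `RAW_CERT=$(git show --format='pushtime %ct%nct %ct%nat %at%n%B' "$GIT_PUSH_CERT") || fail_signed_push "Unable to read push certificate"`. verify_committer_clock's body continues past the end of the hunk.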
@@ -87,12 +90,12 @@
T0="$SERVER_NONCE_TIME"
T1="$PUSHER_SIGN_TIME"
T2="$SERVER_PUSH_TIME"
- DELTA_T1_T0=$(( $T1 - $T0 ))
- DELTA_T2_T0=$(( $T2 - $T0 ))
- DELTA_T2_T1=$(( $T2 - $T1 ))
- [[ $DELTA_T1_T0 -lt 0 ]] && DELTA_T1_T0=$(( $DELTA_T1_T0 * -1 ))
- [[ $DELTA_T2_T0 -lt 0 ]] && DELTA_T2_T0=$(( $DELTA_T2_T0 * -1 ))
- [[ $DELTA_T2_T1 -lt 0 ]] && DELTA_T2_T1=$(( $DELTA_T2_T1 * -1 ))
+ DELTA_T1_T0=$(( T1 - T0 ))
+ DELTA_T2_T0=$(( T2 - T0 ))
+ DELTA_T2_T1=$(( T2 - T1 ))
+ [[ $DELTA_T1_T0 -lt 0 ]] && DELTA_T1_T0=$(( DELTA_T1_T0 * -1 ))
+ [[ $DELTA_T2_T0 -lt 0 ]] && DELTA_T2_T0=$(( DELTA_T2_T0 * -1 ))
+ [[ $DELTA_T2_T1 -lt 0 ]] && DELTA_T2_T1=$(( DELTA_T2_T1 * -1 ))
CLOCK_DRIFT_LIMIT=5
PUSH_LIMIT=60
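Review bot: The three `$(( T1 - T0 ))`-style expansions at the top of the hunk feed T0, T1 and T2 straight into shell arithmetic, where an empty value is treated as 0 and any non-numeric content is evaluated as an expression rather than rejected, so a certificate whose timestamp could not be parsed would pass through the drift check with a bogus delta instead of failing closed. Guard the inputs before computing the deltas, e.g. `[[ $T0 =~ ^[0-9]+$ && $T1 =~ ^[0-9]+$ && $T2 =~ ^[0-9]+$ ]] || fail_signed_push "Unparseable timestamp in push certificate"`; where SERVER_NONCE_TIME, PUSHER_SIGN_TIME and SERVER_PUSH_TIME are derived is outside the hunk, so the check is cheap insurance either way. As a style point, the three sign-flip lines can be dropped by taking the absolute value with parameter expansion, `DELTA_T1_T0=${DELTA_T1_T0#-}`, which also avoids the `&&` pattern whose status leaks into `$?`. verify_committer_clock starts and ends outside the hunk.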
@@ -123,7 +126,7 @@
gpgfingerprint -o ldif-wrap=no | \
sed -n -e '/^gpgfingerprint: /{s/^.*://;s/ //g;p}') )
# match signing key to the primary key
- PRIMARY_KEY=$(gpg --batch --with-colons --fingerprint ${GIT_PUSH_CERT_KEY} \
+ PRIMARY_KEY=$(gpg --batch --with-colons --fingerprint "${GIT_PUSH_CERT_KEY}" \
| sed -n -e '/^pub/{n;/^fpr/p}' | cut -d: -f10)
if [[ -z ${PRIMARY_KEY} ]]; then
fail_signed_push "Unable to identify primary key used for push"
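Review bot: PRIMARY_KEY is only tested for being non-empty, yet the pipeline on the `+` line can yield more than one value: gpg matches `${GIT_PUSH_CERT_KEY}` against every key in the keyring with that identifier, and the sed prints an `fpr` line after each `pub` it finds, so when the identifier is not unique the variable holds several newline-separated fingerprints and the `-z` test still passes. Replace the emptiness check with a shape check so an ambiguous or malformed result fails closed: `[[ $PRIMARY_KEY =~ ^[0-9A-F]{40}$ ]] || fail_signed_push "Unable to identify a unique primary key used for push"` (40 hex digits for v4 keys, the form gpg prints in the colon `fpr` field). Whether GIT_PUSH_CERT_KEY is a short, long or full identifier is not visible here; the check works for all three. The enclosing function starts and ends outside the hunk.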