Created
April 8, 2019 00:33
--- /var/lib/gitolite/local/hooks/repo-specific/require-signed-push.old 2019-04-07 23:40:45.055782255 +0000 | |
+++ /var/lib/gitolite/local/hooks/repo-specific/require-signed-push 2019-04-07 23:46:11.399007310 +0000 | |
@@ -1,7 +1,7 @@ | |
#!/bin/bash | |
VERIFY_SIGS=$(git config --get gentoo.verify-signatures) | |
-: ${VERIFY_SIGS:=gentoo-devs} | |
+: "${VERIFY_SIGS:=gentoo-devs}" | |
# ---------------------------------------------------------------------- | |
# standard stuff | |
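Review bot: `git config --get` on the line above the changed `:` line exits 1 when `gentoo.verify-signatures` is not set, and the assignment form discards that status; that is harmless because the next line supplies the `gentoo-devs` default, but it would abort the hook before the default is reached if the script runs under `set -e`, which I cannot see from this hunk (the file's `set` options, if any, are outside it). If `-e` is in effect, `VERIFY_SIGS=$(git config --get gentoo.verify-signatures || true)` keeps the fallback reachable. A one-line comment above the lookup naming what the setting selects, e.g. `# gentoo.verify-signatures: which key set a push must be signed with (default: gentoo-devs)`, would also help the next reader, since the accepted values are not visible here.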
@@ -12,7 +12,10 @@ | |
warn "$@" | |
warn "Your push was not signed with a known key." | |
warn "You MUST use git push --signed with a known key." | |
- warn "If you just updated your key, please wait 15 minutes for sync." | |
+ warn "Known keys are the subkeys of all primary keys in LDAP." | |
+ warn "If you add a new (primary) key to LDAP, please ask Infra to sync gitolite." | |
+ warn "If you modified your key and uploaded to keyservers, please wait 4 hours for sync (SKS pool is slow, keys.gentoo.org pool is faster)" | |
+ warn "If you haven't done either of these things, please see https://wiki.gentoo.org/wiki/Project:Gentoo-keys/Generating_GLEP_63_based_OpenPGP_keys#Next_steps" | |
warn "git-receive-pack variables:" | |
for var in \ | |
GIT_PUSH_CERT \ | |
@@ -28,7 +31,7 @@ | |
if [ -n "${GIT_PUSH_CERT}" ]; then | |
warn "A push-cert was found, and follows:" | |
warn "=====" | |
- git --no-pager show $GIT_PUSH_CERT | |
+ git --no-pager show "$GIT_PUSH_CERT" | |
warn "=====" | |
fi | |
exit 1 | |
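Review bot: The quoted `git --no-pager show "$GIT_PUSH_CERT"` writes the certificate to stdout while the `warn "====="` lines around it go wherever `warn` writes (its definition is outside this hunk; if it writes to stderr, as the name suggests, the fences and the certificate body travel on different streams and can arrive at the client out of order or get lost when only one stream is forwarded). Keeping them on the same stream makes the diagnostic readable as a unit: `git --no-pager show "$GIT_PUSH_CERT" >&2`. The enclosing function begins before this hunk.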
@@ -51,7 +54,7 @@ | |
} | |
verify_committer_clock() { | |
- RAW_CERT="$(git show --format='pushtime %ct%nct %ct%nat %at%n%B' $GIT_PUSH_CERT)" | |
+ RAW_CERT="$(git show --format='pushtime %ct%nct %ct%nat %at%n%B' "$GIT_PUSH_CERT")" | |
# Example inputs | |
# Good clock (58 seconds delay on PIN entry to smartcard): | |
# ------- | |
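Review bot: Quoting `"$GIT_PUSH_CERT"` changes what happens when the variable is empty: the unquoted form passed no argument and `git show` silently printed HEAD, the quoted form passes an empty argument and git fails, and the `RAW_CERT=$(...)` assignment swallows that failure so the function continues with an empty `RAW_CERT`. The quoted behaviour is the right one, but the failure should stop the check rather than fall through to whatever the parsing below (outside this hunk) does with an empty string: `RAW_CERT="$(git show --format='pushtime %ct%nct %ct%nat %at%n%B' "$GIT_PUSH_CERT")" || fail_signed_push "Unable to read push certificate"`. `verify_committer_clock` continues past the end of this hunk.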
@@ -87,12 +90,12 @@ | |
T0="$SERVER_NONCE_TIME" | |
T1="$PUSHER_SIGN_TIME" | |
T2="$SERVER_PUSH_TIME" | |
- DELTA_T1_T0=$(( $T1 - $T0 )) | |
- DELTA_T2_T0=$(( $T2 - $T0 )) | |
- DELTA_T2_T1=$(( $T2 - $T1 )) | |
- [[ $DELTA_T1_T0 -lt 0 ]] && DELTA_T1_T0=$(( $DELTA_T1_T0 * -1 )) | |
- [[ $DELTA_T2_T0 -lt 0 ]] && DELTA_T2_T0=$(( $DELTA_T2_T0 * -1 )) | |
- [[ $DELTA_T2_T1 -lt 0 ]] && DELTA_T2_T1=$(( $DELTA_T2_T1 * -1 )) | |
+ DELTA_T1_T0=$(( T1 - T0 )) | |
+ DELTA_T2_T0=$(( T2 - T0 )) | |
+ DELTA_T2_T1=$(( T2 - T1 )) | |
+ [[ $DELTA_T1_T0 -lt 0 ]] && DELTA_T1_T0=$(( DELTA_T1_T0 * -1 )) | |
+ [[ $DELTA_T2_T0 -lt 0 ]] && DELTA_T2_T0=$(( DELTA_T2_T0 * -1 )) | |
+ [[ $DELTA_T2_T1 -lt 0 ]] && DELTA_T2_T1=$(( DELTA_T2_T1 * -1 )) | |
CLOCK_DRIFT_LIMIT=5 | |
PUSH_LIMIT=60 | |
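Review bot: The rewritten `$(( T1 - T0 ))` lines evaluate the variables' contents as arithmetic expressions, and bash treats a non-numeric value there as a further expression to evaluate rather than as an error, so `T0`, `T1` and `T2` should be checked to be plain digit strings before this block; the derivation of `SERVER_NONCE_TIME`, `PUSHER_SIGN_TIME` and `SERVER_PUSH_TIME` is outside the hunk, and if `PUSHER_SIGN_TIME` comes from the certificate text, as the name suggests, it is data supplied by the pusher. A guard placed right after the three assignments covers all six lines: `for t in "$T0" "$T1" "$T2"; do` / `  [[ "$t" =~ ^[0-9]+$ ]] || fail_signed_push "Malformed timestamp in push certificate"` / `done`. The three `[[ ... -lt 0 ]] && ... * -1` lines can also be written as `DELTA_T1_T0=${DELTA_T1_T0#-}` (and likewise for the other two), which takes the absolute value without a second arithmetic evaluation and does not return a non-zero status when the delta is already non-negative. The enclosing `verify_committer_clock` starts before this hunk.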
@@ -123,7 +126,7 @@ | |
gpgfingerprint -o ldif-wrap=no | \ | |
sed -n -e '/^gpgfingerprint: /{s/^.*://;s/ //g;p}') ) | |
# match signing key to the primary key | |
- PRIMARY_KEY=$(gpg --batch --with-colons --fingerprint ${GIT_PUSH_CERT_KEY} \ | |
+ PRIMARY_KEY=$(gpg --batch --with-colons --fingerprint "${GIT_PUSH_CERT_KEY}" \ | |
| sed -n -e '/^pub/{n;/^fpr/p}' | cut -d: -f10) | |
if [[ -z ${PRIMARY_KEY} ]]; then | |
fail_signed_push "Unable to identify primary key used for push" |
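Review bot: The `-z` test after the quoted `gpg --fingerprint "${GIT_PUSH_CERT_KEY}"` lookup only catches the empty result; if the keyring holds more than one key matching that id, the `sed`/`cut` pipeline yields several fingerprints separated by newlines, `PRIMARY_KEY` is non-empty, and whatever consumes it below (outside this hunk) sees a multi-line value. Requiring exactly one fingerprint makes the check fail closed in that case: `[[ "$PRIMARY_KEY" =~ ^[0-9A-F]{40}$ ]] || fail_signed_push "Unable to identify a single primary key used for push"` (the 40-hex form assumes v4 keys in the keyring; if that is not guaranteed, `[[ "$PRIMARY_KEY" != *$'\n'* ]]` is the weaker single-line test). The `sed -n -e '/^pub/{n;/^fpr/p}'` also assumes the `fpr` record immediately follows the `pub` record in `--with-colons` output; a short comment stating that assumption would help whoever next upgrades gpg on the host.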