qusal/scripts/commit-verify.sh

#!/bin/sh

## SPDX-FileCopyrightText: 2024 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
##
## SPDX-License-Identifier: AGPL-3.0-or-later

set -eu

key_dir="${KEY_DIR:-"salt/qubes-builder/files/client/qusal/keys"}"
key_suffix="${KEY_SUFFIX:-".asc"}"

usage(){
  printf '%s\n' "Usage: ${0##*/} [REV...]
Info:
  Default key directory (KEY_DIR): '${key_dir}'
  Default key suffix (KEY_SUFFIX): '${key_suffix}'
Example:
  ${0##*/}                           # HEAD
  ${0##*/} HEAD                      # HEAD
  ${0##*/} a                         # revision 'a'
  ${0##*/} \$(git rev-list HEAD~5..)  # 5 revs before and until HEAD
  ${0##*/} \$(git rev-list  a^..)     # from rev 'a' until HEAD
  ${0##*/} \$(git rev-list a^..b)     # from rev 'a' until revision 'b'
  ${0##*/} \$(git rev-list a..)       # from child of rev 'a' until HEAD
  ${0##*/} \$(git rev-list HEAD)      # all revs until HEAD
  KEY_DIR=/path KEY_SUFFIX=.gpg ${0##*/}  # custom key path and suffix"
}

case "${1-}" in
  -h|--?help) usage; exit 1;;
  *) ;;
esac

command -v git >/dev/null ||
  { printf '%s\n' "Missing program: git" >&2; exit 1; }
command -v gpg >/dev/null ||
  { printf '%s\n' "Missing program: gpg" >&2; exit 1; }
command -v gpgconf >/dev/null ||
  { printf '%s\n' "Missing program: gpgconf" >&2; exit 1; }
repo_toplevel="$(git rev-parse --show-toplevel)"
test -d "${repo_toplevel}" || exit 1
cd "${repo_toplevel}"
unset repo_toplevel

gpg_homedir="$(mktemp -d)"
trap 'rm -rf -- "${gpg_homedir}"' EXIT INT HUP QUIT ABRT
export GNUPGHOME="${gpg_homedir}"
otrust="${gpg_homedir}/otrust.txt"

gpg --import "${key_dir}"/*"${key_suffix}" >/dev/null 2>&1

gpg --with-colons --list-public-keys | awk -F ':' '{
  if (prev_line ~ /^pub$/ && $1 ~ /^fpr$/) {
      print $10 ":6:"
  }
  prev_line = $1
}' | tee -- "${otrust}" >/dev/null

gpg --import-ownertrust "${otrust}" >/dev/null 2>&1

fail="0"

for rev in "${@:-"HEAD"}"; do
  tag_success="0"
  rev="$(git rev-parse --verify "${rev}")"

  if git verify-commit -- "${rev}" >/dev/null 2>&1; then
    continue
  fi

  tag_list="$(git tag --points-at="${rev}")"
  if test -n "${tag_list}"; then
    for tag in ${tag_list}; do
      if git verify-tag -- "${tag}" >/dev/null 2>&1; then
        tag_success="1"
        continue
      fi
    done
  fi
  if test "${tag_success}" = "1"; then
    continue
  fi

  fail=1
  printf '%s\n' "error: no valid signature associated with rev: ${rev}" >&2
done

if test "${fail}" = "1"; then
  exit 1
fi
feat: verify commit signature before push Check commit signature and if it fails, check if any signed tags associated with commit exist from a keyring that can be found only locally. For: https://github.com/ben-grande/qusal/issues/105 2024-10-25 11:18:52 +02:00			`#!/bin/sh`

fix: remove workaround around split-gpg2 hang Fix: https://github.com/ben-grande/qusal/issues/110 2025-01-17 11:05:36 +01:00			`## SPDX-FileCopyrightText: 2024 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>`
feat: verify commit signature before push Check commit signature and if it fails, check if any signed tags associated with commit exist from a keyring that can be found only locally. For: https://github.com/ben-grande/qusal/issues/105 2024-10-25 11:18:52 +02:00			`##`
			`## SPDX-License-Identifier: AGPL-3.0-or-later`

			`set -eu`

			`key_dir="${KEY_DIR:-"salt/qubes-builder/files/client/qusal/keys"}"`
			`key_suffix="${KEY_SUFFIX:-".asc"}"`

			`usage(){`
			`printf '%s\n' "Usage: ${0##*/} [REV...]`
			`Info:`
			`Default key directory (KEY_DIR): '${key_dir}'`
			`Default key suffix (KEY_SUFFIX): '${key_suffix}'`
			`Example:`
			`${0##*/} # HEAD`
			`${0##*/} HEAD # HEAD`
			`${0##*/} a # revision 'a'`
			`${0##*/} \$(git rev-list HEAD~5..) # 5 revs before and until HEAD`
			`${0##*/} \$(git rev-list a^..) # from rev 'a' until HEAD`
			`${0##*/} \$(git rev-list a^..b) # from rev 'a' until revision 'b'`
			`${0##*/} \$(git rev-list a..) # from child of rev 'a' until HEAD`
			`${0##*/} \$(git rev-list HEAD) # all revs until HEAD`
			`KEY_DIR=/path KEY_SUFFIX=.gpg ${0##*/} # custom key path and suffix"`
			`}`

			`case "${1-}" in`
			`-h\|--?help) usage; exit 1;;`
			`*) ;;`
			`esac`

			`command -v git >/dev/null \|\|`
			`{ printf '%s\n' "Missing program: git" >&2; exit 1; }`
			`command -v gpg >/dev/null \|\|`
			`{ printf '%s\n' "Missing program: gpg" >&2; exit 1; }`
			`command -v gpgconf >/dev/null \|\|`
			`{ printf '%s\n' "Missing program: gpgconf" >&2; exit 1; }`
			`repo_toplevel="$(git rev-parse --show-toplevel)"`
			`test -d "${repo_toplevel}" \|\| exit 1`
			`cd "${repo_toplevel}"`
			`unset repo_toplevel`

			`gpg_homedir="$(mktemp -d)"`
			`trap 'rm -rf -- "${gpg_homedir}"' EXIT INT HUP QUIT ABRT`
			`export GNUPGHOME="${gpg_homedir}"`
			`otrust="${gpg_homedir}/otrust.txt"`

fix: remove workaround around split-gpg2 hang Fix: https://github.com/ben-grande/qusal/issues/110 2025-01-17 11:05:36 +01:00			`gpg --import "${key_dir}"/*"${key_suffix}" >/dev/null 2>&1`
feat: verify commit signature before push Check commit signature and if it fails, check if any signed tags associated with commit exist from a keyring that can be found only locally. For: https://github.com/ben-grande/qusal/issues/105 2024-10-25 11:18:52 +02:00
fix: remove workaround around split-gpg2 hang Fix: https://github.com/ben-grande/qusal/issues/110 2025-01-17 11:05:36 +01:00			`gpg --with-colons --list-public-keys \| awk -F ':' '{`
feat: verify commit signature before push Check commit signature and if it fails, check if any signed tags associated with commit exist from a keyring that can be found only locally. For: https://github.com/ben-grande/qusal/issues/105 2024-10-25 11:18:52 +02:00			`if (prev_line ~ /^pub$/ && $1 ~ /^fpr$/) {`
			`print $10 ":6:"`
			`}`
			`prev_line = $1`
			`}' \| tee -- "${otrust}" >/dev/null`

fix: remove workaround around split-gpg2 hang Fix: https://github.com/ben-grande/qusal/issues/110 2025-01-17 11:05:36 +01:00			`gpg --import-ownertrust "${otrust}" >/dev/null 2>&1`
feat: verify commit signature before push Check commit signature and if it fails, check if any signed tags associated with commit exist from a keyring that can be found only locally. For: https://github.com/ben-grande/qusal/issues/105 2024-10-25 11:18:52 +02:00
			`fail="0"`

			`for rev in "${@:-"HEAD"}"; do`
			`tag_success="0"`
			`rev="$(git rev-parse --verify "${rev}")"`

			`if git verify-commit -- "${rev}" >/dev/null 2>&1; then`
			`continue`
			`fi`

			`tag_list="$(git tag --points-at="${rev}")"`
			`if test -n "${tag_list}"; then`
			`for tag in ${tag_list}; do`
			`if git verify-tag -- "${tag}" >/dev/null 2>&1; then`
			`tag_success="1"`
			`continue`
			`fi`
			`done`
			`fi`
			`if test "${tag_success}" = "1"; then`
			`continue`
			`fi`

			`fail=1`
			`printf '%s\n' "error: no valid signature associated with rev: ${rev}" >&2`
			`done`

			`if test "${fail}" = "1"; then`
			`exit 1`
			`fi`