Improve commit verification

master
meskio 8 months ago
parent 2d9912b32e
commit 23a84eb221
Signed by: meskio
GPG Key ID: 52B8F5AC97A2DA86
  1. 5
      build_image.run
  2. 1
      playbook.yml
  3. 73
      verify_commits

@ -7,10 +7,7 @@ fi
cd {{ laminar_home }}/repos/${image}
git pull
git log --format=%H | while read commit
do
git verify-commit $commit || exit 1
done
verify_commits || exit 1
docker build . -t ${image}
docker tag ${image} {{ registry_domain }}/${image}
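Review bot: The new `verify_commits || exit 1` gate only protects the build if the `cd` and `git pull` above it succeeded, and neither is checked, so a failed `cd` would leave verify_commits and `docker build` running in whatever directory the job started in. Change them to `cd {{ laminar_home }}/repos/${image} || exit 1` and `git pull || exit 1` (or put `set -e` at the top of the script). verify_commits is also invoked by bare name, so the gate depends on the job's PATH; an absolute path to the installed script would be more robust. The start of this script is outside the hunk.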

@ -129,6 +129,7 @@
with_items:
- update_images
- check_updates
- verify_commits
- name: configure jobs
template:

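--- a/verify_commits
+++ b/verify_commits
@@ -0,0 +1,73 @@
+#!/bin/bash
+###############################################################################
+# Check that the signature of all commits for the last signed tag is valid,
+# with some exceptions.
+#
+# There are two cases we allow unsigned commits:
+# * a commit that is merged by a signed merge commit
+# * a merge commit that merges all signed commits
+#
+# Know issues:
+# * If a signed merge commit merges a list of commits that includes signed
+# and not signed commits the script will fail to detect it as valid.
+###############################################################################
+# Inspired from: https://github.com/rmandvikar/dotfiles/blob/next/bin/git-find-merge
+merge_commit() {
+commit=$1
+# 1st common commit from bottom of first-parent and ancestry-path
+grep -f \
+<(git rev-list --first-parent $commit..HEAD) \
+<(git rev-list --ancestry-path $commit..HEAD) \
+| tail -1
+}
+# For a merge commit we want to check if we have a line of commits with valid
+# signatures up to the merge commit.
+valid_commit() {
+git rev-list --first-parent $1..$2 | while read commit
+do
+git verify-commit $commit
+if [ $? -ne 0 ]
+then
+echo "Signature not valid: $commit"
+exit 1
+fi
+done
+}
+TAG=""
+for tag in `git tag --sort=-taggerdate`
+do
+if git verify-tag $tag
+then
+TAG=$tag
+break
+fi
+done
+RANGE="HEAD"
+if [ ! -z "$TAG" ]
+then
+RANGE="$TAG..HEAD"
+fi
+LAST_VALID="$TAG"
+git rev-list --reverse --no-merges $RANGE | while read commit
+do
+if git verify-commit $commit
+then
+LAST_VALID=$commit
+else
+if [ -z "$LAST_VALID" ]
+then
+echo "Signature not valid: $commit"
+exit 1
+fi
+MERGE_COMMIT=`merge_commit $commit`
+valid_commit $LAST_VALID $MERGE_COMMIT || exit 1
+fi
+done || exit 1
+echo "All signatures are valid"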
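Review bot: `git verify-commit $commit` (in valid_commit and in the main loop) succeeds for any good signature from any key present in the job's keyring, regardless of its trust, so this gate checks "signed by a key gpg knows" rather than "signed by an authorized committer", and the same applies to `git verify-tag`, which selects the trust anchor for the whole run. Tightening it needs either owner trust set on the CI keyring plus `git -c gpg.minTrustLevel=fully verify-commit "$commit"` (and the same option for verify-tag), or a post-check of the signing key against a per-deployment allowlist, e.g. `git verify-commit --raw "$commit" 2>&1 | grep -q "VALIDSIG <ALLOWED-KEY-FINGERPRINT>"` with the fingerprint(s) kept in a config file. Separately, the script sets no `set -eo pipefail`, every `$commit`/`$tag`/`$1`/`$2` expansion is unquoted, and merge_commit/`MERGE_COMMIT` use backticks; `"$commit"`, `$(...)` and a `set -euo pipefail` line would make it ShellCheck-clean without changing behaviour. The header comment's `Know issues:` should read `Known issues:`.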