Dev & users:

I would like your feedback.

I am working on a continuous integration (CI) system for CipherShed.org and we want to allow any fork to submit their patch to our CI server farm which will do integration testing.

We want it to be easy to submit code, but to not allow interference with other submitters' branches or fetching of other people's (any for bandwidth and simplicity) branches.

What would you change? Any bugs that you see?

-Jason (no cc please, I am on the list)

Here are the 2 configs.

$ cat config
[core]
        repositoryformatversion = 0
        filemode = true
        bare = true
[http]
        receivepack = true
        uploadpack = false
        getanyfile = false

$ cat hooks/update
#!/bin/bash
# (c) 2015 PD Inc. License found at http://www.apache.org/licenses/LICENSE-2.0 .

# --- Command line
refname="$1"
oldrev="$2"
newrev="$3"

# --- Safety check
if [ -z "$GIT_DIR" ]; then
        echo "Don't run this script from the command line." >&2
        echo " (if you want, you could supply GIT_DIR then run" >&2
        echo "  $0 <ref> <oldrev> <newrev>)" >&2
        exit 1
fi

if [ -z "$refname" -o -z "$oldrev" -o -z "$newrev" ]; then
        echo "usage: $0 <ref> <oldrev> <newrev>" >&2
        exit 1
fi

sigkey=$(\
        git cat-file $newrev -p |\
        sed -e '/^ /{H;$!d;}; x;/^gpgsig /!d; s/^gpgsig//;' |\
        cut -c 2- |\
        gpg --list-packets --textmode |\
        sed '/keyid/!d; s/.*keyid \([0-9A-F]\{16\}\).*/\1/I' \
)

if [ -z "$sigkey" ]; then
        echo no GPG signature on commit $newrev
        exit 1
fi

if ! gpg -k "$sigkey" 2> /dev/null > /dev/null; then
        # "$sigkey" not known
        RES="$(gpg --keyserver hkp://pgp.mit.edu --recv-keys "$sigkey" 2>&1)"
        if [ $? -ne 0 ]; then
                echo "$RES"
                exit 1
        fi
fi

sigstatus=$(git log $newrev --pretty=format:%G? -n 1)

case "$sigstatus" in
        G)
                #ok, trusted
                ;;
        U)
                #ok, untrusted
                ;;
        *)
                #not ok
                echo sigstatus: $sigstatus
                git log $newrev --pretty=format:%GG -n 1
                exit 1;
                ;;
esac

if [[ $refname != refs/heads/* ]]; then
        echo only heads may be pushed, illegal ref: $refname
        exit 1;
fi

head="${refname:11}"

shopt -s nocasematch
case "$head" in
        ${sigkey}-*)
                #ok
                ;;
        ${sigkey}/*)
                #ok
                ;;
        ${sigkey:(-8)}-*)
                #ok
                ;;
        ${sigkey:(-8)}/*)
                #ok
                ;;
        *)
                #not your branch
                echo "you (a.k.a. $sigkey) are not authorized to push to branch: $head"
                echo "try making a branch like: $sigkey-... or $sigkey/*"
                echo "you can use a less secure ${sigkey:(-8)} too"
                exit 1
                ;;
esac

exit 0

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.
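
The branch-ownership rule at the end of the hook above, as an added example that is not part of the original message: a POSIX sh function that isolates the rule so it can be tested without a repository, with a strict mode that accepts only the full 16-digit key ID. The function names, the strict mode and both key IDs are constructed for illustration; the demo shows that two different keys sharing their last 8 hex digits both pass the short-ID form the hook itself calls "less secure".

```shell
#!/bin/sh
# Added example: the hook's branch-ownership rule as a testable function.
# Function names, "strict" mode and key IDs are constructed, not from the post.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# branch_allowed KEYID REFNAME [strict]
# 0 = allowed, 1 = not this key's branch, 2 = KEYID is not 16 hex digits.
branch_allowed() {
    key=$(lower "$1"); ref=$2; mode=${3:-}
    # Validate the key ID before it is used to build a match pattern.
    case "$key" in
        ""|*[!0-9a-f]*) return 2 ;;
    esac
    if [ "${#key}" -ne 16 ]; then return 2; fi
    # Only heads may be pushed; fold case like the hook's nocasematch.
    case "$ref" in
        refs/heads/*) head=$(lower "${ref#refs/heads/}") ;;
        *) return 1 ;;
    esac
    # Full 64-bit key ID followed by "-" or "/".
    case "$head" in
        "$key"-*|"$key"/*) return 0 ;;
    esac
    if [ "$mode" = strict ]; then return 1; fi
    # Hook's fallback: last 8 hex digits (32 bits) of the key ID.
    short=${key#????????}
    case "$head" in
        "$short"-*|"$short"/*) return 0 ;;
    esac
    return 1
}

# Two constructed key IDs that differ but share their last 8 hex digits.
KEY_A=1111AAAA0BADC0DE
KEY_B=2222BBBB0BADC0DE
for k in "$KEY_A" "$KEY_B"; do
    for m in "" strict; do
        if branch_allowed "$k" refs/heads/0badc0de/fix $m; then r=allowed; else r=denied; fi
        echo "key=$k mode=${m:-default} branch=0badc0de/fix -> $r"
    done
done
```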