hooks--post-receive.sample: If a push cert is present, add it as a git note to the topmost commit of the updated ref.
Signed-off-by: Shikher Verma <r...@shikherverma.com> --- templates/hooks--post-receive.sample | 38 ++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100755 templates/hooks--post-receive.sample diff --git a/templates/hooks--post-receive.sample b/templates/hooks--post-receive.sample new file mode 100755 index 000000000..b4366e43f --- /dev/null +++ b/templates/hooks--post-receive.sample @@ -0,0 +1,38 @@ +#!/bin/sh +# +# An example hook script to store push certificates as notes. +# +# To enable this hook, rename this file to "post-receive". +# +# The stdin of the hook will be one line for each updated ref: +# <old-id> <new-id> <refname> +# +# For each updated ref this script will : +# 1. Verify that the ref update matches that in push certificate. +# 2. add the push cert as note (namespace pushcerts) to <new-id>. +# +# If this hook is enabled on the server then clients can prevent +# git metadata tampering, by using signed pushes and +# doing the following while fetching : +# 1. fetch the git notes (of namespace pushcerts) from server. +# $ git fetch origin refs/notes/pushcerts:refs/notes/pushcerts +# 2. Check that the fetched ref's top most commit has a note +# containing a push certificate. +# 3. Verify the validity of the push certificate in the note and +# check that the ref update matches that in push certificate. +# + +if test -z GIT_PUSH_CERT ; then + exit 0 +fi + +push_cert=$(git cat-file -p $GIT_PUSH_CERT) + +while read oval nval ref +do + # Verify that the ref update matches that in push certificate. + if [[ $push_cert == *$oval" "$nval" "$ref* ]]; then + # add the push cert as note (namespaced pushcerts) to nval. + git notes --ref=pushcerts add -m "$push_cert" $nval -f + fi +done -- 2.15.0
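Review bot: the guard `if test -z GIT_PUSH_CERT ; then` tests the literal string GIT_PUSH_CERT, which is never empty, so the early `exit 0` never fires and on an unsigned push the next line runs `git cat-file -p` with an empty argument and fails; it needs to be `if test -z "$GIT_PUSH_CERT"; then`. Two further points in the same loop body. First, `[[ $push_cert == *$oval" "$nval" "$ref* ]]` is a bash/ksh construct under a `#!/bin/sh` shebang and will be a syntax error on dash, and as a substring match it also accepts a cert line for any ref that merely starts with `$ref`; a POSIX exact-line match such as `printf '%s\n' "$push_cert" | grep -Fqx "$oval $nval $ref"` fixes both. Second, a ref deletion arrives with `$nval` set to the all-zero object name, and `git notes --ref=pushcerts add -m "$push_cert" $nval -f` then fails because there is no such object; skip those entries before calling `git notes`. Finally, the header comment says the hook verifies that "the ref update matches that in push certificate" but nothing inspects GIT_PUSH_CERT_STATUS, so a cert whose signature did not verify is recorded just like a good one; either check the status before storing or state in the comment that signature verification is deliberately left to the client, as the "doing the following while fetching" section implies.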