On Fri, Jan 20, 2017 at 03:05:42PM +0100, Ludovic Courtès wrote:
> For the pre-push hook, the overhead seems reasonable (perhaps we could
> limit the range to commits after the first signed commit to avoid
> looping for no reason?) and an improvement.

Here is a patch for the hook that I've been using for the past couple of weeks.

For the common use case of pushing new commits to an existing branch, I
don't notice the hook at all, except when it catches my mistakes.
From 7d8206949f98a121bb2d50e0eecfcba1d9cce27a Mon Sep 17 00:00:00 2001
From: Leo Famulari <l...@famulari.name>
Date: Mon, 23 Jan 2017 00:57:46 -0500
Subject: [PATCH] etc: The pre-push hook says which commits failed the
 signature check.

* etc/git/pre-push: Check each commit's signature individually so that
we can report which commits fail the check.
---
 etc/git/pre-push | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/etc/git/pre-push b/etc/git/pre-push
index c894c5a9e..9206a2dfe 100755
--- a/etc/git/pre-push
+++ b/etc/git/pre-push
@@ -40,17 +40,29 @@ do
        else
                if [ "$remote_sha" = $z40 ]
                then
-                       # New branch, examine all commits
-                       range="$local_sha"
+                       # We are pushing a new branch. To prevent wasting too
+                       # much time for this relatively rare case, we examine
+                       # all commits since the first signed commit, rather than
+                       # the full history. This check *will* fail, and the user
+                       # will need to temporarily disable the hook to push the
+                       # new branch.
+                       
range="e3d0fcbf7e55e8cbe8d0a1c5a24d73f341d7243b..$local_sha"
                else
                        # Update to existing branch, examine new commits
                        range="$remote_sha..$local_sha"
                fi
 
                # Verify the signatures of all commits being pushed.
-               git verify-commit $(git rev-list $range) >/dev/null 2>&1
-
-               exit $?
+               ret=0
+               for commit in $(git rev-list $range)
+               do
+                       if ! git verify-commit $commit >/dev/null 2>&1
+                       then
+                               printf "%s failed signature check\n" $commit
+                               ret=1
+                       fi
+               done
+               exit $ret
        fi
 done
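Review bot: if `git rev-list $range` fails (for instance because the hard-coded commit e3d0fcbf7e55e8cbe8d0a1c5a24d73f341d7243b is not present in the local repository), the substitution in `for commit in $(git rev-list $range)` expands to nothing, the loop body never runs, and the hook exits with ret=0, so the push goes through without a single signature having been checked. Capture the list first and abort on error, e.g. `commits=$(git rev-list "$range") || exit 1`, then loop over `$commits`. Two smaller points in the same hunk: the new comment states the new-branch check "*will* fail", but with the range starting at the first signed commit it fails only if some later commit is unsigned, so either say that such commits exist in the history or drop that sentence; and `exit $ret` sits inside the `do ... done` loop over the refs being pushed (inherited from the old `exit $?`), so when several refs are pushed only the first one is verified; accumulating ret across iterations and exiting after `done` would cover them all. The failure message would also be better sent to stderr (`>&2`), where hook diagnostics are expected.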
 
-- 
2.11.0

Attachment: signature.asc
Description: PGP signature
