Merge pull request #6875

6e800c2 Add Pieter's new PGP key to verify-commits/trusted-keys (Matt Corallo)
1d94b72 Whitelist commits signed with Pieter's now-revoked key (Matt Corallo)
27252b7 Fix pre-push-hook regexes (Matt Corallo)
This commit is contained in:
Pieter Wuille 2015-10-28 02:19:42 +01:00
commit 93521a4f56
No known key found for this signature in database
GPG Key ID: DBA1A67379A1A931
5 changed files with 36 additions and 3 deletions

View File

@ -0,0 +1,2 @@
586a29253dabec3ca0f1ccba9091daabd16b8411
eddaba7b5692288087a926da5733e86b47274e4e

View File

@ -1,15 +1,33 @@
#!/bin/sh #!/bin/sh
INPUT=$(</dev/stdin) INPUT=$(</dev/stdin)
VALID=false VALID=false
REVSIG=false
IFS=$'\n' IFS=$'\n'
for LINE in $(echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null); do for LINE in $(echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null); do
case "$LINE" in "[GNUPG:] VALIDSIG"*) case "$LINE" in
"[GNUPG:] VALIDSIG "*)
while read KEY; do while read KEY; do
case "$LINE" in "[GNUPG:] VALIDSIG $KEY "*) VALID=true;; esac case "$LINE" in "[GNUPG:] VALIDSIG $KEY "*) VALID=true;; esac
done < ./contrib/verify-commits/trusted-keys done < ./contrib/verify-commits/trusted-keys
;;
"[GNUPG:] REVKEYSIG "*)
[ "$BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG" != 1 ] && exit 1
while read KEY; do
case "$LINE" in "[GNUPG:] REVKEYSIG ${KEY:24:40} "*)
REVSIG=true
GOODREVSIG="[GNUPG:] GOODSIG ${KEY:24:40} "
;;
esac
done < ./contrib/verify-commits/trusted-keys
;;
esac esac
done done
if ! $VALID; then if ! $VALID; then
exit 1 exit 1
fi fi
if $VALID && $REVSIG; then
echo "$INPUT" | gpg --trust-model always "$@" | grep "\[GNUPG:\] \(NEWSIG\|SIG_ID\|VALIDSIG\)" 2>/dev/null
echo "$GOODREVSIG"
else
echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null
fi

View File

@ -1,5 +1,5 @@
#!/bin/bash #!/bin/bash
if ! [[ "$2" =~ [git@]?[www.]?github.com[:|/]bitcoin/bitcoin[.git]? ]]; then if ! [[ "$2" =~ ^(git@)?(www.)?github.com(:|/)bitcoin/bitcoin(.git)?$ ]]; then
exit 0 exit 0
fi fi

View File

@ -3,3 +3,4 @@
01CDF4627A3B88AAE4A571C87588242FBE38D3A8 01CDF4627A3B88AAE4A571C87588242FBE38D3A8
AF8BE07C7049F3A26B239D5325B3083201782B2F AF8BE07C7049F3A26B239D5325B3083201782B2F
81291FA67D2C379A006A053FEAB5AF94D9E9ABE7 81291FA67D2C379A006A053FEAB5AF94D9E9ABE7
133EAC179436F14A5CF1B794860FEB804E669320

View File

@ -7,11 +7,23 @@ git log "$DIR"
VERIFIED_ROOT=$(cat "${DIR}/trusted-git-root") VERIFIED_ROOT=$(cat "${DIR}/trusted-git-root")
IS_REVSIG_ALLOWED () {
while read LINE; do
[ "$LINE" = "$1" ] && return 0
done < "${DIR}/allow-revsig-commits"
return 1
}
HAVE_FAILED=false HAVE_FAILED=false
IS_SIGNED () { IS_SIGNED () {
if [ $1 = $VERIFIED_ROOT ]; then if [ $1 = $VERIFIED_ROOT ]; then
return 0; return 0;
fi fi
if IS_REVSIG_ALLOWED "$1"; then
export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=1
else
export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=0
fi
if ! git -c "gpg.program=${DIR}/gpg.sh" verify-commit $1 > /dev/null 2>&1; then if ! git -c "gpg.program=${DIR}/gpg.sh" verify-commit $1 > /dev/null 2>&1; then
return 1; return 1;
fi fi