589cd63 Allow any subkey in verify-commits (Matt Corallo)
Tree-SHA512: e3175273c648ed2d990ac931efae5e4bf3bd5ddce7b591f5e64a6831f3c029b252bc5d241dd8d3874467747c3ded87aa1fa334ff53d940cde32c22e584a2c4d0
Specifically, require that the left branch (first restult of git
show -s --format=format:%P) is a signed merge commit, instead of
allowing either. This is fine for now, but might need to be relaxed
in the future.
Also fixes an out-of-file-descriptors issue by holding too many
open FDs writing to /dev/null
Now that the trusted root is past all commits signed by that key we don't need
it in the trusted-keys list, nor do we need to whitelist those commits in
allow-revsig-commits
Any attacker who managed to make an evil commit that changed something in the
contrib/verify-commits/ directory could just as easily remove the warning
and/or modify it to not display the evil commits; telling the user to check
those commits specifically misleads them into checking just those commits
rather than the script itself.