
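#!/bin/bash

# Verify every non-merge commit in the range
# ${VERIFY_COMMIT_START}..${VERIFY_COMMIT_END} (both read from the environment,
# normally exported by CI). Each commit must have a message whose longest line
# fits in 72 columns, a Signed-off-by trailer matching the commit author, and a
# signature header. The script exits non-zero on the first failing commit, or
# if no commit was examined at all.
#
# NOTE(review): the sign-off and signature checks establish DCO form and the
# *presence* of a gpgsig header only. Neither authenticates the author, and the
# signature is not cryptographically verified here (see the comment below);
# that is delegated to the hosting platform's commit verification.

# Exit immediately on failure, treat unset variables as errors, and make a
# pipeline fail when any stage fails. Without pipefail a failing git command
# feeding wc/grep would be masked by the successful downstream stage and the
# check would pass on empty input.
set -euo pipefail

# Both range endpoints must be provided. An unset endpoint would otherwise
# silently collapse the range to HEAD..HEAD and verify nothing.
: "${VERIFY_COMMIT_START:?VERIFY_COMMIT_START must be set}"
: "${VERIFY_COMMIT_END:?VERIFY_COMMIT_END must be set}"

# Print status information.
echo "Performing commit verification"
echo

# Resolve the commit list up front. Capturing it with a command substitution
# (instead of feeding the loop through process substitution) means a failing
# git rev-list aborts the script under set -e rather than being ignored.
COMMITS="$(git rev-list --no-merges "${VERIFY_COMMIT_START}..${VERIFY_COMMIT_END}")"

# Track that we actually verified at least one commit.
PERFORMED_VERIFICATION="false"

# Loop over the relevant commits.
while IFS= read -r commit; do
    # An empty commit list still yields one empty line from the here-string.
    [[ -n "${commit}" ]] || continue

    # Print status information.
    echo "> Verifying ${commit}"

    # Fetch the raw commit message once and reuse it for both message checks.
    MESSAGE="$(git show --format="format:%B" --no-patch "${commit}")"

    # Enforce commit message line length restrictions. wc -L reports the
    # longest line; note that it is a GNU extension (not available on BSD/macOS
    # wc), which is acceptable for the Linux CI runners this targets.
    MAXIMUM_LINE_LENGTH="$(wc -L <<< "${MESSAGE}")"
    if [[ "${MAXIMUM_LINE_LENGTH}" -le 72 ]]; then
        echo "Commit message line length acceptable"
    else
        echo "Commit message line length too long!" 1>&2
        exit 1
    fi

    # Verify that the expected sign-off is present. The expected trailer is
    # built from the author name and email, which are arbitrary text chosen by
    # whoever authored the commit, so it is matched as a fixed string and whole
    # line (-F -x) rather than as a regular expression: a "." or "+" in an
    # email address must not act as a regex operator (a "+" would otherwise
    # reject a legitimate sign-off), and "--" keeps a name beginning with "-"
    # from being parsed as a grep option. This checks DCO form only; anyone
    # can write a trailer naming themselves, so it does not authenticate the
    # author.
    EXPECTED_SIGNOFF="$(git show --format="format:Signed-off-by: %an <%ae>" --no-patch "${commit}")"
    if grep -qFx -- "${EXPECTED_SIGNOFF}" <<< "${MESSAGE}"; then
        echo "Found valid sign-off"
    else
        echo "Missing sign-off!" 1>&2
        exit 1
    fi

    # Verify that a signature header is present. Ideally we'd want to use
    # git-show for this, but its signature formatting refuses to print any
    # SSH signature information correctly (it doesn't even print %G?
    # correctly) unless the gpg.ssh.allowedSignersFile setting is set to a
    # file (even an empty one). I assume this is a bug that will be fixed in
    # later versions of Git, but for now we just grab the raw commit headers
    # and check that a gpgsig header is present. The sed expression deletes
    # everything from the first empty line (the end of the headers) onwards,
    # so commit message text can't produce a false positive. It deliberately
    # consumes all of its input instead of quitting early, so git cat-file
    # never sees a closed pipe and pipefail can't misreport a long message as
    # a failure. The header pattern is anchored at column 0: continuation
    # lines of the signature start with a space, and the anchor also accepts
    # the "gpgsig-sha256" header used by SHA-256 repositories. git-show also
    # lacks the ability to print arbitrary raw header fields.
    #
    # This only proves a header exists; the signature bytes are not validated
    # against any key, so a bogus header would pass. Actual validation is left
    # to the hosting platform's commit verification.
    #
    # TODO: It may be worth fetching the corresponding GPG and/or SSH keys from
    # GitHub to verify that they match the commit author, but that's going to
    # be tricky and probably fragile. It would allow us to avoid this hack and
    # provide stronger validation, but for the time being we can likely rely
    # on GitHub account security and commit verification to provide validation.
    HEADERS="$(git cat-file commit "${commit}" | sed '/^$/,$d')"
    if grep -q '^gpgsig' <<< "${HEADERS}"; then
        echo "Found cryptographic signature"
    else
        echo "Missing cryptographic signature header!" 1>&2
        exit 1
    fi

    # Record that some verification was performed.
    PERFORMED_VERIFICATION="true"

    # Output a separator line.
    echo
done <<< "${COMMITS}"

# Enforce that at least one commit was verified.
if [[ "${PERFORMED_VERIFICATION}" == "false" ]]; then
    echo "No verification performed!" 1>&2
    exit 1
fi

# Print status information.
echo "Commit verification succeeded!"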