
Commit 93521a4

committed
Merge pull request #6875
6e800c2 Add Pieter's new PGP key to verify-commits/trusted-keys (Matt Corallo) 1d94b72 Whitelist commits signed with Pieter's now-revoked key (Matt Corallo) 27252b7 Fix pre-push-hook regexes (Matt Corallo)
2 parents d0badb9 + 6e800c2 commit 93521a4


5 files changed

+36
-3
lines changed

Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,2 @@
1+
586a29253dabec3ca0f1ccba9091daabd16b8411
2+
eddaba7b5692288087a926da5733e86b47274e4e

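--- a/contrib/verify-commits/gpg.sh
+++ b/contrib/verify-commits/gpg.sh
@@ -1,15 +1,33 @@
 #!/bin/sh
 INPUT=$(</dev/stdin)
 VALID=false
+REVSIG=false
 IFS=$'\n'
 for LINE in $(echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null); do
-case "$LINE" in "[GNUPG:] VALIDSIG"*)
+case "$LINE" in
+"[GNUPG:] VALIDSIG "*)
 while read KEY; do
 case "$LINE" in "[GNUPG:] VALIDSIG $KEY "*) VALID=true;; esac
 done < ./contrib/verify-commits/trusted-keys
+;;
+"[GNUPG:] REVKEYSIG "*)
+[ "$BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG" != 1 ] && exit 1
+while read KEY; do
+case "$LINE" in "[GNUPG:] REVKEYSIG ${KEY:24:40} "*)
+REVSIG=true
+GOODREVSIG="[GNUPG:] GOODSIG ${KEY:24:40} "
+;;
+esac
+done < ./contrib/verify-commits/trusted-keys
+;;
 esac
 done
 if ! $VALID; then
 exit 1
 fi
-echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null
+if $VALID && $REVSIG; then
+echo "$INPUT" | gpg --trust-model always "$@" | grep "\[GNUPG:\] \(NEWSIG\|SIG_ID\|VALIDSIG\)" 2>/dev/null
+echo "$GOODREVSIG"
+else
+echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null
+fi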
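Review bot: In the `$VALID && $REVSIG` branch the `2>/dev/null` binds to `grep`, not to `gpg`, so gpg's stderr is no longer silenced there as it is in the `else` branch; `echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null | grep ...` keeps both paths consistent. The new `${KEY:24:40}` substring expansion is a bash form under the `#!/bin/sh` shebang, so where sh is not bash the REVKEYSIG arm would fail instead of matching. Because this arm replaces gpg's REVKEYSIG status with a synthesized GOODSIG line, it deserves a comment stating the trust decision, for example `# Revoked-key signatures are accepted only when the caller sets BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=1; any other value fails closed`. That variable is read from the inherited environment, so a value exported in the user's shell would presumably also apply when this script is used as gpg.program outside verify-commits.sh.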

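--- a/contrib/verify-commits/pre-push-hook.sh
+++ b/contrib/verify-commits/pre-push-hook.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-if ! [[ "$2" =~ [git@]?[www.]?github.com[:|/]bitcoin/bitcoin[.git]? ]]; then
+if ! [[ "$2" =~ ^(git@)?(www.)?github.com(:|/)bitcoin/bitcoin(.git)?$ ]]; then
 exit 0
 fi
 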
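Review bot: The anchored pattern on new line 2 still leaves the dots unescaped and no longer matches remotes written with a scheme, such as `https://github.com/bitcoin/bitcoin.git`; since a non-match runs `exit 0`, pushes to such a remote would skip whatever checks follow. Assuming `$2` is the remote URL git passes to the hook, something like `^((https|ssh)://)?(git@)?(www\.)?github\.com(:|/)bitcoin/bitcoin(\.git)?$` would cover those forms and make `.` literal. The rest of the hook lies outside this hunk, so what exactly is skipped cannot be confirmed from here.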

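--- a/contrib/verify-commits/trusted-keys
+++ b/contrib/verify-commits/trusted-keys
@@ -3,3 +3,4 @@
 01CDF4627A3B88AAE4A571C87588242FBE38D3A8
 AF8BE07C7049F3A26B239D5325B3083201782B2F
 81291FA67D2C379A006A053FEAB5AF94D9E9ABE7
+133EAC179436F14A5CF1B794860FEB804E669320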

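--- a/contrib/verify-commits/verify-commits.sh
+++ b/contrib/verify-commits/verify-commits.sh
@@ -7,11 +7,23 @@ git log "$DIR"
 
 VERIFIED_ROOT=$(cat "${DIR}/trusted-git-root")
 
+IS_REVSIG_ALLOWED () {
+while read LINE; do
+[ "$LINE" = "$1" ] && return 0
+done < "${DIR}/allow-revsig-commits"
+return 1
+}
+
 HAVE_FAILED=false
 IS_SIGNED () {
 if [ $1 = $VERIFIED_ROOT ]; then
 return 0;
 fi
+if IS_REVSIG_ALLOWED "$1"; then
+export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=1
+else
+export BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG=0
+fi
 if ! git -c "gpg.program=${DIR}/gpg.sh" verify-commit $1 > /dev/null 2>&1; then
 return 1;
 fi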
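Review bot: `IS_REVSIG_ALLOWED` reads the allow-list with a plain `while read LINE`, which silently skips a final entry that has no trailing newline; `while IFS= read -r LINE || [ -n "$LINE" ]; do` would catch it. The miss fails closed (the commit is rejected rather than accepted), but it would be confusing to diagnose. Since this list is what permits a revoked-key signature for a given commit, a header comment such as `# Returns 0 only if commit hash $1 is listed in allow-revsig-commits` would make the function's role in the trust decision explicit. IS_SIGNED continues past the end of the hunk.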
