Verify new commit signature on pull, before merging it

andsens · Mar 16, 2020 · 6df3cc2 · 6df3cc2
1 parent d662f5e
commit 6df3cc2
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 1 deletion.
diff --git a/bin/homeshick b/bin/homeshick
@@ -17,6 +17,13 @@ source "$homeshick/lib/log.sh"
 # shellcheck source=lib/prompt.sh
 source "$homeshick/lib/prompt.sh"
 
+# extra setting for GPG signatures
+# shellcheck disable=SC2034
+trusted_keys_file="$HOME/.homesick/trusted_keys.asc"
+verify_tool="$homeshick/bin/verify-commit"
+# shellcheck disable=SC2034
+[ "$(uname -s)" = "Darwin" ] && verify_tool="$homeshick/bin/macos-verify-commit"
+
 # lots of global variables in here, so just disable SC2034 for the entire file
 # shellcheck disable=SC2034
 true

diff --git a/bin/macos-verify-commit b/bin/macos-verify-commit
diff --git a/bin/verify-commit b/bin/verify-commit
diff --git a/lib/commands/pull.sh b/lib/commands/pull.sh
@@ -14,7 +14,20 @@ function pull {
 	fi
 
 	local git_out
-	if ! git_out=$(cd "$repo" && git pull 2>&1);then
+
+	# just fetch first - no merging yet
+	if ! git_out=$(cd "$repo" && git fetch 2>&1);then
+         err "$EX_SOFTWARE" "Unable to fetch as a part of git pull on $repo. Git says:" "$git_out"
+    fi;
+
+	# verify signature
+	local vout
+	# shellcheck disable=SC2154
+	if ! vout=$($verify_tool sigcheck -k "$trusted_keys_file" -p "$repo" -r FETCH_HEAD 2>&1);then
+		err "$EX_SOFTWARE" "Verify signature on fetched data, stopping pull for $repo. Signature check says:" "$vout"
+	fi;
+
+	if ! git_out=$(cd "$repo" && git merge FETCH_HEAD 2>&1);then
          # try to reset bad merge, to get to a clean state:
          cd "$repo" && git reset --merge 1>/dev/null 2>&1
          # abort any rebase if pull has been overriden to do a rebase: