author | Michał Górny <mgorny@gentoo.org> | 2018-07-21 07:39:46 +0200 |
---|---|---|
committer | Michał Górny <mgorny@gentoo.org> | 2019-04-09 13:05:55 +0200 |
commit | b0f8a2ded9e19df207f1b6465a2a144e27be0e1c (patch) | |
tree | 1bf0dad789f8b83f6939b70c4f7c6a6072435734 | |
parent | gpg hook: Make signature verification optional (diff) | |
gpg hook: Restrict push to keys of dev performing it
-rwxr-xr-x | local/update-02-gpg | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/local/update-02-gpg b/local/update-02-gpg
index cae648b..48e1719 100755
--- a/local/update-02-gpg
+++ b/local/update-02-gpg
@@ -23,6 +23,24 @@ VERIFY_SIGS=$(git config --get gentoo.verify-signatures)
 case ${VERIFY_SIGS} in
 gentoo-devs)
+ if [[ ${GL_USER} != *@gentoo.org ]]; then
+ echo "*** Pusher address is not @gentoo.org" >&2
+ echo " (it is ${GL_USER})" >&2
+ echo "*** Please report this to infra" >&2
+ exit 1
+ fi
+
+ # find key fingerprints in LDAP
+ KEY_FPS=$(ldapsearch "uid=${GL_USER%@gentoo.org}" -D '' -Z -LLL \
+ gpgfingerprint -o ldif-wrap=no | \
+ sed -n -e '/^gpgfingerprint: /{s/^.*://;s/ //g;p}')
+ # create a dedicated GNUPGHOME
+ TMPHOME=$(mktemp -d)
+ trap 'rm -rf "${TMPHOME}"' EXIT
+ # transfer the keys
+ gpg -q --export ${KEY_FPS} | GNUPGHOME=${TMPHOME} gpg -q --import
+ # use new GNUGPHOME to restrict to dev's keys
+ export GNUPGHOME=${TMPHOME}
 ;;
 no)
 ;;
 |
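Review bot: An empty `KEY_FPS` turns the restriction into no restriction at the `gpg -q --export ${KEY_FPS}` line, because `gpg --export` with no key arguments exports the whole original keyring into the dedicated GNUPGHOME, so any key in it would then pass verification. `KEY_FPS` is empty whenever `ldapsearch` fails (the pipeline only reports `sed`'s status, so a failed lookup is not caught) or the LDAP entry carries no `gpgfingerprint` attribute, and nothing after the assignment checks for that; adding `[[ -n ${KEY_FPS} ]] || { echo "*** No GPG fingerprints found in LDAP for ${GL_USER}" >&2; exit 1; }` before the export closes both paths. Relatedly, the lookup uses an anonymous bind with `-Z`, which issues StartTLS but continues if it is not established, so the fingerprints that gate the push can arrive over an unprotected connection; `-ZZ` makes a successful StartTLS mandatory. The `case` statement these arms belong to ends outside the hunk.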