Date: Wed, 21 May 2014 16:25:02 -0400
From: "David A. Harding" <dave@dtrt.org>
To: Chris Beams <chris@beams.io>
Message-ID: <20140521202502.GA439@localhost.localdomain>
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] PSA: Please sign your git commits

On Wed, May 21, 2014 at 06:39:44PM +0200, Chris Beams wrote:
> I [was] searching for a way to enable signing by default [...]
> Unfortunately, there isn't one, meaning it's likely that most folks
> will forget to do this most of the time.

For all of my projects, I now put this script in
.git/hooks/post-commit and post-merge:

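    #!/bin/bash -eu

    # Check the commit just created (HEAD) for a valid GPG signature.
    if ! git log -n1 --show-signature | grep -q 'gpg: Good signature'
    then
        # Flood the terminal with the warning until interrupted.
        yes "FORGOT TO SIGN COMMIT MESSAGE"
        exit 1
    fi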

So anytime I forget to sign, I get an obvious error and can immediately
run git commit --amend -S.

To automatically add a script like the one above to all new projects (plus
quickly add it to old current projects), you can follow these instructions:

    http://stackoverflow.com/questions/2293498/git-commit-hooks-global-settings

> If you're really serious about it, you should probably reject pull
> requests without signed commits; otherwise, signing becomes
> meaningless because only honest authors do it

I find signing my commits quite useful even on projects without a
default signing policy because it lets me diff from the last time I
provably reviewed the code.  Here's my script for that:

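    #!/bin/bash -eu

    # Short ID of the key whose signatures mark a reviewed commit.
    KEY=F29EC4B7

    # Walk history newest first and keep the hash of the first commit whose
    # signature output names $KEY; the final "grep ." fails if nothing matched.
    last_signed_commit=$( git log --topo-order --show-signature --pretty=oneline \
        | grep -m1 " gpg: Signature made.*RSA key ID $KEY" \
        | sed 's/ .*//' \
        | grep .
    ) || { echo "No signed commit found.  Dying..." ; exit 1 ; }

    # Show everything that changed since that commit.
    set -x
    git diff "$last_signed_commit"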

By diffing against the last signed commit I made, I also review any
commits that were made using my name but which I didn't actually make,
such as squashes and rebases of my commits (and, of course, forgeries).

For anyone who's bored and wants to read a lot of text, I think the
definitive work on git signing is this:

    http://mikegerwitz.com/papers/git-horror-story.html

-Dave
-- 
David A. Harding
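
The following is an added example, not part of the original message or written by its author: a variant of the "diff from my last signed commit" lookup that reads git's `%G?` (signature verdict) and `%GK` (signing key ID) format fields instead of grepping gpg's human-readable output. A "Signature made" line is also printed for a bad signature, and with `--pretty=oneline` a commit subject can contain the same text. The function names and the sample key IDs and hashes are constructed for illustration; only `F29EC4B7` comes from the message.

```bash
#!/bin/bash
# Added example. Reads "<hash> <status> <key>" lines (newest first) on stdin
# and prints the first hash whose status is "G" (good signature) and whose
# signing key ID ends with the ID given as $1. Returns 1 if none matches.
pick_last_signed() {
    local want hash status key
    want=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    [ -n "$want" ] || return 2              # an empty ID would match any key
    while read -r hash status key; do
        [ "$status" = "G" ] || continue     # skip N (none), B (bad), U, E, ...
        key=$(printf '%s' "$key" | tr '[:lower:]' '[:upper:]')
        case "$key" in
            *"$want") printf '%s\n' "$hash"; return 0 ;;
        esac
    done
    return 1
}

# Feed the real history into the selector. %G? and %GK are filled in by git
# from gpg's verification result, not from anything in the commit message.
last_signed_commit() {
    git log --topo-order --format='%H %G? %GK' | pick_last_signed "$1"
}

# Constructed sample of the three-field format, newest commit first:
# unsigned, good signature by another key, bad signature, good signature.
sample_log() {
    cat <<'EOF'
1111111111111111111111111111111111111111 N
2222222222222222222222222222222222222222 G 00000000AAAAAAAA
3333333333333333333333333333333333333333 B 00000000F29EC4B7
4444444444444444444444444444444444444444 G 00000000F29EC4B7
EOF
}

# Run as: script KEYID   (nothing happens when run without arguments)
if [ $# -ge 1 ]; then
    commit=$(last_signed_commit "$1") \
        || { echo "No signed commit found." >&2; exit 1; }
    git diff "$commit"
fi
```

Passing the long key ID rather than the 8-character short ID narrows the suffix match to a single key in practice.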