How to limit push operations to allow only GPG-signed commits on GitHub

I have a GitHub repository we share for our development. To ensure integrity, we decided to sign our commits and tags with GPG.

Now, how do I prevent developers from pushing unsigned commits to our repository on GitHub, and also whitelist GPG public keys so that only commits signed with whitelisted public keys can be pushed?

I checked out some pre-push hooks, but they didn't work out the way I described above. Here is one of them:

#!/bin/sh
# pre-push hook: git passes the remote name and URL as arguments and feeds
# one "<local ref> <local sha1> <remote ref> <remote sha1>" line per ref on stdin.
remote="$1"
url="$2"

z40=0000000000000000000000000000000000000000

IFS=' '
while read local_ref local_sha remote_ref remote_sha
do
    if [ "$local_sha" = $z40 ]
    then
        # Handle delete: nothing to examine (':' is a no-op; an empty branch is a syntax error)
        :
    else
        if [ "$remote_sha" = $z40 ]
        then
            # New branch, examine all commits
            range="$local_sha"
        else
            # Update to existing branch, examine new commits
            range="$remote_sha..$local_sha"
        fi

        # Check for WIP commit
        commit=$(git rev-list -n 1 --grep '^WIP' "$range")
        if [ -n "$commit" ]
        then
            echo "Found WIP commit in $local_ref, not pushing"
            exit 1
        fi
    fi
done
exit 0

How can I get this done? Any notion or examples would be highly appreciated.

Samuel Robert asked Feb 17 '17 07:02



1 Answer

It looks like you are on GitHub Enterprise and trying to create a pre-receive hook script that rejects any unsigned commits - correct? If so, here is an open source GPG script from GitHub. If you are on GitHub.com, please note they do not support pre-receive hooks, and instead you would want to set up a protected branch with a required status check to reject unsigned work.

As for setting up keys, have you checked out this article?

CJ Johnson answered Sep 24 '22 13:09
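A server-side pre-receive hook of the kind the answer describes, added here as an example (it is neither the question's pre-push hook nor GitHub's linked script): it reads each pushed commit's signature status and signing-key fingerprint from git log's %G? and %GF placeholders and rejects any commit that is unsigned, badly signed, or signed by a key whose fingerprint is not in an allow-list. It assumes the developers' public keys have been imported into the gpg keyring of the user the hook runs as, that the server's git supports %GF, and that the two fingerprints are placeholders you replace with your own.

```shell
#!/bin/sh
# Server-side pre-receive hook, added as an example (not the question's hook or
# the script linked in the answer). Assumes the developers' public keys are in
# the hook user's gpg keyring and that this git supports the %GF placeholder.

# Allow-listed signing-key fingerprints, one per line (placeholder values).
ALLOWED_FINGERPRINTS="AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555
FFFF6666AAAA7777BBBB8888CCCC9999DDDD0000"

# Reads "<sha> <sigstatus> <fingerprint>" lines as printed by
# git log --format='%H %G? %GF', prints a reason per rejected commit and returns
# 0 only if every commit has a good signature from an allow-listed key. Status U
# (good signature, key not trusted in gpg's trustdb) is accepted: the allow-list
# is the trust decision here, not the trustdb.
check_signature_lines() {
    rc=0
    while read -r sha status fpr; do
        [ -z "$sha" ] && continue
        case "$status" in
            G|U) ;;
            B) echo "reject $sha: bad signature"; rc=1; continue ;;
            N) echo "reject $sha: commit is not signed"; rc=1; continue ;;
            *) echo "reject $sha: cannot verify signature (status $status)"; rc=1; continue ;;
        esac
        # grep -xF matches the whole line literally; an empty fingerprint must
        # never pass, so it is rejected explicitly before grep runs.
        if [ -z "$fpr" ] || ! printf '%s\n' "$ALLOWED_FINGERPRINTS" | grep -qxF "$fpr"; then
            echo "reject $sha: signing key '$fpr' is not allow-listed"
            rc=1
        fi
    done
    return $rc
}

# pre-receive gets one "<old-sha> <new-sha> <refname>" line per updated ref.
zero=0000000000000000000000000000000000000000
pre_receive() {
    while read -r oldrev newrev refname; do
        [ "$newrev" = "$zero" ] && continue    # ref deletion: nothing to verify
        if [ "$oldrev" = "$zero" ]; then
            # New ref: check only commits not already reachable from existing refs.
            commits=$(git log --format='%H %G? %GF' "$newrev" --not --all)
        else
            commits=$(git log --format='%H %G? %GF' "$oldrev..$newrev")
        fi
        printf '%s\n' "$commits" | check_signature_lines || exit 1
    done
}
# Run the hook body only when installed as hooks/pre-receive.
case "${0##*/}" in pre-receive) pre_receive ;; esac
```

Install it as hooks/pre-receive in the bare repository (executable) and maintain the allow-list alongside the imported keys; rotating a developer's key means importing the new public key and replacing its fingerprint in the list.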