I have a GitHub repository we share for our development. To ensure integrity, we decided to sign our commits and tags with GPG.
Now, how do I prevent developers from pushing unsigned commits to our repository on GitHub, and also white-list GPG public keys so that only commits signed with white-listed public keys can be pushed?
I checked out some pre-push hooks, but they didn't work out the way I described above. Here it is:
    #!/bin/sh
    remote="$1"
    url="$2"
    z40=0000000000000000000000000000000000000000
    IFS=' '
    while read local_ref local_sha remote_ref remote_sha
    do
        if [ "$local_sha" = $z40 ]
        then
            # Handle delete (no-op; a branch needs at least one command)
            :
        else
            if [ "$remote_sha" = $z40 ]
            then
                # New branch, examine all commits
                range="$local_sha"
            else
                # Update to existing branch, examine new commits
                range="$remote_sha..$local_sha"
            fi
            # Check for WIP commit
            commit=`git rev-list -n 1 --grep '^WIP' "$range"`
            if [ -n "$commit" ]
            then
                echo "Found WIP commit in $local_ref, not pushing"
                exit 1
            fi
        fi
    done
    exit 0
How can I get this done? Any notion or examples would be highly appreciated.
GitHub will verify GPG, SSH, or S/MIME signatures so other people will know that your commits come from a trusted source. GitHub will automatically sign commits you make using the GitHub web interface. About commit signature verification.
It means that when you commit code, the commit is signed with a key, the GPG key. This key contains information about you, like your name and e-mail address. When you submit your public key in GitHub, GitHub can verify that the signed commit was created by your account.
It looks like you are on GitHub Enterprise and trying to create a pre-receive hook script that rejects any unsigned commits - correct? If so, here is an open source GPG script from GitHub. If you are on GitHub.com, please note they do not support pre-receive hooks, and instead you would want to set up a protected branch with a required status check to reject unsigned work.
As for setting up keys, have you checked out this article?
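A sketch of the pre-receive approach described in the answer above, added here as an example (it is not the GitHub script the answer refers to). It assumes the server-side GnuPG keyring already holds the developers' public keys, that the installed git supports the `%G?` and `%GP` format placeholders, and a hypothetical allow-list file (`ALLOWED_KEYS`) with one primary-key fingerprint per line.

```shell
#!/bin/sh
# Added example: pre-receive hook that rejects unsigned commits and commits
# signed by keys outside an allow-list. ALLOWED_KEYS is a hypothetical path;
# the file holds one primary-key fingerprint per line.
ALLOWED_KEYS="${ALLOWED_KEYS:-/etc/git/allowed-signers.txt}"
ZERO=0000000000000000000000000000000000000000

# Reads "<sha> <%G? status> <primary fingerprint>" lines on stdin.
# Prints one line per rejected commit; returns 1 if any commit is rejected.
check_commits() {
    allow_file="$1"; rc=0
    while read -r sha status fpr; do
        case "$status" in
            G|U) ;;   # good signature (U: key validity unknown to GnuPG)
            N) echo "REJECT $sha unsigned"; rc=1; continue ;;
            *) echo "REJECT $sha bad-signature($status)"; rc=1; continue ;;
        esac
        # An empty pattern would match every line, so reject it explicitly.
        if [ -z "$fpr" ] || ! grep -qixF -- "$fpr" "$allow_file"; then
            echo "REJECT $sha key-not-allowed"; rc=1
        fi
    done
    return $rc
}

# pre-receive gets "<old> <new> <ref>" per updated ref on stdin.
main() {
    fail=0
    while read -r old new ref; do
        [ "$new" = "$ZERO" ] && continue      # ref deletion: nothing to verify
        if [ "$old" = "$ZERO" ]; then
            range="$new --not --all"          # new ref: only commits not yet on the server
        else
            range="$old..$new"
        fi
        # $range is left unquoted on purpose so it splits into arguments.
        git log --format='%H %G? %GP' $range | check_commits "$ALLOWED_KEYS" || fail=1
    done
    return $fail
}

# Run only when installed under the hook name, so the functions can be reused.
case "$0" in *pre-receive) main || exit 1 ;; esac
```

The allow-list is the trust anchor here: status `U` is accepted because the signature is cryptographically good and the fingerprint is still checked against the list.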