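// Pre-receive hook: fail-closed signature policy.
//
// For every pushed object id in `oids`, commits and tags must carry a PGP
// signature that verifies against one of the keys `pgp.lookup` returns for the
// object's author/tagger email. Every failure path ends in `console.fatal`
// (push rejected) and returns without calling `done()`; only a fully
// verified push reaches `done()`.
//
// NOTE(review): the email being checked is read from the commit/tag object
// itself (`object.author.email` / `object.tagger.email`), i.e. it is chosen by
// whoever crafted the object. This hook therefore establishes "signed by a key
// associated with the *claimed* email", not "signed by the user doing the
// push". If the pusher must be bound to the author identity, that check has to
// live elsewhere (the hook runtime is not visible here).
//
// `oids`, `git`, `pgp`, `console.fatal` and `done` are provided by the hook
// runtime, not by this file.
(async () => {
  console.log('Wish me luck!')

  // Short object id for log lines.
  function abbr (oid) {
    return oid.slice(0, 7)
  }

  // Guidance appended to the error when an object carries no signature at all.
  const SIGNING_HELP = `
This server's policy is to only accept GPG-signed commits.
Learn how you can create a GPG key and configure git to sign commits here:
https://help.github.com/en/github/authenticating-to-github/managing-commit-signature-verification
`

  // Verify objects (ideally we'd do this _before_ moving it into the repo...
  // but I think we'd need a custom 'fs' implementation with overlays)
  console.log('\nVerifying objects...\n')
  try {
    let i = 0
    for (const oid of oids) {
      i++
      console.log(`\rVerifying object ${i}/${oids.length}`)
      const { type, object } = await git.readObject({ oid })
      // Blobs and trees carry no signature of their own; only commits and
      // tags are subject to the policy.
      if (type !== 'commit' && type !== 'tag') continue

      const email = type === 'commit' ? object.author.email : object.tagger.email
      console.log(`\nVerifying ${type} ${abbr(oid)} by ${email}: `)

      let keys
      try {
        keys = await pgp.lookup(email)
      } catch (e) {
        // Still fail closed, but say *why*: a lookup error (backend/network)
        // is not the same as "this email has no keys", and the user cannot
        // fix the former by adding a key. The original message hid the cause.
        console.log(`no keys found 👎\n`)
        console.fatal(`\nSignature verification failed for ${type} ${abbr(oid)}. Looking up PGP keys for ${email} failed: ${e && e.message ? e.message : e}\n`)
        return
      }
      // Guard a null/undefined result as well as an empty list so a misbehaving
      // lookup backend cannot throw past the policy check.
      if (!keys || keys.length === 0) {
        console.log(`no keys found 👎\n`)
        console.fatal(`\nSignature verification failed for ${type} ${abbr(oid)}. No PGP keys could be found for ${email}.\n`)
        return
      }

      let ok = false
      for (const key of keys) {
        let result
        try {
          result = await git.verify({ ref: oid, publicKeys: key })
        } catch (e) {
          if (e.code && e.code === git.E.NoSignatureError) {
            console.log(`no signature 👎\n`)
            console.fatal(e.message + SIGNING_HELP)
            return
          }
          // Any other verification error is fatal as well: a malformed key or
          // signature must never be treated as "unverified but accepted".
          console.fatal(e.message)
          return
        }
        if (result === false) {
          // Signature did not validate against this key. `pgp.demote` is
          // runtime-provided; presumably it deprioritises the key for later
          // lookups — confirm against the hook runtime.
          pgp.demote(email, key)
          continue
        }
        // `result` is expected to be a non-false list whose first entry names
        // the signing key (behaviour of `git.verify`, not visible here).
        console.log(`signed with ${result[0]} 👍\n`)
        ok = true
        break
      }
      if (!ok) {
        console.log(`no keys matched 👎\n`)
        console.fatal(`\nSignature verification failed for ${type} ${abbr(oid)}. It was not signed with a key publicly associated with the email address "${email}".
Learn how you can associate your GPG key with your email account using GitHub here:
https://help.github.com/en/github/authenticating-to-github/adding-a-new-gpg-key-to-your-github-account
`)
        return
      }
    }
  } catch (e) {
    // An unexpected throw (e.g. readObject on a corrupt object) inside this
    // async IIFE would otherwise surface only as an unhandled rejection, with
    // neither console.fatal nor done() ever called. Reject the push explicitly
    // instead of leaving the hook in limbo.
    console.fatal(`\nUnexpected error during signature verification: ${e && e.message ? e.message : e}\n`)
    return
  }
  console.log(`\nVerification complete`)
  done()
})()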