I have a GitHub repository we share for our development. To ensure its integrity, we decided to sign our commits and tags with GPG.
Now, how do I prevent developers from pushing unsigned commits to our repository on GitHub, and also white-list GPG public keys so that only commits signed with white-listed keys can be pushed?
I checked out some pre-push hooks, but they didn't work out the way I described above. Here is one of them:
#!/bin/sh
# Sample pre-push hook: refuses to push any commit whose subject starts with "WIP".
# git calls it with the remote name and URL, and feeds one line per ref on stdin:
#   <local ref> <local sha> <remote ref> <remote sha>
remote="$1"
url="$2"
z40=0000000000000000000000000000000000000000
IFS=' '
while read -r local_ref local_sha remote_ref remote_sha
do
    if [ "$local_sha" = "$z40" ]
    then
        # Handle delete: nothing to examine (":" keeps the empty branch valid sh)
        :
    else
        if [ "$remote_sha" = "$z40" ]
        then
            # New branch, examine all commits
            range="$local_sha"
        else
            # Update to existing branch, examine new commits
            range="$remote_sha..$local_sha"
        fi
        # Check for WIP commit
        commit=$(git rev-list -n 1 --grep '^WIP' "$range")
        if [ -n "$commit" ]
        then
            echo "Found WIP commit in $local_ref, not pushing"
            exit 1
        fi
    fi
done
exit 0
How can I get this done? Any notion or examples would be highly appreciated.
It looks like you are on GitHub Enterprise and trying to create a pre-receive hook script that rejects any unsigned commits - correct? If so, here is an open-source GPG script from GitHub. If you are on GitHub.com, please note they do not support pre-receive hooks and instead you would want to set up a protected branch with required status check to reject unsigned work.
As for setting up keys, have you checked out this article?
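Here is an added example of the server-side check the answer describes: a pre-receive hook that rejects any pushed commit that is not signed, or that is signed with a GPG key whose primary fingerprint is not on an allow-list. It is not GitHub's script and not code from the question; it is written for this page. It assumes git 2.19 or newer (for the `%GP` placeholder), that the signing public keys have been imported into the server's GPG keyring so `git log` can verify them, and that git exports `GIT_DIR` when it invokes the hook (used here to keep the functions testable outside a repository). The fingerprints in `ALLOWED_FPRS` are constructed placeholders.

```shell
#!/bin/sh
# Hypothetical pre-receive hook (added example, not the page's or GitHub's code):
# reject pushes containing commits that are unsigned or signed by a key that is
# not on the allow-list below.
set -eu

# Constructed allow-list of primary-key fingerprints (placeholders, not real keys).
ALLOWED_FPRS="AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111
BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222"
ZERO=0000000000000000000000000000000000000000

# fpr_allowed FPR: succeeds if FPR is one of the allow-listed fingerprints.
fpr_allowed() {
    printf '%s\n' "$ALLOWED_FPRS" | grep -qixF "$1"
}

# check_commit_line LINE: LINE is "<sha> <%G?> <%GP>" as printed by
# git log --format='%H %G? %GP'. Succeeds if the commit is acceptable;
# otherwise prints the reason and fails.
check_commit_line() {
    set -- $1                      # split into sha, signature status, fingerprint
    sha=$1; status=${2:-N}; fpr=${3:-}
    case "$status" in
        G|U) ;;                    # good signature (U: key of unknown trust level)
        N) echo "$sha: not signed"; return 1 ;;
        B) echo "$sha: BAD signature"; return 1 ;;
        E) echo "$sha: signature cannot be checked (key not in keyring)"; return 1 ;;
        X|Y|R) echo "$sha: signature from expired/revoked key ($status)"; return 1 ;;
        *) echo "$sha: unexpected signature status '$status'"; return 1 ;;
    esac
    if ! fpr_allowed "$fpr"; then
        echo "$sha: signed with non-allow-listed key $fpr"
        return 1
    fi
    return 0
}

# check_lines: reads "sha status fpr" lines on stdin, reports every offending
# commit and fails if any was found.
check_lines() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        check_commit_line "$line" || rc=1
    done
    return $rc
}

# run_hook: git feeds "<old sha> <new sha> <ref>" per updated ref on stdin.
run_hook() {
    failed=0
    while read -r old new ref; do
        [ "$new" = "$ZERO" ] && continue            # ref deletion: nothing to verify
        if [ "$old" = "$ZERO" ]; then
            range="$new --not --all"                # new ref: only commits not already in the repo
        else
            range="$old..$new"
        fi
        # shellcheck disable=SC2086  # $range is intentionally word-split
        if ! git log --format='%H %G? %GP' $range | check_lines >&2; then
            echo "rejecting $ref: every commit must be signed by an allow-listed key" >&2
            failed=1
        fi
    done
    exit $failed
}

# Assumption: git sets GIT_DIR when invoking hooks, so the hook body runs only
# under git; sourcing this file elsewhere just defines the functions.
[ -n "${GIT_DIR:-}" ] && run_hook
```

Install it as `hooks/pre-receive` (executable) on the server-side repository. The `E` status is treated as a rejection on purpose: a signature the server cannot verify because the key is not in its keyring is indistinguishable, from the server's point of view, from a signature by an unauthorised key, so importing the team's public keys on the server is part of the setup.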