author | Sean Whitton <spwhitton@spwhitton.name> | 2018-05-11 10:54:12 -0700 |
---|---|---|
committer | Sean Whitton <spwhitton@spwhitton.name> | 2018-05-11 10:54:12 -0700 |
commit | 1bf3372ae4881f31d33ed573537ec8e8f302037f (patch) | |
tree | 8ec54545df6aec1d0dd6da17dc29faa06be65833 /bin/insinuate-dotfiles | |
parent | 4d55f45933cc88117c672550786d9cbdbc64e9e3 (diff) | |
download | dotfiles-1bf3372ae4881f31d33ed573537ec8e8f302037f.tar.gz |
rewrite insinuate-dotfiles to check for a PGP signature
Diffstat (limited to 'bin/insinuate-dotfiles')
-rwxr-xr-x | bin/insinuate-dotfiles | 35 |
1 files changed, 12 insertions, 23 deletions
diff --git a/bin/insinuate-dotfiles b/bin/insinuate-dotfiles
index 5f783a48..fcdd5288 100755
--- a/bin/insinuate-dotfiles
+++ b/bin/insinuate-dotfiles
@@ -12,27 +12,16 @@
 . $HOME/.shenv
 . $HOME/lib/tputfs.sh
-status "trying to clone dotfiles to $1 using https"
-ssh "$1" 'cd $HOME && git clone --depth 1 https://git.spwhitton.name/dotfiles src/dotfiles'
-
-# https:// can fail for older ca-certificates, so try git://
-if ! [ $? = 0 ]; then
- status "trying to clone dotfiles to $1 using git transport"
- ssh "$1" 'cd $HOME && git clone --depth 1 git://spwhitton.name/dotfiles' src/dotfiles
- if ! [ $? = 0 ]; then
- status "couldn't clone dotfiles on $1"
- exit 1
- fi
-
- # since we used an insecure transport, verify
- hash=$(ssh "$1" 'cd $HOME/src/dotfiles && git show-ref -s master | head -n1')
- if ! ( cd "$HOME/src/dotfiles" && git branch --contains "$hash" | grep master); then
- status "couldn't find remote HEAD in local master branch"
- status "nuking corrupted clone on $1"
- ssh "$1" 'rm -rf $HOME/src/dotfiles'
- exit 1
- fi
+status "trying to clone dotfiles to $1 using git daemon protocol"
+ssh "$1" 'wget -O- https://spwhitton.name/spwhitton.asc | gpg --import'
+ssh "$1" 'cd $HOME && git clone --depth 1 git://spwhitton.name/dotfiles src/dotfiles'
+ssh "$1" 'cd $HOME/src/dotfiles && git verify-commit --raw master 2>&1 | grep "VALIDSIG .* 8DC2487E51ABDD90B5C4753F0F56D0553B6D411B"'
+if [ $? = 0 ]; then
+ status "clone ok; running bootstrap script"
+ ssh "$1" 'cd $HOME && sh src/dotfiles/bin/bstraph.sh'
+else
+ status "couldn't verify PGP signature on dotfiles commit"
+ status "nuking corrupted clone on $1"
+ ssh "$1" 'rm -rf $HOME/src/dotfiles'
+ exit 1
 fi
-
-status "clone ok; running bootstrap script"
-ssh "$1" 'cd $HOME && sh src/dotfiles/bin/bstraph.sh'
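Review bot: The whole trust decision on the new side hangs on `if [ $? = 0 ]` reading the status of the separate `ssh … | grep` line above it, and nothing documents that the 40-hex string in the grep pattern is the pinned primary-key fingerprint, so a reader cannot tell why the unchecked `wget … | gpg --import` and `git clone` lines are acceptable (if either fails, no VALIDSIG line is produced and the verify step fails closed). Fold the command into the condition and document the pin, e.g. `# VALIDSIG is printed only for a good signature and its last field is the primary-key fingerprint, so a missing key or bad signature fails closed` above `if ssh "$1" 'cd $HOME/src/dotfiles && git verify-commit --raw master 2>&1 | grep -q "VALIDSIG .* 8DC2487E51ABDD90B5C4753F0F56D0553B6D411B"'; then`. Whether `set -e` is active is not visible because the script's preamble is outside the hunk; if it is, a failing import or clone aborts before the verify step rather than reaching the else branch, which is worth a short comment either way. Note also that `gpg --import` adds the key to the remote user's default keyring permanently, which is presumably intended since later runs rely on it.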