blob: abdeeff8b8b0d0a8cbed181011c254d1511c236a (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
|
#!/bin/sh
# Could generalise to a script that reads a git config value for the
# fingerprint to look for, updates branches specified by user and is
# able to handle updating by both merge and rebase
# Could do that propellor does in verifyOriginBranch instead of this
# -- it might be more robust
set -e
# To update a shallow clone we would do 'git fetch --depth 1' and then 'git
# reset --hard origin/master'. But that would leave us vulnerable to an
# attacker causing us to check out an older signed commit than the one we have
# now. So require an explicit 'git fetch --unshallow' from the user, or get
# Consfigurator to update repo from a snapshot from laptop, or something.
if [ "$(git rev-parse --is-shallow-repository)" = "true" ]; then
echo >&2 "shallow dotfiles clone; refusing to reset to origin/master"
exit 1
fi
git fetch origin
if git verify-commit-spw origin/master; then
# we only fast-forward master, to avoid the possibility of an
# attacker causing us to check out an older signed commit than the
# one we have now
if ! git merge-ff master origin/master; then
echo >&2 "dotfiles remote head signed by Sean, but not fast-forward of master"
echo >&2 "will not auto-rebase; manually rebase/reset master on/to origin/master"
exit 1
fi
else
echo >&2 "uh oh, dotfiles remote head is not PGP-signed by Sean"
exit 1
fi
# Migrate old normalise-mrconfig setup
perl -000 -i'' -wn \
-e'/DO NOT EDIT THIS BLOCK; automatically updated/ or print' ~/.mrconfig
line="include = cat ~/src/dotfiles/lib-src/mr/config"
grep -Fxq "$line" ~/.mrconfig \
|| printf "%s\n\n" \
"# -*- mode: conf -*-" "$line" "$(sed -e1,2d ~/.mrconfig)" \
>~/.mrconfig
|