#!/bin/sh
# Before using this script, will want to unset all upstreams:
# for head in $(git for-each-ref --format='%(refname)' refs/heads/); do
# branch=$(echo "$head" | cut -d/ -f3)
# git branch --unset-upstream "$branch" 2>/dev/null || true
# done
# Could generalise to a script that reads a git config value for the
# fingerprint to look for, updates branches specified by user and is
# able to handle updating by both merge and rebase
# Could do what propellor does in verifyOriginBranch instead of this
# -- it might be more robust
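# Abort on the first unhandled failure, so a failed environment load or
# fetch never falls through to the verification and merge steps below.
set -e

# Load the user's shell environment.  The path is quoted so that a home
# directory containing whitespace or glob characters is not word-split.
# NOTE(review): presumably this is what puts the custom git subcommands
# used below (verify-commit-by-fp, merge-ff) on PATH -- confirm.  The
# signature check is only as trustworthy as this file and those helpers.
. "$HOME/.shenv"

git fetch origin

# Gate everything on the signature check: origin/master is accepted only
# if the helper vouches for it against this full 40-hex-digit key
# fingerprint (a full fingerprint, not a short key ID).
if ! git verify-commit-by-fp \
    8DC2487E51ABDD90B5C4753F0F56D0553B6D411B origin/master; then
    echo >&2 "uh oh, dotfiles remote head is not PGP-signed by Sean"
    exit 1
fi

# we only fast-forward master, to avoid the possibility of an
# attacker causing us to check out an older signed commit than the
# one we have now
# NOTE(review): origin/master is resolved once by the check above and
# again here; if another fetch ran in between, the merged commit could
# differ from the verified one.  Resolving the ref to a commit id once
# and passing that id to both helpers would close the gap -- left as is
# because the helpers' argument handling is not visible from this file.
if ! git merge-ff master origin/master; then
    echo >&2 "uh oh, dotfiles remote head is not fast-forward of master"
    echo >&2 "refusing to rebase; manually apply local commits to origin/master"
    exit 1
fi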