signed_tip script

To check the tip of the current git branch is signed.

signed_tip script
b9800397 · Michal 'vorner' Vaner · 2f88722d · b9800397 · b9800397
Verified Commit b9800397 authored 9 years ago by Michal 'vorner' Vaner
--- a/gitsig/README
+++ b/gitsig/README
@@ -11,6 +11,16 @@ directory to be $HOME/git-gpg. It may be possible (and better from security
 point of view) if some of the files weren't writable by the current user, to
 ensure malicious attacker can't add another key into the keyring.

+Also, to make tampering by the current user slightly harder, it may be
+desirable to make the scripts unwritable by the user as well. But it is
+questionable if this adds any level of security, or if the attacker could
+disable the check completely when already in the position to tamper with local
+files.
+
+It is important to check the gpg -k *every time* the git-gpg directory is
+updated (so an attacker couldn't sneak a key into the git repository and wait
+for it to be installed by accident).
+
 Unsigned detector
 -----------------

@@ -18,3 +28,10 @@ The `unsigned_detect.pl` tool is meant to be run periodically (for example
 after each push). It goes through the repository it is run in and reports any
 new commits from listed email addresses that are not signed by a trusted key.
 If any such commits are found, it signals this by terminating with exit code 1.
+
+Signed tip
+----------
+
+This script simply terminates successfully if the tip of the current branch is
+signed by a trusted key and fails if it is not. It is expected to be run before
+any code from any repository is used.
--- a/gitsig/signed_tip
+++ b/gitsig/signed_tip
+#!/bin/sh
+
+# Copyright (c) 2015, CZ.NIC, z.s.p.o. (http://www.nic.cz/)
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above copyright
+#      notice, this list of conditions and the following disclaimer in the
+#      documentation and/or other materials provided with the distribution.
+#    * Neither the name of the CZ.NIC nor the
+#      names of its contributors may be used to endorse or promote products
+#      derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL CZ.NIC BE LIABLE FOR ANY
+# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+export GNUPGHOME=$HOME/git-gpg
+git log -n1 --pretty="%G?" | grep -qF 'G'