reorg
This commit is contained in:
parent
c9fed0fdaa
commit
8b6531ea43
|
@ -148,29 +148,14 @@ updateFirst' cmdline next = do
|
||||||
|
|
||||||
oldsha <- getCurrentGitSha1 branchref
|
oldsha <- getCurrentGitSha1 branchref
|
||||||
|
|
||||||
whenM (doesFileExist keyring) $ do
|
whenM (doesFileExist keyring) $
|
||||||
{- To verify origin branch commit's signature, have to
|
ifM (verifyOriginBranch originbranch)
|
||||||
- convince gpg to use our keyring. While running git log.
|
( do
|
||||||
- Which has no way to pass options to gpg.
|
|
||||||
- Argh! -}
|
|
||||||
let gpgconf = privDataDir </> "gpg.conf"
|
|
||||||
writeFile gpgconf $ unlines
|
|
||||||
[ " keyring " ++ keyring
|
|
||||||
, "no-auto-check-trustdb"
|
|
||||||
]
|
|
||||||
-- gpg is picky about perms
|
|
||||||
modifyFileMode privDataDir (removeModes otherGroupModes)
|
|
||||||
s <- readProcessEnv "git" ["log", "-n", "1", "--format=%G?", originbranch]
|
|
||||||
(Just [("GNUPGHOME", privDataDir)])
|
|
||||||
nukeFile $ privDataDir </> "trustdb.gpg"
|
|
||||||
nukeFile $ privDataDir </> "pubring.gpg"
|
|
||||||
nukeFile $ privDataDir </> "gpg.conf"
|
|
||||||
if s == "U\n" || s == "G\n"
|
|
||||||
then do
|
|
||||||
putStrLn $ "git branch " ++ originbranch ++ " gpg signature verified; merging"
|
putStrLn $ "git branch " ++ originbranch ++ " gpg signature verified; merging"
|
||||||
hFlush stdout
|
hFlush stdout
|
||||||
void $ boolSystem "git" [Param "merge", Param originbranch]
|
void $ boolSystem "git" [Param "merge", Param originbranch]
|
||||||
else warningMessage $ "git branch " ++ originbranch ++ " is not signed with a trusted gpg key; refusing to deploy it! (Running with previous configuration instead.)"
|
, warningMessage $ "git branch " ++ originbranch ++ " is not signed with a trusted gpg key; refusing to deploy it! (Running with previous configuration instead.)"
|
||||||
|
)
|
||||||
|
|
||||||
newsha <- getCurrentGitSha1 branchref
|
newsha <- getCurrentGitSha1 branchref
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,10 @@
|
||||||
module Propellor.Git where
|
module Propellor.Git where
|
||||||
|
|
||||||
import Propellor
|
import Propellor
|
||||||
|
import Propellor.PrivData.Paths
|
||||||
|
import Propellor.Gpg
|
||||||
import Utility.SafeCommand
|
import Utility.SafeCommand
|
||||||
|
import Utility.FileMode
|
||||||
|
|
||||||
getCurrentBranch :: IO String
|
getCurrentBranch :: IO String
|
||||||
getCurrentBranch = takeWhile (/= '\n')
|
getCurrentBranch = takeWhile (/= '\n')
|
||||||
|
@ -39,3 +42,23 @@ hasOrigin = do
|
||||||
rs <- lines <$> readProcess "git" ["remote"]
|
rs <- lines <$> readProcess "git" ["remote"]
|
||||||
return $ "origin" `elem` rs
|
return $ "origin" `elem` rs
|
||||||
|
|
||||||
|
{- To verify origin branch commit's signature, have to convince gpg
|
||||||
|
- to use our keyring.
|
||||||
|
- While running git log. Which has no way to pass options to gpg.
|
||||||
|
- Argh!
|
||||||
|
-}
|
||||||
|
verifyOriginBranch :: String -> IO Bool
|
||||||
|
verifyOriginBranch originbranch = do
|
||||||
|
let gpgconf = privDataDir </> "gpg.conf"
|
||||||
|
writeFile gpgconf $ unlines
|
||||||
|
[ " keyring " ++ keyring
|
||||||
|
, "no-auto-check-trustdb"
|
||||||
|
]
|
||||||
|
-- gpg is picky about perms
|
||||||
|
modifyFileMode privDataDir (removeModes otherGroupModes)
|
||||||
|
s <- readProcessEnv "git" ["log", "-n", "1", "--format=%G?", originbranch]
|
||||||
|
(Just [("GNUPGHOME", privDataDir)])
|
||||||
|
nukeFile $ privDataDir </> "trustdb.gpg"
|
||||||
|
nukeFile $ privDataDir </> "pubring.gpg"
|
||||||
|
nukeFile $ privDataDir </> "gpg.conf"
|
||||||
|
return (s == "U\n" || s == "G\n")
|
||||||
|
|
Loading…
Reference in New Issue