-rwxr-xr-x | local/require-signed-push | 21 |
1 files changed, 16 insertions, 5 deletions
diff --git a/local/require-signed-push b/local/require-signed-push
index e1f5213..1c10609 100755
--- a/local/require-signed-push
+++ b/local/require-signed-push
@@ -146,12 +146,23 @@ case ${VERIFY_SIGS} in
 esac
 # Now validate
+# see git-log(1) %G
+# 2020/04/06: BGUXYREN
 case $GIT_PUSH_CERT_STATUS in
 # Good
 G) ;;
+ # signature itself has expired
+ X) fail_signed_push "FAIL: push certificate signature is expired" ;;
+
+ # key is expired, but the good signature is otherwise good
+ Y) fail_signed_push "FAIL: key used for push certificate is expired" ;;
+
+ # good signature made by an revoked key
+ R) fail_signed_push "FAIL: key used for push certiticate is revoked" ;;
+
 # Bad
- B) fail_signed_push "Bad signature" ;;
+ B) fail_signed_push "FAIL: signature on push certificate is bad" ;;
 # Untrusted good
 U) ;; # TODO: deny this later
@@ -160,21 +171,21 @@ case $GIT_PUSH_CERT_STATUS in
 # No signature
 N) if [ -z "$GIT_PUSH_CERT" ]; then
- fail_signed_push "No signature found"
+ fail_signed_push "FAIL: no push certifiate found"
 else
- fail_signed_push "Push cert with no signature" # wtf?
+ fail_signed_push "FAIL: push certificate with no signature" # wtf?
 fi
 ;;
 # Can't verify -- usually means unknown key
 E) if [[ ${VERIFY_SIGS} != no ]]; then
- fail_signed_push "Unknown OpenPGP key"
+ fail_signed_push "FAIL: Unknown OpenPGP key used for push certificate"
 fi
 ;;
 # Future-proof
- *) fail_signed_push "Unknown GIT_PUSH_CERT_STATUS" ;;
+ *) fail_signed_push "FAIL: Unknown GIT_PUSH_CERT_STATUS" ;;
 esac |
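Review bot: The `G)` branch at the top of the first hunk accepts a good signature without looking at `GIT_PUSH_CERT_NONCE_STATUS`, and nothing in this hunk checks it; git's receive-pack only sets that variable so the hook can reject a replayed push certificate, so unless the nonce is validated elsewhere in the script (not visible here) a captured certificate with a good signature would be accepted on any later push. A one-line guard closes that: `G) [ "${GIT_PUSH_CERT_NONCE_STATUS}" = OK ] || fail_signed_push "FAIL: push certificate nonce status is ${GIT_PUSH_CERT_NONCE_STATUS}" ;;`. Separately, the new `R)` message misspells the word as `certiticate`; since this string is what the pusher sees on rejection it should read `"FAIL: key used for push certificate is revoked"`. The `case` statement these hunks modify begins before line 146 and the enclosing script continues past both hunks, so I cannot see whether a signer allowlist or nonce check exists outside this view.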
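Review bot: The new `N)` message in the second hunk misspells the word as `certifiate`; it should be `fail_signed_push "FAIL: no push certificate found"`. Worth noting for the same branch: the surrounding `[ -z "$GIT_PUSH_CERT" ]` test uses single brackets while the `E)` branch below uses `[[ ... ]]`, and with `GIT_PUSH_CERT` unquoted-safe here both forms work, but picking one style keeps the script consistent.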