diff options
| -rw-r--r-- | debian/changelog | 2 | ||||
| -rw-r--r-- | debian/control | 4 | ||||
| -rw-r--r-- | src/Propellor/Git/VerifiedBranch.hs | 9 |
3 files changed, 8 insertions, 7 deletions
diff --git a/debian/changelog b/debian/changelog index bf4df720..c4707e71 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,6 +2,8 @@ propellor (5.4.1) UNRELEASED; urgency=medium * Modernized and simplified the MetaTypes implementation now that compatability with ghc 7 is no longer needed. + * Use git verify-commit to verify gpg signatures, rather than the old + method of parsing git log output. Needs git 2.0. -- Joey Hess <id@joeyh.name> Fri, 18 May 2018 10:25:05 -0400 diff --git a/debian/control b/debian/control index 5a041c90..0a8701a0 100644 --- a/debian/control +++ b/debian/control @@ -3,7 +3,7 @@ Section: admin Priority: optional Build-Depends: debhelper (>= 9), - git, + git (>= 2.0), ghc (>= 7.6), cabal-install, libghc-async-dev, @@ -43,7 +43,7 @@ Depends: ${misc:Depends}, ${shlibs:Depends}, libghc-stm-dev, libghc-text-dev, libghc-hashable-dev, - git, + git (>= 2.0), Description: property-based host configuration management in haskell Propellor ensures that the system it's run in satisfies a list of properties, taking action as necessary when a property is not yet met. diff --git a/src/Propellor/Git/VerifiedBranch.hs b/src/Propellor/Git/VerifiedBranch.hs index df607bd2..e56379f4 100644 --- a/src/Propellor/Git/VerifiedBranch.hs +++ b/src/Propellor/Git/VerifiedBranch.hs @@ -6,9 +6,8 @@ import Propellor.PrivData.Paths import Utility.FileMode {- To verify origin branch commit's signature, have to convince gpg - - to use our keyring. - - While running git log. Which has no way to pass options to gpg. - - Argh! + - to use our keyring while running git verify-tag. + - Which has no way to pass options to gpg. Argh! -} verifyOriginBranch :: String -> IO Bool verifyOriginBranch originbranch = do @@ -20,12 +19,12 @@ verifyOriginBranch originbranch = do ] -- gpg is picky about perms modifyFileMode privDataDir (removeModes otherGroupModes) - s <- readProcessEnv "git" ["log", "-n", "1", "--format=%G?", originbranch] + verified <- boolSystemEnv "git" ["verify-commit", originbranch] (Just [("GNUPGHOME", privDataDir)]) nukeFile $ privDataDir </> "trustdb.gpg" nukeFile $ privDataDir </> "pubring.gpg" nukeFile $ privDataDir </> "gpg.conf" - return (s == "U\n" || s == "G\n") + return verified -- Returns True if HEAD is changed by fetching and merging from origin. fetchOrigin :: IO Bool |