Build Scripts: Require GPG-signed Commits

- Update build script - Add authorized keys
2025-07-27 01:36:13 +00:00 · 2015-06-25 19:53:57 -04:00 · 2015-06-25 19:53:57 -04:00 · 3b50ddbad2
commit 3b50ddbad2
parent 887b63d10e
2 changed files with 26 additions and 0 deletions
--- a/_build/auto-build-committers.gnupg/pubring.gpg
+++ b/_build/auto-build-committers.gnupg/pubring.gpg
--- a/_build/update_site.sh
+++ b/_build/update_site.sh
@ -7,6 +7,7 @@ PATH=/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin

 source /etc/profile.d/rvm.sh

+AUTHORIZED_SIGNERS_DIR=/bitcoin.org/auto-build-committers.gnupg
 REPO='https://github.com/bitcoin-dot-org/bitcoin.org.git'
 SITEDIR='/bitcoin.org/site'
 DESTDIR='build@bitcoinorgsite:/var/www/site'
@ -39,6 +40,31 @@ fi
 git reset --hard origin/master
 git clean -x -f -d

+## Whether to auto-build or force-build
+case "${1:-nil}" in
+  auto)
+    ## From git-log(1):
+    ## %G?: show "G" for a Good signature, "B" for a Bad signature, "U"
+    ## for a good, untrusted signature and "N" for no signature
+    if ! GNUPGHOME=$AUTHORIZED_SIGNERS_DIR git log --format='%G?' -1 | egrep -q '^(G|U)$'
+    then
+      echo "Commit tree tip not signed by an authorized signer.  Terminating build."
+      exit 1
+    fi
+  ;;
+
+  force)
+    true
+  ;;
+
+  *)
+    echo "$0 <auto|force>"
+    echo
+    echo "auto: only builds if the latest commit is GPG signed by an authorized key"
+    echo "force: builds latest commit no matter what"
+  ;;
+esac
+
 # Copy files to temporary directory
 rsync -rt --delete "$SITEDIR/" "$WORKDIR/"