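#!/usr/bin/env bash
# Copyright (C) 2025 Tech. TTGames
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
# --- Git Alibi ---
# This is a post-commit hook that requests an RFC 3161 Trusted Timestamp for
# the commit that was just created and stores the verified token under the
# git notes ref "alibi".
#
# post-commit runs after the commit object already exists, so a non-zero exit
# from this hook does not undo the commit; it only leaves that commit without
# an alibi note. Every failure path prints a diagnostic to stderr, and the
# temporary request/response files are removed on any exit (see the trap).
#
# Not -e: each step checks its own exit status so it can report a message
# that includes the code. -u and pipefail catch unset variables and a failing
# stage inside the hashing pipeline.
set -u -o pipefail
# --- Variables ---
# TSA:
# Sample TimeStamp Authority. Can be replaced with any RFC3161 TSA.
TSA="https://freetsa.org/tsr"
# CA certificate that anchors verification of the TSA's signature on the
# response. The path is relative to the hook's working directory, which git
# sets to the root of the working tree for post-commit; if the file is
# missing or unreadable, verification is impossible and the hook fails below.
TSA_CERT="cacert.pem"
# Upper bound on the TSA round-trip so a stalled server cannot hang the commit.
CURL_MAX_TIME=30
# Local Files:
# Resolve the git directory instead of hard-coding ".git" so the hook also
# works from a linked worktree, where ".git" is a file rather than a directory.
# (Deliberately not named GIT_DIR, which git reads from the environment.)
if ! GIT_DIR_PATH=$(git rev-parse --git-dir); then
  echo "Error: Failed to locate the git directory." >&2
  exit 1
fi
TSQ_FILE="$GIT_DIR_PATH/commit_request.tsq"
TSR_FILE="$GIT_DIR_PATH/commit_response.tsr"
# Remove the temporary files on every exit path, success or error.
cleanup() { rm -f -- "$TSQ_FILE" "$TSR_FILE"; }
trap cleanup EXIT
# --- Get Commit Hash (needed for git notes later) ---
if ! COMMIT_HASH=$(git rev-parse HEAD); then
  echo "Error: Failed to get commit hash." >&2
  exit 1
fi
# --- Hash the Git Commit Hash string ---
# The timestamp covers SHA-256 of the commit-id string (no trailing newline).
# printf rather than echo -n: echo's -n handling is not portable.
# openssl prints "<label>= <hex>"; keep only the hex digest after the space.
HASH=$(printf '%s' "$COMMIT_HASH" | openssl dgst -sha256 -hex | sed 's/^.* //')
# Require a well-formed 64-digit hex digest, not merely a non-empty string,
# so a garbled openssl line cannot be sent to the TSA as a "digest".
if [[ ! "$HASH" =~ ^[0-9a-fA-F]{64}$ ]]; then
  echo "Error: Failed to calculate hash of commit hash." >&2
  exit 1
fi
# --- Generate the TimeStamp Request file ---
# -cert asks the TSA to include its certificate; the default nonce lets
# -verify below bind the response to this exact request.
if ! openssl ts -query -digest "$HASH" -sha256 -cert -out "$TSQ_FILE"; then
  echo "Error: openssl ts -query failed." >&2
  exit 1
fi
# --- File the Request with the TSA ---
# -f makes HTTP error responses fail the command instead of being saved as a
# token; -s -S keeps curl quiet except for real errors.
curl -s -S -f \
  --max-time "$CURL_MAX_TIME" \
  -H "Content-Type: application/timestamp-query" \
  --data-binary "@$TSQ_FILE" \
  -o "$TSR_FILE" \
  "$TSA"
CURL_EXIT_CODE=$?
if [[ "$CURL_EXIT_CODE" -ne 0 ]]; then
  echo "Error: curl command failed with exit code $CURL_EXIT_CODE." >&2
  echo "Check TSA URL ($TSA), network connectivity, and permissions." >&2
  exit 1
fi
# --- Verify the TSA Response ---
# Fail early with a clear message when the trust anchor itself is absent.
if [[ ! -r "$TSA_CERT" ]]; then
  echo "Error: TSA CA certificate '$TSA_CERT' is missing or unreadable." >&2
  exit 1
fi
# -queryfile checks the token against the request (digest and nonce);
# -CAfile checks the TSA signature chains to the configured CA.
openssl ts -verify -in "$TSR_FILE" -queryfile "$TSQ_FILE" -CAfile "$TSA_CERT"
VERIFY_EXIT_CODE=$?
if [[ "$VERIFY_EXIT_CODE" -ne 0 ]]; then
  echo "Error: TSA token verification failed! (Exit code $VERIFY_EXIT_CODE)" >&2
  echo "Token may be invalid, from wrong TSA, or doesn't match request." >&2
  exit 1
fi
# --- Store verified token in Git Notes ---
# Only a token that passed verification reaches the notes ref. -f replaces an
# existing note for this commit; --no-stripspace keeps the binary token intact.
git notes --ref=alibi add -f --no-stripspace -F "$TSR_FILE" "$COMMIT_HASH"
NOTES_EXIT_CODE=$?
if [[ "$NOTES_EXIT_CODE" -ne 0 ]]; then
  echo "Error: Failed to add git note. (Exit code $NOTES_EXIT_CODE)" >&2
  exit 1
fi
# --- Exit (temporary files are removed by the EXIT trap) ---
exit 0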