Diffstat (limited to 'Documentation')
-rw-r--r-- Documentation/config.txt 6
-rw-r--r-- Documentation/git-push.txt 9
-rw-r--r-- Documentation/git-receive-pack.txt 19
3 files changed, 32 insertions, 2 deletions
diff --git a/Documentation/config.txt b/Documentation/config.txt
index c55c22ab7..0d01e3288 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -2038,6 +2038,12 @@ rebase.autostash::
successful rebase might result in non-trivial conflicts.
Defaults to false.
+receive.acceptpushcert::
+ By default, `git receive-pack` will advertise that it
+ accepts `git push --signed`. Setting this variable to
+ false disables it (this is a tentative variable that
+ will go away at the end of this series).
+
receive.autogc::
By default, git-receive-pack will run "git-gc --auto" after
receiving data from git-push and updating refs. You can stop
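Review bot: The parenthetical "(this is a tentative variable that will go away at the end of this series)" in the new receive.acceptpushcert entry is development-process text in user-facing documentation, and it will read as stale in any tree that stops at this commit. Consider moving that remark to the commit message. The entry also does not say what a client running `git push --signed` sees when the variable is false; one sentence on that outcome would let an administrator judge the effect of disabling it.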
diff --git a/Documentation/git-push.txt b/Documentation/git-push.txt
index 21cd45550..21b3f29c3 100644
--- a/Documentation/git-push.txt
+++ b/Documentation/git-push.txt
@@ -10,7 +10,8 @@ SYNOPSIS
--------
[verse]
'git push' [--all | --mirror | --tags] [--follow-tags] [-n | --dry-run] [--receive-pack=<git-receive-pack>]
- [--repo=<repository>] [-f | --force] [--prune] [-v | --verbose] [-u | --set-upstream]
+ [--repo=<repository>] [-f | --force] [--prune] [-v | --verbose]
+ [-u | --set-upstream] [--signed]
[--force-with-lease[=<refname>[:<expect>]]]
[--no-verify] [<repository> [<refspec>...]]
@@ -129,6 +130,12 @@ already exists on the remote side.
from the remote but are pointing at commit-ish that are
reachable from the refs being pushed.
+--signed::
+ GPG-sign the push request to update refs on the receiving
+ side, to allow it to be checked by the hooks and/or be
+ logged. See linkgit:git-receive-pack[1] for the details
+ on the receiving end.
+
--receive-pack=<git-receive-pack>::
--exec=<git-receive-pack>::
Path to the 'git-receive-pack' program on the remote
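Review bot: The new `--signed` entry does not say what happens when the receiving side does not advertise support, which the receive.acceptpushcert hunk in config.txt shows is possible. It should state whether the push is refused or proceeds unsigned, since a user relying on the signature for audit needs to know which. It would also help to say which key is used for the signature, because "GPG-sign the push request" leaves that open.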
diff --git a/Documentation/git-receive-pack.txt b/Documentation/git-receive-pack.txt
index b1f7dc643..a2dd74376 100644
--- a/Documentation/git-receive-pack.txt
+++ b/Documentation/git-receive-pack.txt
@@ -53,6 +53,11 @@ the update. Refs to be created will have sha1-old equal to 0\{40},
while refs to be deleted will have sha1-new equal to 0\{40}, otherwise
sha1-old and sha1-new should be valid objects in the repository.
+When accepting a signed push (see linkgit:git-push[1]), the signed
+push certificate is stored in a blob and an environment variable
+`GIT_PUSH_CERT` can be consulted for its object name. See the
+description of `post-receive` hook for an example.
+
This hook is called before any refname is updated and before any
fast-forward checks are performed.
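Review bot: The new pre-receive paragraph says the certificate "is stored in a blob" and that `GIT_PUSH_CERT` holds its object name, but it does not say whether the signature has been checked before the hook runs. A hook author could read a non-empty `GIT_PUSH_CERT` as proof of a valid signature. Please state explicitly whether the hook must verify the certificate itself, and whether the variable is unset or empty for an unsigned push. Pointing to the `post-receive` description for the example is fine, but the semantics belong here, where the accept-or-reject decision is made.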
@@ -101,9 +106,14 @@ the update. Refs that were created will have sha1-old equal to
0\{40}, otherwise sha1-old and sha1-new should be valid objects in
the repository.
+The `GIT_PUSH_CERT` environment variable can be inspected, just as
+in `pre-receive` hook, after accepting a signed push.
+
Using this hook, it is easy to generate mails describing the updates
to the repository. This example script sends one mail message per
-ref listing the commits pushed to the repository:
+ref listing the commits pushed to the repository, and logs the push
+certificates of signed pushes to a logger
+service:
#!/bin/sh
# mail out commit update information.
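Review bot: The added wording "logs the push certificates of signed pushes to a logger service" does not match the example that follows, which mails the certificate to push-log@mydomain; say "mails the push certificate to a logging address" or similar so the text and the script agree. The re-wrapped sentence also leaves "service:" alone on its own line and would read better re-flowed. In the paragraph above, "just as in `pre-receive` hook" is missing an article ("the `pre-receive` hook").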
@@ -119,6 +129,13 @@ ref listing the commits pushed to the repository:
fi |
mail -s "Changes to ref $ref" commit-list@mydomain
done
+ # log signed push certificate, if any
+ if test -n "${GIT_PUSH_CERT-}"
+ then
+ (
+ git cat-file blob ${GIT_PUSH_CERT}
+ ) | mail -s "push certificate" push-log@mydomain
+ fi
exit 0
The exit code from this hook invocation is ignored, however a
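Review bot: In the added block, `git cat-file blob ${GIT_PUSH_CERT}` expands the variable unquoted while the test two lines above quotes it as "${GIT_PUSH_CERT-}"; quote it here as well ("$GIT_PUSH_CERT") so the example models safe shell for hook authors who copy it. The subshell parentheses around a single command are unnecessary, and the pipe to `mail` can follow the command directly. Since this is the only example of consuming the certificate, a comment noting that it records the certificate as received, without checking the signature, would prevent readers from treating the mail as a verified record.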