From 3b5981d9cd580ea8ab74f4f950b1e3ebad08281f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?kleines=20Filmr=C3=B6llchen?=
Date: Wed, 5 Feb 2025 00:10:36 +0100
Subject: [PATCH 1/2] script bugfixes

- author casing
- trailing newline to make git recognize keys correctly
---
 verify.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/verify.py b/verify.py
index 8d7330c..ae8ce66 100755
--- a/verify.py
+++ b/verify.py
@@ -33,9 +33,10 @@ def last_commit_for(dir: Path, ref: git.Reference):
 def keylist_to_principals(keyfile_text: str, email: str) -> str:
+ # trailing newline, otherwise git may get confused and reject the key
 return "\n".join(
 f"{email} {public_key}" for public_key in keyfile_text.splitlines()
- )
+ ) + "\n"
 def get_forgejo_keys(username: str) -> str:
@@ -53,7 +54,8 @@ def verify_dir(dir: Path, ref: git.Reference):
 raise Exception("Missing keyfile")
 commit = last_commit_for(dir, ref)
 log.debug(f"Found last commit: {commit.name_rev}")
- if commit.author.name != username:
+ # ignore author casing
+ if commit.author.name.lower() != username.lower():
 raise Exception(
 f"Commit author {commit.author.name} is not the owner of this directory."
 )
@@ -80,9 +82,10 @@ def verify_dir(dir: Path, ref: git.Reference):
 config.set_value("gpg.ssh", "allowedSignersFile", temp_keyfile.name)
 temp_keyfile_contents = keylist_to_principals(remote_keys, email)
- log.debug(f"temp keyfile:\n{temp_keyfile_contents}")
 temp_keyfile.write(temp_keyfile_contents)
 temp_keyfile.flush()
+
+ log.debug(f"temp keyfile:\n{Path(temp_keyfile.name).read_text()}")
 # Check whether one of the user keys signed this commit.
 # throws an exception automatically if verification fails, nothing else to do
 ref.repo.git.verify_commit("--raw", commit.hexsha)
From d830965d7a81f75a28e7c5faef30ffcc4e6c55c6 Mon Sep 17 00:00:00 2001
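Review bot: `keyfile_text.splitlines()` turns every line of the fetched key list into a principal entry, so a blank or trailing empty line becomes the malformed entry `<email> ` and can make git reject the whole allowed-signers file — the very failure the added trailing newline is meant to avoid. Skipping empty lines in the generator closes that gap: `for public_key in keyfile_text.splitlines() if public_key.strip()`. Since this file is what binds commits to the directory owner, a one-line docstring such as `"""Build a git gpg.ssh.allowedSignersFile body, one `<email> <key>` line per key, newline-terminated."""` would help the next reader. get_forgejo_keys begins on the hunk's last line and continues outside it.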
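Review bot: `.lower()` is not a complete case-insensitive comparison for author names containing non-ASCII letters (e.g. `ß` vs `SS`, Turkish dotted/dotless i); Python's `str.casefold()` is the tool for this, i.e. `if commit.author.name.casefold() != username.casefold():`. The added comment would also benefit from stating that the author name is free-form metadata chosen by whoever made the commit, so this check only catches honest mismatches, and that the signature verification later in verify_dir is what actually ties the commit to the directory owner. verify_dir continues outside this hunk.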
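Review bot: `Path(temp_keyfile.name).read_text()` runs on every verification even when DEBUG logging is off, and it decodes with the locale encoding, which may not match the mode the temp file was opened with (its creation is outside the hunk); guard it with `if log.isEnabledFor(logging.DEBUG):` (assuming `logging` is imported where `log` is created) and pass an explicit `encoding=`. Re-reading the file instead of logging `temp_keyfile_contents` is a reasonable way to confirm what git will actually read, but that intent deserves a comment, e.g. `# re-read from disk so the log shows exactly what git's allowedSignersFile contains`. verify_dir continues outside this hunk.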
From: =?UTF-8?q?kleines=20Filmr=C3=B6llchen?=
Date: Wed, 5 Feb 2025 00:37:13 +0100
Subject: [PATCH 2/2] unfuck ref resolution too
---
 verify.py | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/verify.py b/verify.py
index ae8ce66..a04a3ae 100755
--- a/verify.py
+++ b/verify.py
@@ -28,7 +28,7 @@ def collect_user_dirs():
 def last_commit_for(dir: Path, ref: git.Reference):
 """Returns the Git commit signature for the last commit on this path."""
- last_commit_hash = str(ref.repo.git.rev_list("--max-count=1", action_ref, dir))
+ last_commit_hash = str(ref.repo.git.rev_list("--max-count=1", ref, dir))
 return ref.repo.commit(last_commit_hash)
@@ -101,7 +101,18 @@ def verify_dir(dir: Path, ref: git.Reference):
 def current_ref(repo: git.Repo) -> git.Reference:
- for ref in repo.references:
+ log.debug(f"{repo.references}")
+ # some of this logic stolen from https://code.forgejo.org/actions/checkout/src/branch/main/src/ref-helper.ts - the ref names github provides are beyond fucked
+ global action_ref
+ if (action_ref.startswith('refs/heads/')):
+ branch = action_ref.removeprefix('refs/heads/')
+ action_ref = branch
+ # refs/pull/
+ elif (action_ref.startswith('refs/pull/')):
+ branch = action_ref.removeprefix('refs/pull/')
+ action_ref = f'refs/remotes/pull/{branch}'
+
+ for ref in repo.refs:
 if ref.name == action_ref or ref.path == action_ref:
 return ref
 raise Exception(f"No ref named {action_ref} found")
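Review bot: `rev_list("--max-count=1", ref, dir)` still passes the directory without a `--` separator, so git parses `dir` as a revision first; a user directory whose name is also a valid revision (a user named like a branch or tag, or `HEAD`) is then rejected as ambiguous or resolved as a revision rather than a pathspec. Use `ref.repo.git.rev_list("--max-count=1", ref, "--", dir)` so the last argument is always a path. The docstring also says the function returns a "commit signature" while it returns the commit object from `ref.repo.commit(...)`; `"""Return the commit object for the most recent commit touching *dir* on *ref*."""` would be accurate.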
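Review bot: The new code rewrites the module-level `action_ref` in place (`global action_ref`) as a side effect of the lookup, so the translated name leaks into every later use — including the exception message at the end of the function — and a second call to current_ref sees an already-rewritten value. Keeping the translated name in a local and only reading the global makes the function idempotent; the parenthesised `if (...)` conditions and the `branch` temporaries can go at the same time. A `refs/pull/N/merge` ref points at the forge-generated merge commit rather than a commit the user signed, so what last_commit_for ends up verifying on such runs deserves a comment — I cannot tell from the hunk how pull-request runs are meant to behave.
```python
def current_ref(repo: git.Repo) -> git.Reference:
    log.debug(f"{repo.references}")
    # The runner's ref names differ from what GitPython exposes; mapping
    # adapted from actions/checkout's ref-helper.ts. Only read the global,
    # never rewrite it, so the lookup has no side effects.
    if action_ref.startswith('refs/heads/'):
        wanted = action_ref.removeprefix('refs/heads/')
    elif action_ref.startswith('refs/pull/'):
        wanted = f"refs/remotes/pull/{action_ref.removeprefix('refs/pull/')}"
    else:
        wanted = action_ref
    for ref in repo.refs:
        if ref.name == wanted or ref.path == wanted:
            return ref
    # … unchanged: raise Exception(...) …
```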