setup empty allowed signers to check ssh signature status

terrastruct · Oct 12, 2023 · c838bcc · c838bcc
1 parent 782b3f6
commit c838bcc
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/.gitignore b/.gitignore
@@ -1 +1,2 @@
 .changed-files
+.emptyAllowedSigners
diff --git a/lib/git.sh b/lib/git.sh
@@ -177,7 +177,8 @@ ensure_signed() {
     return
   fi
 
-  # look for signature status N: no signature
+  setup_allowed_signers
+  # look for signature status N: no signature (verification done by github)
   if [ ! "$(git log --format="%G?" ${GIT_BASE:+"$GIT_BASE..HEAD"} | grep "N")" ]; then
     return
   fi
@@ -186,6 +187,17 @@ ensure_signed() {
   return 1
 }
 
+setup_allowed_signers() {
+  # we only care if a signature is present (github will verify) so we don't need any entries,
+  # but "gpg.ssh.allowedSignersFile needs to be configured and exist for ssh signature verification"
+  if git config --get gpg.ssh.allowedSignersFile >/dev/null; then
+    return
+  fi
+  allowed_signers=".emptyAllowedSigners"
+  touch $allowed_signers
+  git config --local gpg.ssh.allowedSignersFile "$allowed_signers"
+}
+
 git_commit_count() {
   # macOS sh is buggy and requires the subshell here.
   (git rev-list HEAD --count 2>/dev/null) || echo 0