Merge #9880: Verify Tree-SHA512s in merge commits, enforce sigs are not SHA1

bbd7579 Fix regsig checking for subkey sigs in verify-commits (Matt Corallo) d025bc7 Allow any subkey in verify-commits (Matt Corallo) eddc77a Add comment re: why SHA1 is disabled (Peter Todd) d9c450f Verify Tree-SHA512s in merge commits, enforce sigs are not SHA1 (Matt Corallo) be908a6 Fail merge if there are any symlinks (Matt Corallo) Tree-SHA512: bb66c59cc1c6b1c86d7d8be7adb0769c6598c0e28ad927409941f30af87d390521e82fc13700ee22e92db1bd571db3e19a152ec7b2c0349c6e06f5de62c0b65f
2025-10-10 19:43:13 +02:00 · 2017-03-06 17:19:15 +01:00
parent 8a3b07529d bbd757940b
commit 4df8213b98
5 changed files with 101 additions and 12 deletions
--- a/contrib/devtools/github-merge.py
+++ b/contrib/devtools/github-merge.py
@@ -70,6 +70,14 @@ def ask_prompt(text):
    print("",file=stderr)
    return reply

+def get_symlink_files():
+    files = sorted(subprocess.check_output([GIT, 'ls-tree', '--full-tree', '-r', 'HEAD']).splitlines())
+    ret = []
+    for f in files:
+        if (int(f.decode('utf-8').split(" ")[0], 8) & 0o170000) == 0o120000:
+            ret.append(f.decode('utf-8').split("\t")[1])
+    return ret
+
 def tree_sha512sum():
    files = sorted(subprocess.check_output([GIT, 'ls-tree', '--full-tree', '-r', '--name-only', 'HEAD']).splitlines())
    overall = hashlib.sha512()
@@ -200,6 +208,12 @@ def main():
            print("ERROR: Creating merge failed (already merged?).",file=stderr)
            exit(4)

+        symlink_files = get_symlink_files()
+        for f in symlink_files;
+            print("ERROR: File %s was a symlink" % f)
+        if len(symlink_files) > 0:
+            exit(4)
+
        # Put tree SHA512 into the message
        try:
            first_sha512 = tree_sha512sum()