Project description

Clincher

PyPI PyPI - License

clincher is a tool for checking that all the commits in a git repo are signed, or if they're not that someone has signed something afterwards to backfill that.

It implicitly trusts all the keys that are in the git repository, and dealing with keys that shouldn't be there is currently out of scope.

Options

--rev-spec: to check only the revisions in a git rev spec (as per https://git-scm.com/docs/gitrevisions#_specifying_ranges). Default is to check everything.
--git-path: specify the root directory of the git repo (defaults to the current directory)
--key-path: specify the keys path (default is "keys")
--manual-signing-path: specify the manually signed commits path (default is "manually_signed")

Trusted keys

The key-path folder contains a list of the GPG keys for all trusted users, which will be automatically imported by the tool. To export a key in the format we expect run gpg --export --armor <key id> (taking the key id from gpg --list-keys) and write it to a file in key-path ending with ".gpg". We suggest using the users name and today's date to allow for identification and coping with expired keys.

Please note that even if a key is expired, if it's been used to sign historical commits prior to it's expiry it should be kept, as otherwise you have a commit we don't know how to verify.

Unsigned commits

If a commit isn't signed, a file will be generated in the manual-signing-path folder corresponding to that commit. This is a representation of the commit that can be signed as a way to backfill the missing signing without editing the git history, and will be treated the same as the commit itself. It is named <git hash> - <author>.

To sign the commit, use the following

gpg --sign --armor --detach-sign <commit file>

This file should be named <git hash> - <author>.asc

Uploading new versions to PyPi

We use Flit for uploading so the following works

FLIT_USERNAME="<pypi username>" FLIT_PASSWORD="<pypi password>" flit publish

Project details

These details have not been verified by PyPI

Project links

Homepage

GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Release history Release notifications | RSS feed

This version

1.0

Oct 22, 2018

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

clincher-1.0.tar.gz (23.9 kB view hashes)

Uploaded Oct 22, 2018 Source

Built Distribution

clincher-1.0-py3-none-any.whl (45.5 kB view hashes)

Uploaded Oct 22, 2018 Python 3

Hashes for clincher-1.0.tar.gz

Hashes for clincher-1.0.tar.gz
Algorithm	Hash digest
SHA256	`dbd30bd0fc8172a5efa7b594169866db0a71d538c4bcde622adc9147d680225c`
MD5	`dce0db2e02bf58b9637bdaa6a7a7ffb3`
BLAKE2b-256	`53a2f13dcc43b32036125911dee963f4f4f776896fcb56455f78f84e8028625f`

Hashes for clincher-1.0-py3-none-any.whl

Hashes for clincher-1.0-py3-none-any.whl
Algorithm	Hash digest
SHA256	`b49a856b30d201d38732c3e3639f3f905ef85ca42d4474a19ecd4df30338aa50`
MD5	`6bd94788565d8505ad894c99a6840ebf`
BLAKE2b-256	`d97c045d7e37d7114c106ed66ab61a75160dc5271f2f0258b9d87532c5ede5f8`