Tools: improve verify-commits.py script #14809

pull jlopp wants to merge 1 commits into bitcoin:master from jlopp:verifyCommitsDocumentation changing 2 files +14 −5
  1. jlopp commented at 3:26 PM on November 26, 2018: contributor

    I ran into 3 different issues while trying to run the verify-commits script for the first time and I think documenting them would help save time for future developers.

    1. I was trying to just run it with "python" and didn't realize I had multiple python versions installed and this script is only syntactically valid for python 3.x.
    2. I needed to import the trusted keys
    3. The script was hanging because it was triggering my yubikey for signature verification
  2. in contrib/verify-commits/README.md:39 in a75edb9905 outdated 
      32 | @@ -33,6 +33,17 @@ Configuration files
  33 |  * `trusted-keys`: This file should contain a \n-delimited list of all PGP fingerprints of authorized commit signers (primary, not subkeys).
  34 |  * `allow-revsig-commits`: This file should contain a \n-delimited list of git commit hashes. See next section for more info.
  35 |  
  36 | +Import trusted keys
  37 | +-------------------
  38 | +In order to check the commit signatures you must add the trusted PGP keys to your machine. This can be done in Linux by running
  39 | +    while read -r LINE; do gpg --recv-keys $LINE; done < contrib/verify-commits/trusted-keys
    practicalswift commented at 9:16 PM on November 26, 2018:

    Should be a code block? :-)

    jnewbery commented at 9:28 PM on November 26, 2018:

    This is a markdown file. I suggest you surround this line with backticks to show that it's a command to type, ie:

    In order to check the commit signatures you must add the trusted PGP keys to your machine. This can be done in Linux by running:

    while read -r LINE; do gpg --recv-keys $LINE; done < contrib/verify-commits/trusted-keys

    This also assumes that the current working directory is the repo's root directoy. I'd assume it to be the verify-commits directory (ie the command would be while read -r LINE; do gpg --recv-keys $LINE; done < trusted-keys)

    Sjors commented at 3:51 PM on November 27, 2018:

    Bonus points: add sh as hint for syntax highlighting

    ```sh
while read...

    @jnewbery:

    assume it to be the verify-commits directory

    Agreed, but then the main command should probably also assume that. I wonder if that causes problems if it reaches old commits where this directory doesn't exist?

    dongcarl commented at 3:23 AM on December 3, 2018:

    Here's a simpler alternative that accomplishes the same thing:

    gpg --recv-keys $(<contrib/verify-commits/trusted-keys)
    jlopp commented at 4:07 PM on December 6, 2018:

    I changed it to a code block (and the other indented command is now also a code block) I also switched it to use the simplified command suggested by @dongcarl

    jlopp commented at 4:09 PM on December 6, 2018:

    Changed to use backticks with the shell suggestion.

    I'm ambivalent about the root directory assumption; the reason I went with this assumption was due to the command that already exists in the readme that makes this same assumption.

    jnewbery commented at 6:13 PM on December 6, 2018:

    I'm ambivalent about the root directory assumption

    Yep, I'm not really too fussed either way.

    jlopp commented at 6:34 PM on December 6, 2018:

    Nice, I switched to this command.

  3. in contrib/verify-commits/README.md:44 in a75edb9905 outdated 
      39 | +    while read -r LINE; do gpg --recv-keys $LINE; done < contrib/verify-commits/trusted-keys
  40 | +
  41 | +Note for smartcard users
  42 | +----------------------
  43 | +If you use a smartcard such as a YubiKey for GPG signing that requires a
  44 | +physical button press, you will need to set gpgSign = false in your git config,
    practicalswift commented at 9:17 PM on November 26, 2018:

    "gpgSign = false" better formatted as gpgSign = false? :-)

    jlopp commented at 4:08 PM on December 6, 2018:

    Yes, though I've completed removed this section now because @Sjors's suggested change to the git merge command in the python script now dynamically disables gpg signing

  4. practicalswift changes_requested
  5. jnewbery commented at 9:38 PM on November 26, 2018: member

    ACK a75edb990516eba298e1652050dbfd28a3dd0a30. One minor style nit inline.

  6. fanquake added the label Scripts and tools on Nov 26, 2018
  7. in contrib/verify-commits/README.md:6 in a75edb9905 outdated 
       2 | @@ -3,7 +3,7 @@ Tooling for verification of PGP signed commits
   3 |  
   4 |  This is an incomplete work in progress, but currently includes a pre-push hook
   5 |  script (`pre-push-hook.sh`) for maintainers to ensure that their own commits
   6 | -are PGP signed (nearly always merge commits), as well as a script to verify
   7 | +are PGP signed (nearly always merge commits), as well as a python 3 script to verify
    Sjors commented at 3:46 PM on November 27, 2018:

    Nit: upper case Python. I'm a bit surprised #!/usr/bin/env python3 at the top of that script wouldn't complain when it's run with Python 2.

    jlopp commented at 6:33 PM on December 6, 2018:

    I updated the capitalization. Played around with the python version support but found out that it's crashing immediately upon interpreting the script, so it's not even getting to attempting execution. Thus I don't think there's any way to improve the current state of the script without trying to rewrite all of the logging calls that cause the interpreter to blow up.

  8. Sjors commented at 3:56 PM on November 27, 2018: member

    Concept ACK. See above style improvements, as it's difficult to read now.

    I never tried this script before. Was able to run it based on your updated instructions (I wish it had a progress indicator though).

    A more thorough fix for (3) is to add --no-gpg-sign in verify-commits.py (see docs, untested).

    Further suggestions:

    • make it clear that "Configuration files" are already present in contrib/verify-commits
    • the linux import keys commands works fine on macOS too
  9. jlopp renamed this:
    Improve documentation for running verify-commits.py script
    Tools: improve verify-commits.py script
    on Dec 6, 2018
  10. jlopp force-pushed on Dec 6, 2018
  11. jlopp force-pushed on Dec 6, 2018
  12. Improve documentation for running verify-commits.py script 45842c3d26
  13. jlopp force-pushed on Dec 6, 2018
  14. jnewbery commented at 6:13 PM on December 6, 2018: member

    utACK 45842c3d26098ad6d12f5cb96bbcf9bcde650950

  15. MarcoFalke commented at 6:16 PM on December 6, 2018: member

    utACK 45842c3

  16. MarcoFalke added this to the milestone 0.18.0 on Dec 6, 2018
  17. jlopp commented at 6:38 PM on December 6, 2018: contributor

    I tested @Sjors's "--no-gpg-sign" suggestion and it resolved my smartcard issue with running the verification script. I also tested @dongcarl's simplified key import command.

  18. Sjors commented at 7:30 PM on December 6, 2018: member

    tACK 45842c3

  19. practicalswift commented at 9:39 PM on December 6, 2018: contributor

    utACK 45842c3d26098ad6d12f5cb96bbcf9bcde650950

  21. meshcollider merged this on Dec 10, 2018
  22. meshcollider closed this on Dec 10, 2018
  23. meshcollider referenced this in commit e946fc7eb1 on Dec 10, 2018
  24. jlopp deleted the branch on Dec 12, 2018
  25. TheArbitrator referenced this in commit a158b0527d on Jun 23, 2021
  26. linuxsh2 referenced this in commit f4aef478dd on Jul 29, 2021
  27. linuxsh2 referenced this in commit 9213a82723 on Jul 30, 2021
  28. linuxsh2 referenced this in commit 64b0e1ee2d on Aug 3, 2021
  29. MarcoFalke locked this on Sep 8, 2021
Contributors
jlopppracticalswiftjnewberySjorsdongcarlMarcoFalkemeshcollider
Labels
Scripts and tools

Milestone
0.18.0

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-05-01 18:15 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me