Follow-up Comment #4, sr #109104 (project administration):

Unfortunately, this hook can be easily defeated. Here's some example output from the current tip of master:

$ git cat-file -p HEAD
tree c65e675351fe76b2630df24eddcb2449774eb344
parent e87c7ec2de815f05d7a84e2792e2da700bb26a38
author Leo Famulari 1470169005 -0400
committer Leo Famulari 1470538536 -0400
gpgsig -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABCAAGBQJXpqMoAAoJECZG+jC6yn8Ihn8P+wfUhS5HOL7181KC8ZRdTFC5
 5XjavRq/08LJzO2mxer1r5oVcWYuZAvnPKZltO1vdIp0ncvU40c4nmaNpQiB/w6B
 8slSkqBsoCVE7GEKHoAWju7Rwwlqw4fUSgDWw5JpJ/3S2PhRj+tvy8o/wCeBEwTL
 c90yivRmpKZcdcRgSPHqhHhMJ7lIJxbvHKlb30SPz9vdQTj13EUeeyyJQc/7lu7D
 kUiUu9MOjC3o8dPE8E7otMnD51xfj8SNvs5h7cZAMByS0Qk06RwK+O5POkBlXUMV
 lVxgPJsC7LfqJJ/VGLb5uOIoXMUCGV3mzdDXA+Pe+xvTTGOT+8rNsPl7kwxAGYqC
 vPVrY1dC6CzRX8/7etvb99UHf2nx0NbYRAvetZzh9j6WBbMqGBgHMndRh6i6Y7Fl
 BioG+J22sXCQjf3ydRvjd8cznlfvBCTqo9zSqeoG7Ha/qSh1pX16KAUxLi1YGzK6
 I79iqOEvpoxwS/9Ym+GB+4rLTimqhtDKN7v3XaQudJ8t6hMlGi+pqjiLhNI8q2c9
 dd3RthLu+Zom4duwnGo0BJEVC+CDLYGcdiwCKOpLaI9KtQbCv6useALPBk5RKPHr
 pE1Y7nTmBw7Rxl2GuaNOH9x5cHOuULfWW+HLm3JSwTjD4cpAxnFDP7qYINSo7XGR
 HGWK/43B5syf6FhZws8N
 =h+H0
 -----END PGP SIGNATURE-----

gnu: Add python-pythondialog.

* gnu/packages/python.scm (python-pythondialog): New variable.
(python2-pythondialog): Inherit from PYTHON-PYTHONDIALOG.

Co-authored-by: Vincent Legoll

The hook currently greps for `^gpgsig '. It will indeed find a GPG signature if it exists, but to circumvent it, an attacker need only put `gpgsig' in the commit message at column 0---the commit messages aren't indented in the output.

You can replace the entire loop in the hook with this:

git log --pretty='%GK %h %s' "$rev_old^..$rev_new" \
  | awk '/^ / {
      e=1
      print "error: missing signature:" $0 > "/dev/stderr"
    }
    END { exit e }'

If the commit is not signed, then `%GK` (GPG key id) will yield an empty string. Here's some example output (run with HEAD~15..):

error: missing signature: 7ccb874 gnu: zsh: Move to shells.scm.
error: missing signature: 7977d76 Update NEWS.

_______________________________________________________

Reply to this item at:

_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
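
The weakness described in the comment above, shown on raw commit objects, as an added example that is not part of the original comment or of the Savannah hook. The two commit objects are constructed samples and all function names are hypothetical; the header-aware check only searches the header block, which ends at the first empty line. A `gpgsig` header shows that a signature is attached, not that it verifies.

```shell
#!/bin/sh
# Added example: constructed commit objects, no repository needed.

# The check as described in the comment: any line starting with "gpgsig ".
naive_has_gpgsig() {
    grep -q '^gpgsig '
}

# Header-aware check: commit headers end at the first empty line, so
# nothing in the commit message is ever inspected.
header_has_gpgsig() {
    awk '
        /^$/       { exit }             # end of headers, stop reading
        /^gpgsig / { found = 1; exit }  # real header line
        END        { exit !found }      # status 0 only if a header was seen
    '
}

# Constructed: unsigned commit whose message has "gpgsig " at column 0.
unsigned_spoofed() {
    cat <<'EOF'
tree 0000000000000000000000000000000000000000
author A U Thor <author@example.org> 1470000000 +0000
committer A U Thor <author@example.org> 1470000000 +0000

gnu: Add something.

gpgsig this line is only message text
EOF
}

# Constructed: commit carrying a gpgsig header (placeholder signature body).
signed() {
    cat <<'EOF'
tree 0000000000000000000000000000000000000000
author A U Thor <author@example.org> 1470000000 +0000
committer A U Thor <author@example.org> 1470000000 +0000
gpgsig -----BEGIN PGP SIGNATURE-----
 PLACEHOLDER
 -----END PGP SIGNATURE-----

gnu: Add something.
EOF
}

# Run both checks on one sample and report the verdicts.
check() {  # usage: check <sample-function>
    if "$1" | naive_has_gpgsig; then n=yes; else n=no; fi
    if "$1" | header_has_gpgsig; then h=yes; else h=no; fi
    echo "$1: naive=$n header-aware=$h"
}
check unsigned_spoofed
check signed
```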