author Joey Hess 2014-06-10 15:49:17 -0400
committer Joey Hess 2014-06-10 15:49:17 -0400
commit dd554e20b999fbd24ae15e7ee96556ff52d9f0cc
tree 705c71bb5047cc3f74252c6efb05a3db3bd2385a
parent f65cd1500fca2bb7f44e1c76f07821d7ecf5b132
When git gpg signature of a fetched git branch cannot be verified, propellor will now continue running, but without merging in that branch.
This way, propellor doesn't stop enforcing properties just because its new configuration isn't ready. It just uses the old configuration.
-rw-r--r-- debian/changelog 2
-rw-r--r-- src/Propellor/CmdLine.hs 7
2 files changed, 6 insertions, 3 deletions
diff --git a/debian/changelog b/debian/changelog
index b7303cb3..58ab7ba7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,8 @@ propellor (0.7.0) UNRELEASED; urgency=medium
failure.
* Attr is renamed to Info.
* Renamed wrapper to propellor to make cabal installation of propellor work.
+ * When git gpg signature of a fetched git branch cannot be verified,
+ propellor will now continue running, but without merging in that branch.
-- Joey Hess <joeyh@debian.org> Sat, 07 Jun 2014 00:12:44 -0400
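Review bot: the new changelog entry does not say that an unverifiable signature used to be a fatal error and is now only a warning, which matters to anyone who relied on propellor exiting to notice an untrusted push. Suggest extending the entry to say that the host keeps enforcing its previous configuration and that the failure is now reported as a warning, so operators know to watch the output for the "is not signed with a trusted gpg key" message rather than for a failed run.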
diff --git a/src/Propellor/CmdLine.hs b/src/Propellor/CmdLine.hs
index 06a5921d..32e97316 100644
--- a/src/Propellor/CmdLine.hs
+++ b/src/Propellor/CmdLine.hs
@@ -132,6 +132,8 @@ updateFirst cmdline next = do
void $ actionMessage "Git fetch" $ boolSystem "git" [Param "fetch"]
+ oldsha <- getCurrentGitSha1 branchref
+
whenM (doesFileExist keyring) $ do
{- To verify origin branch commit's signature, have to
- convince gpg to use our keyring. While running git log.
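Review bot: the added `oldsha <- getCurrentGitSha1 branchref` has no comment explaining why it now sits before the keyring check. Since the merge moves into the verified branch in the next hunk, a one-line comment here saying that oldsha must be captured before any merge can happen, so that the later `oldsha == newsha` comparison reflects whether a verified merge took place, would keep a future edit from moving it back below the verification block.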
@@ -153,10 +155,9 @@ updateFirst cmdline next = do
then do
putStrLn $ "git branch " ++ originbranch ++ " gpg signature verified; merging"
hFlush stdout
- else errorMessage $ "git branch " ++ originbranch ++ " is not signed with a trusted gpg key; refusing to deploy it!"
+ void $ boolSystem "git" [Param "merge", Param originbranch]
+ else warningMessage $ "git branch " ++ originbranch ++ " is not signed with a trusted gpg key; refusing to deploy it! (Running with previous configuration instead.)"
- oldsha <- getCurrentGitSha1 branchref
- void $ boolSystem "git" [Param "merge", Param originbranch]
newsha <- getCurrentGitSha1 branchref
if oldsha == newsha
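Review bot: with `git merge` moved into the `then do` branch, merging now depends on the signature check having run. If this `if` still sits inside the `whenM (doesFileExist keyring)` block shown in the previous hunk, a host with no keyring file will no longer merge the origin branch at all, whereas the removed merge line ran after that block. The commit message only describes the failed-verification case, so please either confirm that skipping the merge without a keyring is intended or handle that case explicitly. Also, the merge result is still discarded with `void`, so a failed merge of a verified branch looks the same to the `oldsha == newsha` check as having no new commits; consider reporting it.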