die $!;
}
-sub recordreject ($) {
+sub recorderror ($) {
my ($why) = @_;
my $w = $ENV{'DGIT_DRS_WORK'}; # we are in stunthook
if (defined $w) {
- open REJ, ">", "$w/drs-reject" or die $!;
- print REJ $why, "\n" or die $!;
- close REJ or die $!;
+ chomp $why;
+ open ERR, ">", "$w/drs-error" or die $!;
+ print ERR $why, "\n" or die $!;
+ close ERR or die $!;
+ return 1;
}
+ return 0;
}
sub reject ($) {
my ($why) = @_;
- recordreject $why;
+ recorderror "reject: $why";
die "dgit-repos-server: reject: $why\n";
}
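Review bot: recorderror's new return value is load-bearing, since the eval handler added at the end of this commit does `recorderror "$@" or die`, but the sub has no comment saying what 1 and 0 mean. I would add above it `# Writes $why to $DGIT_DRS_WORK/drs-error, replacing any earlier message; returns 1 if written, 0 if we are not in the stunt hook.` The `>` open mode means only the last recorded message survives. That is worth stating because a reject raised inside stunthook is recorded once here and then again by the eval handler.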
sub maybeinstallprospective () {
return if $destrepo eq $realdestrepo;
- if (open REJ, "<", "$workrepo/drs-reject") {
- $!=0; my $why = <REJ>;
- chomp $why or die $!;
- reject $why;
+ if (open REJ, "<", "$workrepo/drs-error") {
+ local $/ = undef;
+ my $msg = <REJ>;
+ REJ->error and die $!;
+ print STDERR $msg;
+ exit 1;
} else {
$!==&ENOENT or die $!;
}
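Review bot: An empty drs-error makes this branch exit 1 without printing anything, because in slurp mode `<REJ>` returns an empty string for a zero-length file and `REJ->error` is not set. That can happen if recorderror fails after its `>` open has already created the file, so I would add `$msg = "dgit-repos-server: error file was empty\n" unless length $msg;` before the print. The contents are relayed to STDERR byte-for-byte, so whatever a recorded message embeds reaches the pusher's terminal unfiltered. That looks fine for the reject strings visible here, but it matters more now that arbitrary `$@` text is recorded too. maybeinstallprospective continues past the end of this hunk.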
m/^(\S+) (\S+) (\S+)$/ or die "$_ ?";
my ($old, $sha1, $refname) = ($1, $2, $3);
if ($refname =~ m{^refs/tags/(?=debian/)}) {
- die if defined $tagname;
+ reject "pushing multiple tags!" if defined $tagname;
$tagname = $'; #';
$tagval = $sha1;
reject "tag $tagname already exists -".
" not replacing previously-pushed version"
if $old =~ m/[^0]/;
} elsif ($refname =~ m{^refs/dgit/}) {
- die if defined $suite;
+ reject "pushing multiple heads!" if defined $suite;
$suite = $'; #';
$oldcommit = $old;
$commit = $sha1;
} else {
- die;
+ reject "pushing unexpected ref!";
}
}
STDIN->error and die $!;
- die unless defined $tagname;
- die unless defined $suite;
+ reject "push is missing tag ref update" unless defined $tagname;
+ reject "push is missing head ref update" unless defined $suite;
debug " updates ok.";
}
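Review bot: The new reject calls in this loop never name the ref that triggered them, so "pushing unexpected ref!" in drs-error or on the pusher's terminal cannot be tied to a particular update. `$refname` has already matched `\S+` at this point, so `reject "pushing unexpected ref $refname!";` is cheap, and the two "multiple" messages could name the ref the same way. The enclosing sub starts before this hunk.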
for (;;) {
print PT or die $!;
- $!=0; $_=<T>; defined or die $!;
+ $!=0; $_=<T>; defined or die "missing signature? $!";
last if m/^-----BEGIN PGP/;
}
for (;;) {
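Review bot: At end of input `<T>` returns undef with `$!` still at the 0 it was reset to just before, so the new text on the `$_=<T>` line will most likely read "missing signature? " with nothing useful after it, and it is raised with die rather than reject. If running out of data before `-----BEGIN PGP` means the pushed tag is unsigned, that is a client error and reads better as `defined or ($! ? die "read tag: $!" : reject "tag object has no signature");`. Whether EOF here always implies an unsigned tag cannot be confirmed from the hunk, and the loop sits inside a sub that starts before it.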
while (<DT>) {
m/^fingerprint:\s+$keyid$/oi
..0 or next;
- m/^\S/
- or reject "key $keyid missing Allow section in permissions!";
+ if (s/^allow:/ /i..0) {
+ } else {
+ m/^./
+ or reject "key $keyid missing Allow section in permissions!";
+ next;
+ }
# in right stanza...
- s/^allow:/ /i
- ..0 or next;
- s/^\s+//
+ s/^[ \t]+//
or reject "package $package not allowed for key $keyid";
# in allow field...
s/\([^()]+\)//;
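Review bot: The new `if (s/^allow:/ /i..0) { } else { ... }` has an empty true branch and depends on two non-obvious facts. The `..0` flip-flop in practice never switches off once its left side has matched, and that left side is a substitution that edits `$_` as a side effect. I would write it as `unless (s/^allow:/ /i..0) {` and add a comment such as `# latches once "allow:" is seen; later lines are continuation lines of the Allow field`. The switch from `\s+` to `[ \t]+` also deserves a one-line why-comment, presumably that `\s` would accept the newline of an empty line. The loop begins before this hunk.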
reject "unknown suite";
}
+sub tagh1 ($) {
+ my ($tag) = @_;
+ my $vals = $tagh{$tag};
+ reject "missing tag $tag in signed tag object" unless $vals;
+ reject "multiple tags $tag in signed tag object" unless @$vals == 1;
+ return $vals->[0];
+}
+
sub checks () {
debug "checks";
checksuite();
- tagh1('type') eq 'commit' or die;
- tagh1('object') eq $commit or die;
- tagh1('tag') eq $tagname or die;
+ tagh1('type') eq 'commit' or reject "tag refers to wrong kind of object";
+ tagh1('object') eq $commit or reject "tag refers to wrong commit";
+ tagh1('tag') eq $tagname or reject "tag name in tag is wrong";
my $v = $version;
$v =~ y/~:/_%/;
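Review bot: tagh1's two messages call the header field a "tag", so a failure on the `tag` field reads "missing tag tag in signed tag object". `reject "missing field $tag in signed tag object"`, with the matching change for the "multiple" case, would be clearer to the pusher. The sub also has no comment; something like `# Returns the single value of header field $tag from the signed tag object; rejects the push if it is absent or repeated.` would help. checks continues beyond this hunk.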
sub stunthook () {
debug "stunthook";
- print Dumper(\$ENV{GIT_DIR});
chdir $workrepo or die "chdir $workrepo: $!";
mkdir "dgit-tmp" or $!==EEXIST or die $!;
readupdates();
defined($destrepo = $ENV{'DGIT_DRS_DEST'}) or die;
defined($keyrings = $ENV{'DGIT_DRS_KEYRINGS'}) or die $!;
open STDOUT, ">&STDERR" or die $!;
- stunthook();
+ eval {
+ stunthook();
+ };
+ if ($@) {
+ recorderror "$@" or die;
+ die $@;
+ }
exit 0;
}
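Review bot: In the new `if ($@)` handler, recorderror can itself die on an open, print or close failure, and that would replace the original failure from stunthook with an unrelated I/O error. Copying `$@` into a lexical first and guarding the recording step keeps the real cause: `my $err = $@;`, `eval { recorderror $err; 1 } or warn "dgit-repos-server: could not record error: $@";`, `die $err;`. That also removes the bare `die` after `or`, which only works because Perl re-raises `$@` when die is given no arguments. Internal die text carries script path and line details that reject reasons do not, and it is now saved to drs-error and printed verbatim by maybeinstallprospective. If the hook's stderr was not already visible to the pusher, that is new exposure to consider. The block containing this code opens before the hunk.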