From 7a2914b504ed0dfca6d2dcd923b660052217cccb Mon Sep 17 00:00:00 2001
From: Gavin Nishizawa
Date: Thu, 12 Oct 2023 13:37:40 -0700
Subject: [PATCH] setup empty allowed signers to check ssh signature status
---
 .gitignore | 1 +
 lib.sh | 14 +++++++++++++-
 lib/git.sh | 14 +++++++++++++-
 3 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index 16e19f3..90fa38f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 .changed-files
+.emptyAllowedSigners
diff --git a/lib.sh b/lib.sh
index 2dc3032..d54c882 100644
--- a/lib.sh
+++ b/lib.sh
@@ -335,7 +335,8 @@ ensure_signed() {
 return
 fi
- # look for signature status N: no signature
+ setup_allowed_signers
+ # look for signature status N: no signature (verification done by github)
 if [ ! "$(git log --format="%G?" ${GIT_BASE:+"$GIT_BASE..HEAD"} | grep "N")" ]; then
 return
 fi
@@ -344,6 +345,17 @@ ensure_signed() {
 return 1
 }
+setup_allowed_signers() {
+ # we only care if a signature is present (github will verify) so we don't need any entries,
+ # but "gpg.ssh.allowedSignersFile needs to be configured and exist for ssh signature verification"
+ if git config --get gpg.ssh.allowedSignersFile >/dev/null; then
+ return
+ fi
+ allowed_signers=".emptyAllowedSigners"
+ touch $allowed_signers
+ git config --local gpg.ssh.allowedSignersFile "$allowed_signers"
+}
+
 git_commit_count() {
 # macOS sh is buggy and requires the subshell here.
 (git rev-list HEAD --count 2>/dev/null) || echo 0
diff --git a/lib/git.sh b/lib/git.sh
index 6a7de27..92ebbc1 100644
--- a/lib/git.sh
+++ b/lib/git.sh
@@ -177,7 +177,8 @@ ensure_signed() {
 return
 fi
- # look for signature status N: no signature
+ setup_allowed_signers
+ # look for signature status N: no signature (verification done by github)
 if [ ! "$(git log --format="%G?" ${GIT_BASE:+"$GIT_BASE..HEAD"} | grep "N")" ]; then
 return
 fi
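Review bot: The added comment `(verification done by github)` understates what this guard now accepts: once setup_allowed_signers points git at an empty allowed-signers list, an SSH signature from any key at all (not just one the user trusts) keeps `%G?` away from `N`, so the check proves only that a signature exists, not that it is valid or from a known key. Suggest `# look for signature status N: no signature. Only presence is checked here: the key is not validated locally (the allowed-signers list is empty), GitHub verifies it on push.` so a reader does not take this as a local verification step. Calling `setup_allowed_signers` unconditionally also means every run of ensure_signed performs the setup, including in repos that only use GPG signing, which is worth a clause in the same comment. ensure_signed starts and ends outside the hunk; the matching first hunk of lib/git.sh has the identical comment and call and needs the same wording.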
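Review bot: `git config --local gpg.ssh.allowedSignersFile "$allowed_signers"` turns a one-off presence check into a persistent change to the repository: the `.git/config` entry outlives the run and, because local scope wins over global, silently shadows any real allowed-signers file the user configures later, so `git verify-commit` and `git log --show-signature` in that repo will keep reporting every SSH signature as unverifiable with no hint why. The relative `.emptyAllowedSigners` is also created with `touch` in whatever directory the script happens to run from, while git, as far as I can tell, hands the path to ssh-keygen from the worktree top-level, so the file and the config value can refer to different locations when the script is run from a subdirectory. Prefer an absolute path under the worktree root and scope the override to the current process via the `GIT_CONFIG_COUNT`/`GIT_CONFIG_KEY_0`/`GIT_CONFIG_VALUE_0` environment (git 2.31+), which the later `git log` in ensure_signed still sees but which writes nothing to `.git/config`; quoting `"$allowed_signers"` in the `touch` and passing `--` is a small style fix on the same lines. lib/git.sh receives the identical function in its second hunk and needs the same change.
```shell
setup_allowed_signers() {
  # … unchanged: explanatory comments and the early return when the key is already configured …
  # absolute path so the value does not depend on the caller's cwd
  allowed_signers="$(git rev-parse --show-toplevel)/.emptyAllowedSigners"
  touch -- "$allowed_signers"
  # process-scoped override: nothing is written to .git/config
  export GIT_CONFIG_COUNT=1
  export GIT_CONFIG_KEY_0=gpg.ssh.allowedSignersFile
  export GIT_CONFIG_VALUE_0="$allowed_signers"
}
```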
@@ -186,6 +187,17 @@ ensure_signed() {
 return 1
 }
+setup_allowed_signers() {
+ # we only care if a signature is present (github will verify) so we don't need any entries,
+ # but "gpg.ssh.allowedSignersFile needs to be configured and exist for ssh signature verification"
+ if git config --get gpg.ssh.allowedSignersFile >/dev/null; then
+ return
+ fi
+ allowed_signers=".emptyAllowedSigners"
+ touch $allowed_signers
+ git config --local gpg.ssh.allowedSignersFile "$allowed_signers"
+}
+
 git_commit_count() {
 # macOS sh is buggy and requires the subshell here.
 (git rev-list HEAD --count 2>/dev/null) || echo 0
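Review bot: setup_allowed_signers is now defined verbatim in both lib/git.sh and lib.sh, and neither file says which copy is authoritative, so the next fix to this function (it writes repository config and touches a file on every check) has to be remembered in two places. If lib.sh is a bundle of lib/*.sh, as the identical hunks and line offsets suggest, a `# generated from lib/*.sh — edit the source there` header in lib.sh would make that explicit; otherwise a comment above this function naming its twin, `# keep in sync with the copy in lib.sh`, is the minimum. The `allowed_signers` assignment is also a plain global in a sourced library, so it leaks into the caller's shell after the call.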