authorRobin H. Johnson <robbat2@gentoo.org>2020-04-06 09:57:22 -0700
committerRobin H. Johnson <robbat2@gentoo.org>2020-04-06 09:57:39 -0700
commit0443f6b89a5bd61ed4e11ca046548ed87f4f1c83 (patch)
tree09a3118407a73ae3722242605fe56b77ec06b2f5
parentnotify-webhook: more cleanups (diff)
local/require-signed-push: handle more GIT_PUSH_CERT_STATUS error casesgithooks-20200406T165739Z
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
-rwxr-xr-xlocal/require-signed-push21
1 files changed, 16 insertions, 5 deletions
diff --git a/local/require-signed-push b/local/require-signed-push
index e1f5213..1c10609 100755
--- a/local/require-signed-push
+++ b/local/require-signed-push
@@ -146,12 +146,23 @@ case ${VERIFY_SIGS} in
esac
# Now validate
+# see git-log(1) %G
+# 2020/04/06: BGUXYREN
case $GIT_PUSH_CERT_STATUS in
# Good
G) ;;
+ # signature itself has expired
+ X) fail_signed_push "FAIL: push certificate signature is expired" ;;
+
+ # key is expired, but the good signature is otherwise good
+ Y) fail_signed_push "FAIL: key used for push certificate is expired" ;;
+
+ # good signature made by an revoked key
+ R) fail_signed_push "FAIL: key used for push certiticate is revoked" ;;
+
# Bad
- B) fail_signed_push "Bad signature" ;;
+ B) fail_signed_push "FAIL: signature on push certificate is bad" ;;
# Untrusted good
U) ;; # TODO: deny this later
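Review bot: The new R branch emits a misspelled rejection message ("certiticate"), and the second hunk's new N branch has the same problem ("certifiate"); since these strings are what a pushing developer sees on the client side, they should read `R) fail_signed_push "FAIL: key used for push certificate is revoked" ;;` and `fail_signed_push "FAIL: no push certificate found"`. The added `# 2020/04/06: BGUXYREN` comment is too terse to help the next maintainer check that every %G? value is covered; spelling it out as `# %G? values per git-log(1): G good, B bad, U untrusted-good, X expired signature, Y expired key, R revoked key, E cannot check, N no signature` makes the case list auditable at a glance. The comment on the R branch should also read "made by a revoked key". Note that with X, Y and R now rejected explicitly, U (good signature from an untrusted key) remains the only non-G status that is still accepted, so the TODO on that line is now the one remaining gap in the policy this hook enforces.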
@@ -160,21 +171,21 @@ case $GIT_PUSH_CERT_STATUS in
# No signature
N)
if [ -z "$GIT_PUSH_CERT" ]; then
- fail_signed_push "No signature found"
+ fail_signed_push "FAIL: no push certifiate found"
else
- fail_signed_push "Push cert with no signature" # wtf?
+ fail_signed_push "FAIL: push certificate with no signature" # wtf?
fi
;;
# Can't verify -- usually means unknown key
E)
if [[ ${VERIFY_SIGS} != no ]]; then
- fail_signed_push "Unknown OpenPGP key"
+ fail_signed_push "FAIL: Unknown OpenPGP key used for push certificate"
fi
;;
# Future-proof
- *) fail_signed_push "Unknown GIT_PUSH_CERT_STATUS" ;;
+ *) fail_signed_push "FAIL: Unknown GIT_PUSH_CERT_STATUS" ;;
esac
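Review bot: The rewritten N branch keeps the `# wtf?` trailing comment on the "push certificate with no signature" line, which tells a reader nothing about when that branch is reached; a comment such as `# GIT_PUSH_CERT is set but status is N: a cert was pushed without any signature` documents the condition the else arm actually tests. The new E-branch message reads "Unknown OpenPGP key", but that arm is skipped entirely when VERIFY_SIGS is "no", so the wording should make clear it only fires under verification, e.g. a comment `# only reject unknown keys when signature verification is enabled` above the if. The enclosing `case $GIT_PUSH_CERT_STATUS in` statement begins in the previous hunk, outside this one.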