commit 69e206f575b40ab33c6dbe34a23001a31a4f316f
Author: Gus Kenion
Date: Thu Apr 18 15:30:36 2024 +0200
initial commit
Signed-off-by: Gus Kenion
diff --git a/git_multisig.sh b/git_multisig.sh
new file mode 100644
index 0000000..65f422e
--- /dev/null
+++ b/git_multisig.sh
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+run_id=`date -u '+%Y%m%d%H%M%S'`
+
+add_sig ()
+{
+ local git_hash=$2
+ local key_id=$3
+
+ # Fetch existing data from git
+
+ local message=`git cat-file -p ${git_hash} | sed -n '/-----BEGIN PGP/,/-----END PGP/b;p'`
+
+ # Output dearmored keys to files because bash variables don't play nicely with binary blobs
+ prev_sig_filename="prev.sig.${run_id}.tmp.gpg"
+ git cat-file -p ${git_hash} | sed -n '/-----BEGIN PGP/,/-----END PGP/p' | sed 's/gpgsig //g' | gpg --dearmor > ${prev_sig_filename}
+
+ new_sig_filename="new.sig.${run_id}.tmp.gpg"
+ echo -e "${message}" | gpg -u ${key_id} -o ${new_sig_filename} --detach-sig
+ local res=$?
+ if [ $res -ne 0 ]
+ then
+ echo "Failed to generate new signature!"
+ exit $res
+ fi
+
+ local combined_sig=`cat ${prev_sig_filename} ${new_sig_filename} | gpg --enarmor`
+ res=$?
+ if [ $res -ne 0 ]
+ then
+ echo "Failed to combine signatures!"
+ exit $res
+ fi
+
+
+ # Delete temporary signature files
+ rm ${prev_sig_filename} ${new_sig_filename}
+
+ echo -e "${message}\n${combined_sig}"
+
+ # Hash and write git object
+ echo -e "${message}\n${combined_sig}" | git hash-object -t commit -w --stdin
+
+ return $?
+}
+
+verify_sig ()
+{
+ local keyring_path=$2
+ local git_hash=$3
+
+ local message_filename=msg.${run_id}.tmp.txt
+ git cat-file -p ${git_hash} | sed -n '/-----BEGIN PGP/,/-----END PGP/b;p' > ${message_filename}
+
+ local sig_filename=verify.sig.${run_id}.tmp.asc
+ git cat-file -p ${git_hash} | sed -n '/-----BEGIN PGP/,/-----END PGP/p' | sed 's/gpgsig //g' > ${sig_filename}
+
+ gpgv2 --keyring ${keyring_path} ${sig_filename} ${message_filename}
+ local res=$?
+
+ rm ${message_filename} ${sig_filename}
+ exit $res
+}
+
+
+USAGE="Usage: $0 add {hash of commit to sign} {key to use}\nOR\n$0 verify {path to keyring} {commit hash}"
+
+if [ $1 = "add" ]
+then
+ add_sig $*
+ exit $?
+elif [ $1 = "verify" ]
+then
+ verify_sig $*
+ exit $?
+else
+ echo "$USAGE"
+ exit 1
+fi
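Review bot: The "Failed to combine signatures!" branch in add_sig can never fire, because `local combined_sig=\`…\`` runs the pipeline inside the `local` statement and the following `res=$?` reads the status of `local` (always 0); declare first and assign separately, `local combined_sig` / `combined_sig=$(cat "$prev_sig_filename" "$new_sig_filename" | gpg --enarmor)` / `res=$?`. The bytes being signed also differ from the bytes verify_sig later checks: add_sig pipes the payload through `echo -e`, which rewrites backslash sequences in the commit text, while verify_sig writes the raw sed output to a file, so a commit message containing a literal `\n` or `\t` signs content that is never stored — `printf '%s\n' "$message"` keeps the payload byte-for-byte. The temporary signature files are created in the current directory under a name derived only from the run timestamp and are left behind on both `exit $res` paths; a `mktemp -d` directory with an EXIT trap covers every exit and makes the explicit `rm` unnecessary. `[ $1 = "add" ]` and `add_sig $*` are unquoted, so running the script with no arguments produces a `[` error instead of `$USAGE`, and a later parameter containing spaces is word-split; `"${1:-}"` and `"$@"` fix both. Finally, as far as I can tell gpgv2 exits 0 whenever every signature present verifies, including a single one, so verify_sig does not enforce any signature count or signer set — if a threshold is intended it has to be checked separately, for example by counting GOODSIG lines from `--status-fd`.
```shell
add_sig ()
{
 # … unchanged: git_hash / key_id, message extraction …
 tmpdir=$(mktemp -d) || exit 1
 trap 'rm -rf -- "$tmpdir"' EXIT
 prev_sig_filename="$tmpdir/prev.sig.gpg"
 # … unchanged: dearmor of the existing signature into $prev_sig_filename …
 new_sig_filename="$tmpdir/new.sig.gpg"
 printf '%s\n' "$message" | gpg -u "$key_id" -o "$new_sig_filename" --detach-sig
 # … unchanged: first res check …
 local combined_sig
 combined_sig=$(cat "$prev_sig_filename" "$new_sig_filename" | gpg --enarmor)
 res=$?
 # … unchanged: second res check; the explicit rm of the temp files is no longer needed …
 printf '%s\n%s\n' "$message" "$combined_sig" | git hash-object -t commit -w --stdin
```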