From: Shikher Verma <root@shikherverma.com>
To: gitster@pobox.com
Cc: git@vger.kernel.org, root@shikherverma.com, santiago@nyu.edu,
	sbeller@google.com
Subject: [PATCH] Add a sample hook which saves push certs as notes
Date: Sat,  2 Dec 2017 14:42:48 +0530
Message-ID: <20171202091248.6037-1-root@shikherverma.com>
In-Reply-To: <xmqqtvzzqt5u.fsf@gitster.mtv.corp.google.com>

hooks--post-receive.sample: If push cert is present, add it as a git
note to the topmost commit of the updated ref.

Signed-off-by: Shikher Verma <root@shikherverma.com>
---
 templates/hooks--post-receive.sample | 38 ++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100755 templates/hooks--post-receive.sample

diff --git a/templates/hooks--post-receive.sample b/templates/hooks--post-receive.sample
new file mode 100755
index 000000000..b4366e43f
--- /dev/null
+++ b/templates/hooks--post-receive.sample
@@ -0,0 +1,38 @@
+#!/bin/sh
+#
+# An example hook script to store push certificates as notes.
+#
+# To enable this hook, rename this file to "post-receive".
+#
+# The stdin of the hook will be one line for each updated ref:
+# <old-id> <new-id> <refname>
+#
+# For each updated ref this script will :
+# 1. Verify that the ref update matches that in push certificate.
+# 2. add the push cert as note (namespace pushcerts) to <new-id>.
+#
+# If this hook is enabled on the server then clients can prevent
+# git metadata tampering, by using signed pushes and 
+# doing the following while fetching :
+# 1. fetch the git notes (of namespace pushcerts) from server.
+#     $ git fetch origin refs/notes/pushcerts:refs/notes/pushcerts
+# 2. Check that the fetched ref's top most commit has a note
+#     containing a push certificate.
+# 3. Verify the validity of the push certificate in the note and 
+#     check that the ref update matches that in push certificate.
+#
+
+if test -z GIT_PUSH_CERT ; then
+    exit 0
+fi
+
+push_cert=$(git cat-file -p  $GIT_PUSH_CERT)
+
+while read oval nval ref
+do
+	# Verify that the ref update matches that in push certificate.
+	if [[ $push_cert == *$oval" "$nval" "$ref* ]]; then
+		# add the push cert as note (namespaced pushcerts) to nval.
+		git notes --ref=pushcerts add -m "$push_cert" $nval -f
+	fi
+done
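Review bot: `if test -z GIT_PUSH_CERT ; then` tests the literal string "GIT_PUSH_CERT", which is never empty, so the early exit for unsigned pushes never fires and `git cat-file -p` is then run with an empty argument; it should be `if test -z "$GIT_PUSH_CERT"; then`. The match inside the loop, `if [[ $push_cert == *$oval" "$nval" "$ref* ]]; then`, is a bash construct that will fail under the `#!/bin/sh` shebang wherever sh is dash or another POSIX shell, and because `$ref` is unquoted in the pattern any `*`, `?` or `[` in a ref name is treated as a glob metacharacter; a portable equivalent is `case "$push_cert" in *"$oval $nval $ref"*) git notes --ref=pushcerts add -f -m "$push_cert" "$nval" ;; esac`. Separately, the substring check only confirms that the update line appears in the certificate text; nothing in the hook checks whether receive-pack found the certificate's signature valid (exposed to hooks alongside GIT_PUSH_CERT as GIT_PUSH_CERT_STATUS), so a certificate with a bad or unknown-key signature would still be stored as a note, and the header comment's promise that clients can detect tampering then rests entirely on the client re-verifying the signature in step 3. Worth documenting that in the comment or gating the `git notes add` on the status.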
-- 
2.15.0


