Home/ Questions/Q 748055
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-14T14:16:33+00:00

I know how to configure the Mercurial signing extension . The problem that I’m

  • 0

I know how to configure the Mercurial signing extension. The problem that I’m having is that I don’t want to sign each individual change set, I only want to sign revisions that introduce new version tags.

That’s easily accomplished locally, however I can’t come up with a way to enforce this on the remote server. I’d like people to continue to be able to push their changes as normal, unless adding a release tag, which should be accompanied by a signature.

The end result should be that anyone cloning our repository can easily see a list of signed revisions, which point to a list of signed releases.

Hopefully, I’ve just missed something obvious in hooklib. Has anyone else accomplished this, if so, how?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You could do it on the server with a pretxnchangegroup hook. More efficient in-process in python, but off the top of my head in shell you’d do:

    In your hgrc:

    [hook]
pretxnchangegroup = all-tags-checked.sh

    and in all-tags-checked.sh:

    for therev in $(seq $(hg id -n -r $HG_NODE) $(hd id -n -r tip)) ; do
   if hg log --template '{files}' -r $therev | grep --quiet '^.hgtags' ; then
      if hg sigcheck $therev | grep --quiet '^No valid' ; then
         exit 1
      fi
   fi
done

    That goes through every new changeset and checks to make sure that if it edits .hgtags (add a tag) then it must also be signed.

    Is that what you’re looking for?

    • 0