Add submodule verification to git sanity checks #6
Merged
adrelanos merged 1 commit into Kicksecure:master from Apr 1, 2026
Verify each submodule's HEAD commit using sq-git after the main repository checks pass. The parent repository's policy file and trust root are reused for submodule verification, keeping signing policy centralized. Also verify submodules in derivative-update after submodule update steps (both tag checkout and branch merge paths). https://claude.ai/code/session_01KXLzqaVR92tYzqpg6Cpatq
Summary
This PR adds verification of git submodules to the sanity check and update workflows. A new git_submodule_verify() function is introduced to validate the integrity of all initialized submodules in the repository.

Key Changes
- git_submodule_verify() function: Iterates through all submodules defined in .gitmodules, verifies that they are initialized, and validates the signature of each submodule's HEAD commit using the parent repository's centralized signing policy
- git_sanity_test_main(): Added submodule verification as part of the standard git sanity checks
- update_repo(): Added submodule verification in two locations:

Implementation Details
- openpgp-policy.toml for all submodule verification, maintaining a centralized signing policy across all repositories
- pushd/popd and includes error handling for failed operations
- .gitmodules using grep and awk

https://claude.ai/code/session_01KXLzqaVR92tYzqpg6Cpatq
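The procedure the description outlines (walk .gitmodules, require each submodule to be initialized, verify its HEAD commit), as an added example that is not the PR's code. The function names are hypothetical, and the verifier command (assumed to be a wrapper that runs sq-git with the parent repository's policy file and trust root) is supplied by the caller.

```shell
#!/bin/sh
# Added example (not the PR's code): fail-closed walk over declared submodules.

# Print one submodule path per line from a .gitmodules file.
list_submodule_paths() {
  awk '/^[ \t]*path[ \t]*=/ {
         sub(/^[^=]*=[ \t]*/, "")   # drop "path =" and leading blanks
         sub(/[ \t]+$/, "")         # drop trailing blanks
         print
       }' "$1"
}

# verify_submodules REPO_DIR VERIFIER [ARGS...]
# Calls: VERIFIER ARGS... <submodule_dir> <head_commit> for each submodule.
# VERIFIER is supplied by the caller (assumption: a wrapper that runs sq-git
# with the parent repository's policy file and trust root).
# Returns non-zero on the first uninitialized submodule, unreadable HEAD or
# verifier failure; returns 0 only if every declared submodule verified.
verify_submodules() {
  repo=$1; shift
  [ "$#" -ge 1 ] || return 2                  # no verifier command given
  [ -f "$repo/.gitmodules" ] || return 0      # no submodules declared
  paths=$(list_submodule_paths "$repo/.gitmodules") || return 1
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    dir=$repo/$path
    # Without its own .git entry, "git -C $dir" would silently resolve the
    # PARENT repository's HEAD, so an uninitialized submodule must be an error.
    if [ ! -e "$dir/.git" ]; then
      echo "submodule '$path' is not initialized" >&2
      return 1
    fi
    head=$(git -C "$dir" rev-parse --verify 'HEAD^{commit}') || return 1
    # </dev/null keeps the verifier from consuming the path list on stdin.
    if ! "$@" "$dir" "$head" </dev/null; then
      echo "submodule '$path': verification of $head failed" >&2
      return 1
    fi
  done <<EOF
$paths
EOF
}
```

The here-document keeps the loop in the current shell, so `return 1` aborts the whole check instead of only ending a pipeline subshell.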