Merge bitcoin#22744: ci: Re-enable verify-commits.py check

fa00160 ci: Re-enable verify-commits.py check (MarcoFalke)
fa880b1 ci: Unconditionally set the global git author name in cirrys.yml (MarcoFalke)

Pull request description:

  Might be useful to detect bugs in the script itself or an accidentally missed signature.

ACKs for top commit:
  josibake:
    ACK bitcoin@fa00160
  Zero-1729:
    tACK fa00160
  fanquake:
    untested ACK fa00160

Tree-SHA512: 8a13a67d325f2477f4088d1034f0d5e4e04937a01ee3c738435fe66394c02b9f33225529952ad331b0ba19b63ca4b2f26911cb5d264890159840cf3e09085969

Author: fanquake

.cirrus.yml

@@ -13,11 +13,13 @@ env:
 base_template: &BASE_TEMPLATE
   skip: $CIRRUS_REPO_FULL_NAME == "bitcoin-core/gui" && $CIRRUS_PR == ""  # No need to run on the read-only mirror, unless it is a PR. https://cirrus-ci.org/guide/writing-tasks/#conditional-task-execution
   merge_base_script:
-    - if [ "$CIRRUS_PR" = "" ]; then exit 0; fi
+    # Unconditionally install git (used in fingerprint_script) and set the
+    # default git author name (used in verify-commits.py)
     - bash -c "$PACKAGE_MANAGER_INSTALL git"
-    - git fetch $CIRRUS_REPO_CLONE_URL $CIRRUS_BASE_BRANCH
     - git config --global user.email "[email protected]"
     - git config --global user.name "ci"
+    - if [ "$CIRRUS_PR" = "" ]; then exit 0; fi
+    - git fetch $CIRRUS_REPO_CLONE_URL $CIRRUS_BASE_BRANCH
     - git merge FETCH_HEAD  # Merge base to detect silent merge conflicts
   stateful: false  # https://cirrus-ci.org/guide/writing-tasks/#stateful-tasks
 

ci/lint/06_script.sh

@@ -28,9 +28,14 @@ test/lint/git-subtree-check.sh src/leveldb
 test/lint/check-doc.py
 test/lint/all-lint.py
 
-if [ "$CIRRUS_REPO_FULL_NAME" = "dashpay/dash" ] && [ -n "$CIRRUS_CRON" ]; then
-    git log --merges --before="2 days ago" -1 --format='%H' > ./contrib/verify-commits/trusted-sha512-root-commit
+if [ "$CIRRUS_REPO_FULL_NAME" = "dashpay/dash" ] && [ "$CIRRUS_PR" = "" ] ; then
+    # Sanity check only the last few commits to get notified of missing sigs,
+    # missing keys, or expired keys. Usually there is only one new merge commit
+    # per push on the master branch and a few commits on release branches, so
+    # sanity checking only a few (10) commits seems sufficient and cheap.
+    git log HEAD~10 -1 --format='%H' > ./contrib/verify-commits/trusted-sha512-root-commit
+    git log HEAD~10 -1 --format='%H' > ./contrib/verify-commits/trusted-git-root
     mapfile -t KEYS < contrib/verify-commits/trusted-keys
     ${CI_RETRY_EXE} gpg --keyserver hkps://keys.openpgp.org --recv-keys "${KEYS[@]}" &&
-    ./contrib/verify-commits/verify-commits.py --clean-merge=2;
+    ./contrib/verify-commits/verify-commits.py;
 fi