Overcommit 0.29.0

@sds sds released this 18 Nov 06:45

Edit: This release ended up having a different bug related to signing hooks. Please use 0.29.1 or newer (but still read these release notes for details).

This release includes an important security patch relevant for developers who use Overcommit in open source projects. Special thanks to @danuker for responsibly disclosing the issue.

The most notable change with signature verification is that you will now need to run overcommit --sign the very first time you run Overcommit in a repository, regardless of whether you have signature verification enabled. This means CI runs will need to include overcommit --sign before overcommit --run if you use that feature, since services like Travis create a new git repo for each run.

Security Fix

  • Fix vulnerability where disabling signature verification would not be caught
    by signature verification, allowing an attacker to bypass the check. If you
    disable signature verification in your configuration, you must rename the
    option to verify_signatures and should audit your hooks. Make sure to
    uninstall any version of Overcommit before 0.29.0; otherwise an attacker
    could simply downgrade your version via the Gemfile to run a vulnerable
    version.
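The following is an added illustration of the bug class fixed above, written for these notes; it is not Overcommit's code and does not reproduce its internals. It models a configuration file whose signature is kept outside the tracked working tree, and contrasts a loader that honours a "turn verification off" option read from the unverified file (the vulnerable ordering) with one that verifies the signature before honouring anything in the file. The option name, the Hash standing in for the signature store, the HMAC key and both configuration texts are constructed for the example.

```ruby
require 'openssl'
require 'yaml'

# Stand-in for a location outside the tracked working tree (Overcommit keeps
# its signatures in .git/config; this Hash models that, it is not the real store).
TRUSTED_STORE = {}

# Per-machine signing secret. Constructed value for the example.
SIGNING_KEY = 'constructed-example-key'.freeze

# Signature over the exact configuration text.
def sign(config_text)
  OpenSSL::HMAC.hexdigest('SHA256', SIGNING_KEY, config_text)
end

# Equivalent of `overcommit --sign`: record the signature of the configuration
# the developer has reviewed and trusts.
def store_signature!(config_text)
  TRUSTED_STORE[:signature] = sign(config_text)
end

# Constant-time comparison so the check does not leak where the digests differ.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def signature_valid?(config_text)
  expected = TRUSTED_STORE[:signature]
  !expected.nil? && constant_time_equal?(expected, sign(config_text))
end

# Vulnerable ordering (the bug class fixed in 0.29.0): the option that turns
# verification off is read from the very file whose integrity has not yet been
# checked, so editing that option is enough to skip the check entirely.
def vulnerable_load(config_text)
  config = YAML.safe_load(config_text)
  return config if config['verify_plugin_signatures'] == false
  raise 'Configuration signature mismatch' unless signature_valid?(config_text)
  config
end

# Fixed ordering: the signature is verified before any option in the file is
# honoured, so flipping the option changes the text and is itself caught.
def fixed_load(config_text)
  raise 'Configuration signature mismatch' unless signature_valid?(config_text)
  YAML.safe_load(config_text)
end

# Constructed configurations. The tampered one disables verification and adds a
# hook that runs a command of the editor's choosing.
ORIGINAL_CONFIG = <<~YAML
  verify_plugin_signatures: true
  PreCommit:
    RuboCop:
      enabled: true
YAML

TAMPERED_CONFIG = <<~YAML
  verify_plugin_signatures: false
  PreCommit:
    CustomScript:
      enabled: true
      command: ['echo', 'config was tampered with']
YAML

def accepted_by?(loader, config_text)
  send(loader, config_text)
  true
rescue RuntimeError
  false
end

# Signs the reviewed configuration, then feeds the tampered one to both loaders.
def run_demo
  store_signature!(ORIGINAL_CONFIG)
  {
    vulnerable_accepts_tampered: accepted_by?(:vulnerable_load, TAMPERED_CONFIG),
    fixed_accepts_tampered: accepted_by?(:fixed_load, TAMPERED_CONFIG),
    fixed_accepts_original: accepted_by?(:fixed_load, ORIGINAL_CONFIG)
  }
end

run_demo.each { |name, result| puts "#{name}: #{result}" } if $PROGRAM_NAME == __FILE__
```

The point of the model is the ordering: a switch that can disable the integrity check must not itself live inside the data the check protects, or it must only be honoured after that check has passed. The same reasoning is behind the advice to remove older versions: a check that can be skipped by changing the Gemfile is only as strong as the weakest version the Gemfile can resolve to.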

New Features

  • Allow nested arrays in include and exclude options so lists of file
    glob patterns can be shared across hook configurations via YAML references
  • Add NginxTest pre-commit hook that checks nginx configuration files with
    nginx -t
  • Respect core.commentchar configuration when reading commit messages
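As an added example of what the nested-array change to the include and exclude options makes possible (this is example code, not from the Overcommit project): a glob list defined once under a YAML anchor is reused by two hooks through aliases, which yields a nested array when the alias sits inside a list. The helpers below flatten such lists and apply them with Ruby's File.fnmatch; the configuration text, hook names and file paths are constructed, and alias support in YAML.safe_load (Psych 3.1 or newer) is assumed.

```ruby
require 'yaml'

# Constructed .overcommit.yml fragment: one glob list is defined once under an
# anchor and reused by two hooks through aliases. Listing an alias inside a
# list produces a nested array, which is what 0.29.0 now accepts.
CONFIG_TEXT = <<~YAML
  ruby_sources: &ruby_sources
    - 'lib/**/*.rb'
    - 'spec/**/*.rb'

  PreCommit:
    RuboCop:
      include:
        - *ruby_sources
        - 'Rakefile'
      exclude:
        - 'spec/fixtures/**/*'
    Reek:
      include: *ruby_sources
YAML

# Aliases must be allowed explicitly: recent Psych rejects them by default.
def load_config(text)
  YAML.safe_load(text, aliases: true)
end

# Collects the glob patterns for one option of one hook, flattening any nesting
# that aliases introduced and tolerating a single string instead of a list.
def patterns_for(config, group, hook, option)
  Array(config.dig(group, hook, option)).flatten.compact
end

# True if the path is selected by at least one include pattern and rejected by
# no exclude pattern. FNM_PATHNAME makes '**/' span directories and keeps '*'
# from crossing a '/'.
def hook_applies?(config, group, hook, path)
  flags = File::FNM_PATHNAME
  includes = patterns_for(config, group, hook, 'include')
  excludes = patterns_for(config, group, hook, 'exclude')
  included = includes.any? { |glob| File.fnmatch(glob, path, flags) }
  excluded = excludes.any? { |glob| File.fnmatch(glob, path, flags) }
  included && !excluded
end

if $PROGRAM_NAME == __FILE__
  config = load_config(CONFIG_TEXT)
  p patterns_for(config, 'PreCommit', 'RuboCop', 'include')
  p hook_applies?(config, 'PreCommit', 'RuboCop', 'spec/fixtures/sample.rb')
end
```

Flattening after loading is what lets a shared list be combined with hook-specific entries in the same include block; without it the alias entry would be an array rather than a pattern and would never match a path.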

Changes

  • Rename verify_plugin_signatures to verify_signatures

Bug Fixes

  • Fix Jscs pre-commit hook to handle the new jscs exit codes introduced as of
    2.2.0
  • Fix Scalastyle pre-commit hook to fail with non-zero exit statuses