Rev 5972: (jr) * Do not treat configuration option 'check_signatures = require' as if in file:///home/pqm/archives/thelove/bzr/%2Btrunk/
Canonical.com Patch Queue Manager
pqm at pqm.ubuntu.com
Tue Jun 14 10:47:25 UTC 2011
At file:///home/pqm/archives/thelove/bzr/%2Btrunk/
------------------------------------------------------------
revno: 5972 [merge]
revision-id: pqm at pqm.ubuntu.com-20110614104720-gpqe299xphd8069e
parent: pqm at pqm.ubuntu.com-20110614095654-xgw6kju0oxw1gp1z
parent: jriddell at canonical.com-20110614092136-jzsa44aqen0vjrlz
committer: Canonical.com Patch Queue Manager <pqm at pqm.ubuntu.com>
branch nick: +trunk
timestamp: Tue 2011-06-14 10:47:20 +0000
message:
(jr) * Do not treat configuration option 'check_signatures = require' as if
it were 'create_signatures = always'. * Make docs for configuration options
for digital signatures match reality. * Add user-guide page on GPG
signatures. (Jonathan Riddell)
added:
doc/en/user-guide/gpg_signatures.txt gpg_signatures.txt-20110613144839-bhiqfi9k0khol2vm-1
modified:
bzrlib/config.py config.py-20051011043216-070c74f4e9e338e8
bzrlib/help_topics/en/configuration.txt configuration.txt-20060314161707-868350809502af01
doc/en/release-notes/bzr-2.4.txt bzr2.4.txt-20110114053217-k7ym9jfz243fddjm-1
doc/en/user-guide/index.txt indexfor2x.txt-20090722150335-qt9yh29f930m4v0r-1
=== modified file 'bzrlib/config.py'
--- a/bzrlib/config.py 2011-06-03 07:32:01 +0000
+++ b/bzrlib/config.py 2011-06-14 10:47:20 +0000
@@ -144,7 +144,6 @@
interpolation=False,
**kwargs)
-
def get_bool(self, section, key):
return self[section].as_bool(key)
@@ -493,10 +492,10 @@
if policy is None:
policy = self._get_signature_checking()
if policy is not None:
+ #this warning should go away once check_signatures is
+ #implemented (if not before)
trace.warning("Please use create_signatures,"
" not check_signatures to set signing policy.")
- if policy == CHECK_ALWAYS:
- return True
elif policy == SIGN_ALWAYS:
return True
return False
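Review bot: The warning kept at the top of this hunk ("Please use create_signatures, not check_signatures to set signing policy.") still fires whenever check_signatures is set, but with the `if policy == CHECK_ALWAYS: return True` branch removed the value no longer influences the result. Someone who relied on `check_signatures = require` to get signed commits gets no hint that signing has stopped, and someone who set it for verification is steered towards a signing option. Suggest rewording the warning to say that check_signatures no longer triggers signing and that `create_signatures = always` is needed for that. The list of modified files contains no test file; a test asserting that `check_signatures = require` on its own no longer requests a signature would pin the new behaviour. Minor: the added comment would read better as `# This warning ...` with a space after the hash.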
@@ -545,7 +544,7 @@
return tools
def find_merge_tool(self, name):
- # We fake a defaults mechanism here by checking if the given name can
+ # We fake a defaults mechanism here by checking if the given name can
# be found in the known_merge_tools if it's not found in the config.
# This should be done through the proposed config defaults mechanism
# when it becomes available in the future.
=== modified file 'bzrlib/help_topics/en/configuration.txt'
--- a/bzrlib/help_topics/en/configuration.txt 2011-06-10 07:01:07 +0000
+++ b/bzrlib/help_topics/en/configuration.txt 2011-06-14 10:47:20 +0000
@@ -386,7 +386,8 @@
check_signatures
~~~~~~~~~~~~~~~~
-Defines the behavior for signatures.
+Reserved for future use. These options will allow a policy for branches to
+require signatures.
require
The gnupg signature for revisions must be present and must be valid.
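Review bot: The new introduction says check_signatures is reserved for future use, but the unchanged value description directly below it ("The gnupg signature for revisions must be present and must be valid.") still reads as current behaviour. A reader who sets `require` can reasonably conclude that unsigned or badly signed revisions are rejected today. Suggest stating in the introduction that none of the listed values is enforced yet, or rewording each value description in the future tense.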
@@ -402,18 +403,22 @@
create_signatures
~~~~~~~~~~~~~~~~~
-Defines the behaviour of signing revisions.
+Defines the behaviour of signing revisions on commits. By default bzr will not
+sign new commits.
always
- Sign every new revision that is committed.
+ Sign every new revision that is committed. If the signing fails then the
+ commit will not be made.
when-required
- (default) Sign newly committed revisions only when the branch requires
- signed revisions.
+ Reserved for future use.
never
- Refuse to sign newly committed revisions, even if the branch
- requires signatures.
+ Reserved for future use.
+
+In future it is planned that ``when-required`` will sign newly
+committed revisions only when the branch requires them. ``never`` will refuse
+to sign newly committed revisions, even if the branch requires signatures.
recurse
~~~~~~~
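Review bot: With the "(default)" marker dropped from when-required, this section no longer names the default value; it only says "By default bzr will not sign new commits". "Reserved for future use" for when-required and never also leaves open what bzr does today when either is set. Suggest naming the default value explicitly and adding one sentence on the current effect of the two reserved values, so that a user auditing a signing policy can tell from the help text alone whether commits will be signed.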
=== modified file 'doc/en/release-notes/bzr-2.4.txt'
--- a/doc/en/release-notes/bzr-2.4.txt 2011-06-14 09:56:54 +0000
+++ b/doc/en/release-notes/bzr-2.4.txt 2011-06-14 10:47:20 +0000
@@ -15,6 +15,9 @@
.. These may require users to change the way they use Bazaar.
+* Do not treat configuration option 'check_signatures = require' as if
+ it were 'create_signatures = always' (Jonathan Riddell)
+
New Features
************
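Review bot: This entry is placed in the section for changes that "may require users to change the way they use Bazaar", yet it does not say what to change. Anyone whose commits were signed only because of `check_signatures = require` will stop producing signatures after upgrading without any error. Suggest adding the remedy to the entry, for example that `create_signatures = always` must be set to keep signing commits.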
@@ -93,6 +96,11 @@
* Improve documentation of ``bzr merge --force``.
(Neil Martinsen-Burrell, #767307)
+* Make docs for configuration options for digital signatures match
+ reality. (Jonathan Riddell)
+
+* Add user-guide page on GPG signatures. (Jonathan Riddell)
+
API Changes
***********
=== added file 'doc/en/user-guide/gpg_signatures.txt'
--- a/doc/en/user-guide/gpg_signatures.txt 1970-01-01 00:00:00 +0000
+++ b/doc/en/user-guide/gpg_signatures.txt 2011-06-14 09:21:36 +0000
@@ -0,0 +1,95 @@
+GnuPG Signatures
+=============================
+
+Reasons to Sign Your Repository
+--------------------------------
+
+Bazaar can sign revisions using GnuPG, a Free Software implementation of the
+OpenPGP digital signature format. By signing commits a person wanting to
+make use of a branch can be confident where the code came from, assuming the
+GnuPG keys used can be verified. This could for example prevent worry about
+compromised code in the case where a server hosting Bazaar branches has been
+hacked into. It could also be used to verify that all code is written by a
+select group of people, such as if contributor agreements are needed.
+
+Signatures are passed around with commits during branch, push, merge and other
+operations.
+
+Setting up GnuPG
+--------------
+
+There are many guides to creating a digital signature key with GnuPG. See
+for example the `GnuPG Handbook
+<http://www.gnupg.org/gph/en/manual.html#AEN26>`_ or the `Launchpad Wiki
+<https://help.launchpad.net/YourAccount/ImportingYourPGPKey>`_.
+
+
+Signing Commits
+---------------
+
+To sign commits as they are made turn on the ``create_signatures``
+configuration option in your ``bazaar.conf`` or ``locations.conf`` file::
+
+ create_signatures = always
+
+When you next make a commit it will ask for the pass phrase for your GnuPG key.
+If you want GnuPG to remember your password ensure you have ``gnupg-agent``
+installed.
+
+To sign previous commits to a branch use ``sign-my-commits``. This will go
+through all revisions in the branch and sign any which match your
+commit name. You can also pass the name of a contributor to ``sign-my-commits``
+to sign someone else's commits or if your GnuPG key does not match your Bazaar
+name and e-mail::
+
+ bzr sign-my-commits . "Amy Pond <amy at example.com>"
+
+It will not sign commits which already have a signature.
+
+To sign a single commit or a range of commits use the (hidden) command
+``re-sign``::
+
+ bzr re-sign -r 24
+
+``re-sign`` is also useful to change an existing signature.
+
+Verifying Commits
+-----------------
+
+Unfortunately there is currently no command for verifying signatures. This can
+be done manually using bzrlib and Python::
+
+ >>> from bzrlib.branch import Branch
+ >>> b = Branch.open('/home/amy/src/daleks')
+ >>> b.last_revision()
+ 'amy at example.com-20110527185938-hluafawphszb8dl1'
+ >>> print b.repository.get_signature_text(b.last_revision())
+ -----BEGIN PGP SIGNED MESSAGE-----
+ Hash: SHA1
+
+ bazaar-ng testament short form 1
+ revision-id: amy at example.com-20110527185938-hluafawphszb8dl1
+ sha1: 6411f9bdf6571200357140c9ce7c0f50106ac9a4
+ -----BEGIN PGP SIGNATURE-----
+ Version: GnuPG v1.4.11 (GNU/Linux)
+
+ iEYEARECAAYFAk32HFcACgkQpQbm1N1NUIiBXACg6ILsyvJp4+Twq190qk1I4v9K
+ PAAAoI8pg9s7uuqldqOwz6/uwH3ezdSX
+ =+NcB
+ -----END PGP SIGNATURE-----
+
+The signature can be saved to a file and verified with ``gpg --verify
+signature.txt``.
+
+The signed SHA1 checksum is made from the ``bzr testament --long`` command
+which includes information on the committer and a list of all files in that
+commit along with their checksums. So if the signature is valid you can be
+sure you are looking at the same code as the person who made the signature.
+
+Work in Progress
+----------------
+
+There is still a number of digital signature related features which are hoped
+to be added to Bazaar soon. These include easy verificiation, qbzr
+integration, signing with different keys and setting branches to require
+signatures.
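Review bot: In "Verifying Commits", the closing claim that a valid signature means "you can be sure you are looking at the same code as the person who made the signature" skips two checks that `gpg --verify signature.txt` does not perform: that the signed sha1 equals the testament checksum computed from the reader's own copy of that revision, and that the signing key belongs to someone the reader trusts (the first section already makes this conditional with "assuming the GnuPG keys used can be verified"). Suggest spelling out both steps in that paragraph. Smaller points: the underline beneath "Setting up GnuPG" is shorter than the title, which docutils flags as a too-short title underline, and "verificiation" in "Work in Progress" is a typo.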
=== modified file 'doc/en/user-guide/index.txt'
--- a/doc/en/user-guide/index.txt 2011-05-16 10:22:06 +0000
+++ b/doc/en/user-guide/index.txt 2011-06-13 14:08:28 +0000
@@ -103,6 +103,7 @@
server
hooks
version_info
+ gpg_signatures
A brief tour of some popular plugins