[merge] bzr re-sign update
John A Meinel
john at arbash-meinel.com
Wed Feb 15 15:15:55 GMT 2006
Robert Collins wrote:
> On Tue, 2006-02-14 at 21:21 -0600, John A Meinel wrote:
...
>> It basically just verifies each signature (as though you did find
>> .bzr/revision-store -name '*.sig' | xargs gpg --verify-files), but it
>> generates aggregate statistics, which means that the output is much more
>> manageable.
>
> What are you using to verify ? (just gpg ?)
Well, I'm using "gpg_signing_command", which may be incorrect, and it
may be better to just use gpg.
But I use the fact that gpg returns 0 if it verifies, 1 if it is
invalid, and 2 if it can't verify.
And then my --batch mode spawns gpg with a bunch of signatures at once,
assuming that the bulk will verify. If it fails, then it breaks it up
and finds the bad ones. (This has been tested because I didn't have
James Henstridges' public key).
>
>> I'm also happy to report that all signatures verify in my
>> jam-integration branch. We have 5 signatures from jamesh, 100 from
>> Robert Collins, and 413 from myself. (I went back and signed all of my
>> commits).
>
> Cool. I'd love for sign-my-commits to be builtin. +1 for you doing that
> if you add some smoke tests. :)
I'll look into that.
>
> For validation, plain old gpg is fine for non-policy validation, and its
> a good start, but I suspect we'll need gpgme in one form or another for
> things like 'permit anyone with a uid matching the committer id and
> level 2 confidence in that uid'. (there is a new wrapper that is much
> nicer than pyme that I'm tracking down at the moment).
>
> But it would rock to start fleshing out the validation side of the gpg
> stuff in bzr core.
I understand that long term we want to do all sorts of fancy policy
level stuff. Right now I just wanted something to say that all of my
signatures are indeed valid.
I suppose I would actually need 1 further level of validation, which
computes the testament for the specific revision, and makes sure that it
matches what was signed. (Right now I just make sure the signature all
by itself is valid).
>
> Rob
>
John
=:->
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 249 bytes
Desc: OpenPGP digital signature
Url : https://lists.ubuntu.com/archives/bazaar/attachments/20060215/5fb13913/attachment.pgp
More information about the bazaar
mailing list