how to verify gpg-signed commits

John Arbash Meinel john at arbash-meinel.com
Sun May 7 04:06:27 BST 2006


guillaume pernot wrote:
> hi,
> 
> I'm new to bazaar-ng, and have started exploring its great functionalities.
> 
> Once I've signed my commits with `bzr sign-my-commits`, how can I verify
> the signature? The `bzr testament` output looks a bit cryptic to me...
> 
> regards,
> guillaume pernot
> 
> 

I have a plugin available from here:
http://bzr.arbash-meinel.com/plugins/bzr/signing/

It provides the command 'bzr verify-sigs', which will run 'gpg --verify'
for every signature found.

The reason it isn't in bzr core is that we really wanted to do the
verification properly, using something like 'libgpgme'. This was just my
quick hack to allow some integrity checking.

Once we decide what library to use, bzr should check signatures before
any sort of action (like pulling/merging/etc).

I just updated it to work with the latest bzr.dev code. (If you are
using the 0.7 release, you want revno 7 of the plugin.)

I also updated it so that it not only runs 'gpg --verify-sigs' for each
signature but also creates a new testament and makes sure the
signed testament matches the one that was signed.

In the future, I think we might also want to try and match the gpg
signing key username with the revision committer username. (Though we
have discussed letting someone sign someone else's commit as sort of a
'vote of confidence')

John
=:->
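The checks described in the message above (run 'gpg --verify' on the stored signature, regenerate the testament and compare it with the text that was actually signed, and optionally match the signing key's user id against the committer), as an added Python example that is not the plugin's code. The testament layout and the clearsigned blob are constructed samples, and `check_signed_commit` takes the verifier as a parameter so the comparison logic can run offline without a keyring.

```python
import re
import subprocess
# 'gpg --clearsign' layout: header, header lines, blank line, signed text, signature.
_CLEARSIGN = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\r?\n(?:[A-Za-z-]+: [^\n]*\r?\n)*\r?\n"
    r"(?P<body>.*?)\r?\n-----BEGIN PGP SIGNATURE-----", re.S)

def signed_text(clearsigned):
    """Return exactly the text the clearsign signature covers, dash-unescaped."""
    m = _CLEARSIGN.search(clearsigned)
    if not m: raise ValueError("not a PGP clearsigned message")
    # gpg prefixes lines that start with '-' by '- '; undo that escaping.
    return "\n".join(l[2:] if l.startswith("- ") else l for l in m["body"].split("\n"))

def _canon(text):
    # Clearsign ignores trailing whitespace per line, so compare the same way.
    return "\n".join(l.rstrip() for l in text.strip("\r\n").split("\n"))

def _email(uid):
    m = re.search(r"<([^>]+)>", uid or "")
    return m.group(1).lower() if m else None

def gpg_verify(clearsigned):
    """Run 'gpg --verify'; return the signer's user id on GOODSIG, else None."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify"],
                          input=clearsigned.encode(), capture_output=True)
    for line in proc.stdout.decode(errors="replace").splitlines():
        if line.startswith("[GNUPG:] GOODSIG "):   # GOODSIG <keyid> <user id>
            return line.split(" ", 3)[3]
    return None

def check_signed_commit(stored_sig, regenerated, verify=gpg_verify):
    """Good signature, signed text == regenerated testament, signer vs committer."""
    signer = verify(stored_sig)
    if signer is None:
        return {"ok": False, "reason": "signature did not verify"}
    if _canon(signed_text(stored_sig)) != _canon(regenerated):
        # A good signature over some other testament must still be rejected.
        return {"ok": False, "reason": "signed testament does not match revision"}
    m = re.search(r"^committer: (.*)$", regenerated, re.M)
    committer = m.group(1).strip() if m else ""
    return {"ok": True, "signer": signer, "committer": committer,
            "signer_is_committer": _email(signer) == _email(committer) is not None}

# Constructed sample (not a real bzr revision or GPG signature), for offline use.
TESTAMENT = ("bazaar-ng testament version 1\n"
             "committer: Guillaume Pernot <guillaume@example.com>\n"
             "message:\n  first signed commit\n")
STORED_SIG = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n" + TESTAMENT +
              "-----BEGIN PGP SIGNATURE-----\n(armor omitted)\n-----END PGP SIGNATURE-----\n")
```

With a real repository, `regenerated` would be the output of `bzr testament` for the revision and `verify` left at its default so gpg does the cryptographic part.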
