how to verify gpg-signed commits
Martin Pool
mbp at canonical.com
Thu May 11 03:16:30 BST 2006
On 11 May 2006, James Henstridge <james.henstridge at gmail.com> wrote:
> The alternative is to give up on clearsigned signatures, and store the
> testament plus one or more signature blocks for that testament. Are
> you signing their revision or signing the revision plus the fact that
> the other person signed the revision? If you do use nested
> clearsigned blocks, will bzr care about which way they are nested?
>
> Detached signatures also don't seem to be susceptible to the
> concatenation problem. It is also pretty easy to convert a
> clearsigned block to plaintext + a detached signature block if the
> change is worth making.
Yes, using detached signatures does seem simpler.
--
Martin
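
The conversion mentioned in the quoted text (a clearsigned block to plaintext plus a detached signature block), sketched in Python as an added example that is not part of the original message or of bzr. It assumes the OpenPGP cleartext signature layout (RFC 4880 section 7) and rejects input that is not exactly one block; the function name and the sample, with its placeholder signature, are constructed for illustration.

```python
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def split_clearsigned(blob):
    """Split one clearsigned block into (signed_text, detached_signature_armor).

    Raises ValueError unless blob is exactly one block with nothing around it.
    """
    lines = blob.rstrip("\r\n").splitlines()
    if [lines.count(m) for m in (BEGIN_MSG, BEGIN_SIG, END_SIG)] != [1, 1, 1]:
        raise ValueError("expected exactly one clearsigned block")
    if lines[0] != BEGIN_MSG or lines[-1] != END_SIG:
        raise ValueError("data outside the clearsigned block")
    sig_at = lines.index(BEGIN_SIG)
    if "" not in lines[1:sig_at]:
        raise ValueError("no blank line after the armor headers")
    blank = lines.index("", 1, sig_at)
    if any(not h.startswith("Hash: ") for h in lines[1:blank]):
        raise ValueError("unexpected armor header")
    body = []
    for line in lines[blank + 1:sig_at]:
        if line.startswith("- "):
            line = line[2:]  # undo dash-escaping
        elif line.startswith("-"):
            raise ValueError("unescaped dash line in signed text")
        body.append(line.rstrip(" \t"))  # trailing whitespace is not signed
    # The line ending before BEGIN_SIG is not part of the signed text; the
    # signature itself is computed over the text with CRLF line endings.
    return "\n".join(body), "\n".join(lines[sig_at:]) + "\n"


# Constructed sample: the signature body is a placeholder, not a real signature.
SAMPLE = "\n".join([
    BEGIN_MSG, "Hash: SHA1", "",
    "testament for revision constructed-rev-1",
    "- --dash-escaped line   ",
    BEGIN_SIG, "", "PLACEHOLDERnotARealSignature==", END_SIG, ""])

if __name__ == "__main__":
    text, sig = split_clearsigned(SAMPLE)
    print(text)
    print(sig, end="")
    try:
        split_clearsigned(SAMPLE + SAMPLE)  # two blocks run together
    except ValueError as exc:
        print("rejected:", exc)
```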