On 12/21/17, jungle Boogie <[email protected]> wrote:
>
> How are the signatures verified?

Signatures are not verified, at the moment. Probably each repository would have a set of trusted public keys. Then as each check-in is received via push (or during a rebuild) those with signatures have the signatures verified using the set of trusted keys. Those for which the keys are unknown get marked as signed but unverified.

The signatures are currently generated by running gpg in a separate process. I suppose the verification step could do something similar.

Hey - I suppose there is a fourth state:

(4) Forgery: The signature does not match.

--
D. Richard Hipp
[email protected]
_______________________________________________
fossil-users mailing list
[email protected]
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
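
An added sketch of the verification step proposed in the message above (not Fossil code and not part of the original message): it runs gpg in a separate process and maps the `--status-fd` output to the states discussed. The `SigState` names for the unsigned and verified states, the function names, and the sample status lines and fingerprints are assumptions constructed for illustration.

```python
import subprocess
from enum import Enum

class SigState(Enum):
    UNSIGNED = "unsigned"              # assumed name: no signature present
    VERIFIED = "signed, verified"      # assumed name: good signature, trusted key
    UNVERIFIED = "signed, unverified"  # key unknown, untrusted, expired or revoked
    FORGERY = "forgery"                # signature does not match the content

def gpg_status(path):
    """Run gpg in a separate process; return its machine-readable status lines."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True)
    return proc.stdout

def classify(status_text, trusted_fprs):
    """Map gpg status output to a SigState using the repository's trusted keys."""
    trusted = {f.upper() for f in trusted_fprs}
    records = [line.split()[1:] for line in status_text.splitlines()
               if line.startswith("[GNUPG:] ")]
    records = [r for r in records if r]
    keywords = {r[0] for r in records}
    if "BADSIG" in keywords:           # any mismatch wins over everything else
        return SigState.FORGERY
    if "GOODSIG" in keywords:
        for r in records:
            if r[0] == "VALIDSIG" and len(r) > 1:
                # Field 1 is the signing (sub)key fingerprint, field 10 the
                # primary key fingerprint when gpg reports one.
                fprs = {r[1]} | ({r[10]} if len(r) > 10 else set())
                if fprs & trusted:
                    return SigState.VERIFIED
        return SigState.UNVERIFIED     # valid signature, key not in trusted set
    if keywords & {"ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}:
        return SigState.UNVERIFIED     # signed, but cannot be vouched for
    return SigState.UNSIGNED

# Constructed sample data (not real keys or real gpg runs).
FPR = "A" * 40
SAMPLE_GOOD = ("[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed User\n"
               f"[GNUPG:] VALIDSIG {FPR} 2017-12-21 1513814400 0 4 0 1 8 00 {FPR}\n")
SAMPLE_UNKNOWN = ("[GNUPG:] ERRSIG BBBBBBBBBBBBBBBB 1 8 00 1513814400 9\n"
                  "[GNUPG:] NO_PUBKEY BBBBBBBBBBBBBBBB\n")
SAMPLE_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG AAAAAAAAAAAAAAAA Constructed User\n"
```

A signature made with an expired or revoked key is reported by gpg as `EXPKEYSIG` or `REVKEYSIG` rather than `GOODSIG`, so this sketch files it under signed but unverified even when the fingerprint is in the trusted set.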

