For what it's worth, I submitted a patch a while back to add S/MIME
support to Fossil's signature scheme. I still apply this patch to Fossil
when I use it. S/MIME uses PKI and is primarily used for non-repudiation
or encryption in email (every major email client supports it out of the
box). PKI is also used for HTTPS.

On Thu, 21 Dec 2017, Richard Hipp wrote:
> On 12/21/17, jungle Boogie <jungleboog...@gmail.com> wrote:
>> How are the signatures verified?
>
> Signatures are not verified, at the moment.
>
> Probably each repository would have a set of trusted public keys.
> Then as each check-in is received via push (or during a rebuild) those
> with signatures have the signatures verified using the set of trusted
> keys. Those for which the keys are unknown get marked as signed but
> unverified.
>
> The signatures are currently generated by running gpg in a separate
> process. I suppose the verification step could do something similar.
>
> Hey - I suppose there is a fourth state: (4) Forgery: The signature
> does not match.
>
> --
> D. Richard Hipp
> d...@sqlite.org
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
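
The verification step sketched in the quoted message (run gpg in a separate process, check against a per-repository set of trusted keys, and sort each check-in into a state) could look like the following. This is an added example, not code from the thread or from Fossil. It assumes the state names `unsigned` and `verified` (only "signed but unverified" and "forgery" appear above), a trusted set stored as key fingerprints, and constructed sample status lines.

```python
import subprocess

def gpg_status(path):
    """Run gpg in a separate process; return its machine-readable status lines."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True)
    return proc.stdout

def classify(status_text, trusted_fprs):
    """Map gpg --status-fd output to one of four check-in signature states."""
    signed = degraded = False
    fprs = set()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        key, *args = line.split()[1:] or [""]
        if key == "BADSIG":
            return "forgery"                  # signature does not match the content
        if key in ("GOODSIG", "ERRSIG", "NO_PUBKEY"):
            signed = True                     # a signature is present; trust decided below
        elif key in ("EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            signed = degraded = True          # expired or revoked: never report verified
        elif key == "VALIDSIG" and args:
            signed = True
            fprs.update({args[0], args[-1]})  # signing-key and primary-key fingerprints
    if not signed:
        return "unsigned"
    if fprs & set(trusted_fprs) and not degraded:
        return "verified"
    return "signed-unverified"                # unknown key, or key not in the trusted set

# Constructed sample status output (fingerprint and key id are made up).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
GOOD = ("[GNUPG:] NEWSIG\n"
        "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Committer\n"
        f"[GNUPG:] VALIDSIG {FPR} 2017-12-21 1513814400 0 4 0 1 8 01 {FPR}\n")
BAD = "[GNUPG:] BADSIG 89ABCDEF01234567 Example Committer\n"
UNKNOWN = ("[GNUPG:] ERRSIG 89ABCDEF01234567 1 8 01 1513814400 9\n"
           "[GNUPG:] NO_PUBKEY 89ABCDEF01234567\n")
```

Matching on the `VALIDSIG` fingerprint rather than the user ID in `GOODSIG` keeps the decision tied to the repository's own trusted set, since a key merely being present in the local keyring says nothing about whether the repository trusts it.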