On 21 December 2017 at 14:16, Richard Hipp <d...@sqlite.org> wrote:
> On 12/21/17, jungle Boogie <jungleboog...@gmail.com> wrote:
>>
>> How are the signatures verified?
>
> Signatures are not verified, at the moment.
>
> Probably each repository would have a set of trusted public keys.
> Then as each check-in is received via push (or during a rebuild) those
> with signatures have the signatures verified using the set of trusted
> keys. Those for which the keys are unknown get marked as signed but
> unverified.
>

Gotcha. I was assuming this was already implemented and I missed a feature like this.

I like the idea of the repo keeping track of the keys, rather than a key server _in this instance_. Fossil, while distributed, can work where there's no internet. If that's the case, keys wouldn't be verified.

> The signatures are currently generated by running gpg in a separate
> process. I suppose the verification step could do something similar.
>
> Hey - I suppose there is a fourth state: (4) Forgery: The signature
> does not match.

I like SDR's response!

> --
> D. Richard Hipp
> d...@sqlite.org

--
-------
inum: 883510009027723
sip: jungleboo...@sip2sip.info
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
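
A sketch of the verification step discussed in this thread, added here as an example; it is not part of the messages and not Fossil's code. It runs gpg in a separate process against a per-repository keyring and maps gpg's `--status-fd` output to four states. The names `SigState`, `classify` and `verify_artifact` are hypothetical, the "unsigned" and "signed and verified" state names are assumed (only "signed but unverified" and "Forgery" appear above), and the trusted set is modelled as key fingerprints on the assumption that check-ins are clearsigned text.

```python
import subprocess
from enum import Enum

class SigState(Enum):                      # first and third names are assumed
    UNSIGNED = "unsigned"
    UNVERIFIED = "signed but unverified"
    VERIFIED = "signed and verified"
    FORGERY = "forgery"

FPR = "0123456789ABCDEF0123456789ABCDEF01234567"   # constructed fingerprint
SAMPLE_GOOD = (                                      # constructed gpg status output
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed User <user@example.org>\n"
    f"[GNUPG:] VALIDSIG {FPR} 2017-12-21 1513865760 0 4 0 1 8 01 {FPR}\n")

def classify(status_output, trusted_fprs):
    """Map `gpg --status-fd` lines to one of the four states."""
    trusted = {f.upper() for f in trusted_fprs}
    seen = {}
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            seen.setdefault(parts[1], []).append(parts[2:])
    if "BADSIG" in seen:                   # any mismatch wins: fail closed
        return SigState.FORGERY
    if seen.keys() & {"EXPSIG", "EXPKEYSIG", "REVKEYSIG"}:
        return SigState.UNVERIFIED         # this example's choice for expired/revoked
    for args in seen.get("VALIDSIG", []):
        # first field: signing-key fingerprint; last field: primary-key fingerprint
        if args and {args[0].upper(), args[-1].upper()} & trusted:
            return SigState.VERIFIED
    if seen.keys() & {"VALIDSIG", "ERRSIG", "NO_PUBKEY"}:
        return SigState.UNVERIFIED         # signed, but key unknown or not trusted
    return SigState.UNSIGNED

def verify_artifact(path, keyring, trusted_fprs):
    """Run gpg in a separate process against the repository's own keyring."""
    with open(path, "rb") as f:
        if b"-----BEGIN PGP SIGNED MESSAGE-----" not in f.read():
            return SigState.UNSIGNED
    proc = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", path],
        capture_output=True, text=True)
    state = classify(proc.stdout, trusted_fprs)
    # Armor present but no signature status reported: do not call it unsigned.
    return SigState.UNVERIFIED if state is SigState.UNSIGNED else state
```

Because the keyring is a local file passed with `--no-default-keyring`, the check works without network access or a key server.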