On Fri, Jun 1, 2012 at 11:12 AM, Andreas K. Huettel <dilfri...@gentoo.org> wrote:
> Now, does the "signed data" also contain the parent sha?

So, I was working on a lengthy email which now would be fairly repetitive of what Kent posted. Suffice it to say I managed to rip out a commit from the kde overlay, deflate it, and confirm that the signature:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)

iQEcBAABCgAGBQJPx+mcAAoJEO+t9ga+3I3aqLoH/0OrRA1+NPRHGfbbLoQrqMwl
sB+2It2Pb9LfPjEme+lrQu5WgFY4j7k0qd2ZYdnXM7JdQjsqmpfAMloHh5JN4TAS
4vk8+u2GJCYgzL/SY5XlPl2l8dT91PhQJSN0yVt4Q9TsoN3nzVpFBjACJCy9R6j2
HrXvz/g3+MqY/9VesV8IiVgvQUTVgCdh8zBJ2rVyWAVH0bErsn518aiwEyfzNOxA
1qJxxgGJLMpXp+nI8rnmhqTAAKiNA+byAKAsTEl3LS7OvQZ51aOCwa4A2GLOn2ef
5JmuYQG5/FsS0RfXrqk72PiStTBWa3TakHYrgNXOXlslIR5AIB2tYnXqZcdEqYQ=
=fucY
-----END PGP SIGNATURE-----

does in fact verify for the payload:

--start--
tree 7d7f97cded40158d0f580ca6fbe97398d5c867f8
parent 14d7d9cb2219f64c7a715d8da0bbe48a32c9dad8
author Johannes Huber <j...@gentoo.org> 1338501525 +0200
committer Johannes Huber <j...@gentoo.org> 1338501525 +0200

[kde-base/kdelibs] Sync with live.

(Portage version: 2.2.0_alpha108/git/Linux i686, unsigned Manifest commit)
--end--

Dump those into a text file and run gpg for yourself...

The full commit contains the gpg signature in a field as already posted by Kent.

And while I appreciate the performance boost and space savings provided by all the compression/packing/etc, I've learned to almost hate those features with a passion this morning... Getting a cloned repo unpacked, and the commit decompressed was a bit pita.

The other issue is that the header in the commit file is stripped before it is signed, the actual start of the commit is "commit 830tree..."

Rich
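
Added example, not part of Rich's message or of git itself: a Python sketch of the manual steps described above, which decompresses a loose commit object, drops the "commit <size>" object header, and separates the gpgsig field from the payload that was signed (tree, parent, author, committer, message). The function names and the sample object are assumptions; the sample is constructed with a placeholder signature, so it shows the split but will not verify with gpg.

```python
import zlib

def split_signed_commit(loose_object: bytes):
    """Return (signed_payload, armored_signature) from a zlib-compressed
    loose commit object as stored under .git/objects/."""
    raw = zlib.decompress(loose_object)
    # The object header "commit <size>\0" is not part of the signed data.
    header, _, body = raw.partition(b"\x00")
    kind, _, size = header.partition(b" ")
    if kind != b"commit" or int(size) != len(body):
        raise ValueError("not a well-formed commit object")
    # Commit headers end at the first empty line; the message follows.
    head, sep, message = body.partition(b"\n\n")
    kept, sig, in_sig = [], [], False
    for line in head.split(b"\n"):
        if line.startswith(b"gpgsig "):
            in_sig = True
            sig.append(line[len(b"gpgsig "):])
        elif in_sig and line.startswith(b" "):
            # Continuation lines of the signature are indented by one space.
            sig.append(line[1:])
        else:
            in_sig = False
            kept.append(line)
    if not sig:
        raise ValueError("commit carries no gpgsig header")
    # Signed payload = the commit with the gpgsig header removed,
    # so it still contains the tree and parent hashes.
    return b"\n".join(kept) + sep + message, b"\n".join(sig) + b"\n"

def build_sample() -> bytes:
    """Constructed sample object; hashes and signature are placeholders."""
    body = (b"tree " + b"1" * 40 + b"\n"
            b"parent " + b"2" * 40 + b"\n"
            b"author A U Thor <a@example.org> 1338501525 +0200\n"
            b"committer A U Thor <a@example.org> 1338501525 +0200\n"
            b"gpgsig -----BEGIN PGP SIGNATURE-----\n"
            b" \n"
            b" PLACEHOLDERSIGNATUREDATA\n"
            b" -----END PGP SIGNATURE-----\n"
            b"\n"
            b"Constructed commit message\n")
    return zlib.compress(b"commit %d\x00" % len(body) + body)

if __name__ == "__main__":
    payload, signature = split_signed_commit(build_sample())
    print(payload.decode(), signature.decode(), sep="\n---\n")
```

With a real signed commit, writing the two returned values to files and running gpg --verify on the signature file and the payload file repeats the check described in the message.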