On Mon, Aug 10, 2015, at 22:56 CDT, Kent Fredric <[email protected]> wrote:
> So how is GPG verifying "The whole repository" ?

You can verify the state of the repository via

    $ git fsck

after that you can verify that the current HEAD is tagged with a valid and signed tag with something like

    $ git tag -v `git describe HEAD`

This verifies the integrity of the whole history up to HEAD - at least if you consider sha1 to be cryptographically

Best,
Matthias

PS.: I think I was mistaken with respect to individually signed commits - the verification seems to be stricter than I thought.
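The two checks from the message above, combined into one function with distinct failure codes. This is an added example, not part of the original post; the function name `verify_head_signed` and its return codes are this example's own, and it assumes the signer's public key is already in the local GPG keyring.

```shell
#!/bin/sh
# Added example (hypothetical helper): verify_head_signed [REPO]
# Returns 0 only if the object store passes fsck AND HEAD sits exactly on
# an annotated tag whose GPG signature verifies against the local keyring.
verify_head_signed() {
    repo=${1:-.}

    # 1. Object-store integrity: every object must hash to its own name
    #    and every reference between objects must resolve.
    git -C "$repo" fsck --no-dangling >/dev/null 2>&1 || {
        echo "fsck failed" >&2; return 2; }

    # 2. HEAD must be the tagged commit itself. Plain `git describe HEAD`
    #    prints e.g. v1.0-3-gabc123 when HEAD is past the tag, which is not
    #    a tag name; --exact-match fails with a clear status instead.
    tag=$(git -C "$repo" describe --exact-match HEAD 2>/dev/null) || {
        echo "HEAD is not at an annotated tag" >&2; return 3; }

    # 3. Signature check on the tag object. Fails for unsigned tags,
    #    bad signatures, and signing keys missing from the keyring.
    git -C "$repo" verify-tag "$tag" >/dev/null 2>&1 || {
        echo "tag $tag: no valid signature" >&2; return 4; }

    echo "HEAD verified via signed tag $tag"
}
```

A zero status still says only that some key in the keyring signed the tag; whether that key belongs to someone trusted to sign releases is a separate decision.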
