On Fri, Jun 06, 2014 at 04:15:28PM +0200, Michael J Gruber wrote:

> Commit signatures can be verified using "git show -s --show-signature"
> or the "%G?" pretty format and parsing the output, which is well suited
> for user inspection, but not for scripting.
> Provide a command "verify-commit" which is analogous to "verify-tag": It
> returns 0 for good signatures and non-zero otherwise, has the gpg output
> on stderr and (optionally) the commit object on stdout, sans the
> signature, just like "verify-tag" does.
> Signed-off-by: Michael J Gruber <g...@drmicha.warpmail.net>

I think the general direction of this series is reasonable.

Did you give any thought to just having a "git verify" command, instead
of separate tag/verify commands?

Another thought, that may be orthogonal to your series: what does it
mean to verify a commit? We check for _some_ signature from a key that
is in your keyring. But we do not check whether the signature matches
the committer field (or for tags, the tagger field). You have to parse
the gpg output, run "git cat-file", and then correlate the two. Should
there be an option to have git check that one of the signed uids from
gpg matches the commit's committer?

To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to