Junio C Hamano venit, vidit, dixit 13.06.2014 19:06:
> Jeff King <p...@peff.net> writes:
>> I realize this isn't really your itch to scratch. It's just that when I
>> see a description like "verify a commit", I wonder what exactly "verify"
>> means.
> I think that is an important point.  If a tool only verifies the
> signature of the commit when conceivably other aspect of it could
> also be verified but we cannot decide how or we decide we should not
> dictate one-way-fits-all, using a generic name "verify-commit" or
> "verify" without marking that it is currently only on the signature
> clearly somewhere might close the door to the future.
>     git verify <object>::
>         Verify whatever we currently deem is appropriate for the
>         given type of object.
>     git verify --gpg-signature::
>       Verify the GPG signature for a signed tag, a signed commit,
>         or a merge with signed tags.
>     git verify --commit-author <committish>::
>       Verify the GPG signer matches the "author " header of the
>       commit.
> and more, perhaps?

So what does that mean? And what does it mean for verify-tag, which does
nothing but checking the return code from gpg, just like the proposed

As pointed out, strict verification is a matter of policy, very much
like accepting certain ref updates etc. is. Do we want a signature
verification hook?

We currently don't have a scriptable commit signature verification in
the same way we have one for tag signatures. That's the gap that I
wanted to fill in in response to a blog post about commit signatures in
git. But it's not my itch, I don't use signatures.

To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to