On Tue, Aug 19, 2014 at 03:06:24PM -0700, Junio C Hamano wrote:
> While signed tags and commits assert that the objects thusly signed
> came from you, who signed these objects, there is not a good way to
> assert that you wanted to have a particular object at the tip of a
> particular branch.  My signing v2.0.1 tag only means I want to call
> the version v2.0.1, and it does not mean I want to push it out to my
> 'master' branch---it is likely that I only want it in 'maint'.
>
> Introduce a mechanism that allows you to sign a "push certificate"
> (for the lack of better name) every time you push, asserting that
> what object you are pushing to update which ref that used to point
> at what other object.  Think of it as a cryptographic protection for
> ref updates, similar to signed tags/commits but working on an
> orthogonal axis.
>
> The basic flow based on this mechanism goes like this:
>
>  1. You push out your work with "git push -s".

You wrote "git push -s", but the command below only seems to understand
--signed, not -s.  It should probably be consistent.

> diff --git a/builtin/push.c b/builtin/push.c
> index f50e3d5..ae56f73 100644
> --- a/builtin/push.c
> +++ b/builtin/push.c
> @@ -506,6 +506,7 @@ int cmd_push(int argc, const char **argv, const char 
> *prefix)
>               OPT_BIT(0, "no-verify", &flags, N_("bypass pre-push hook"), 
>               OPT_BIT(0, "follow-tags", &flags, N_("push missing but relevant 
> tags"),
>                       TRANSPORT_PUSH_FOLLOW_TAGS),
> +             OPT_BIT(0, "signed", &flags, N_("GPG sign the push"), 
>               OPT_END()
>       };
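Review bot: the new option is registered as OPT_BIT(0, "signed", ...), i.e. with no short letter, while the quoted commit message tells users to run "git push -s"; either give the option a short form in this OPT_BIT or change the description to say "git push --signed" so the two agree. Note also that the quoted hunk is cut off after N_("GPG sign the push"), so the flag value paired with the new bit does not appear here and cannot be checked against the other OPT_BIT entries.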
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
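A worked illustration of the point the quoted commit message makes, added here as an example; it is not code from the patch or from git. It models the two axes separately: a signed tag vouches for an object, while a push certificate vouches for a ref update (old object, new object, refname). The certificate layout, the object ids and the pusher key are all constructed for the demo, and an HMAC stands in for the GPG signature the patch actually uses (that is an assumption made to keep the example self-contained, not how git does it).

```python
import hashlib
import hmac

# Constructed sample object ids and a constructed pusher key; none of these
# come from the patch. HMAC stands in for the GPG signature the patch uses.
OLD_MAINT = "1" * 40          # where 'maint' pointed before the push
V2_0_1 = "2" * 40             # the (signed) v2.0.1 tag object
PUSHER_KEY = b"constructed-demo-pusher-key"


def build_push_certificate(updates):
    """Serialise the asserted ref updates, one '<old> <new> <refname>' line
    each (constructed layout, not git's on-the-wire format).

    `updates` is a list of (refname, old_oid, new_oid) tuples.
    """
    lines = ["push-certificate/constructed-demo"]
    for refname, old_oid, new_oid in updates:
        lines.append(f"{old_oid} {new_oid} {refname}")
    return "\n".join(lines) + "\n"


def sign_certificate(body, key=PUSHER_KEY):
    """Pusher side: produce the signature that travels with the body."""
    return hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()


def check_push(body, signature, requested_updates, key=PUSHER_KEY):
    """Receiving side: verify the signature, then refuse any ref update that
    the certificate does not assert. Returns (accepted, reason)."""
    expected = sign_certificate(body, key)
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature on push certificate"
    asserted = set(body.splitlines()[1:])
    requested = {f"{old} {new} {ref}" for ref, old, new in requested_updates}
    if requested != asserted:
        return False, "ref updates differ from what the certificate asserts"
    return True, "ok"


def demo():
    # 1. The pusher wants v2.0.1 only on 'maint' and signs exactly that.
    intended = [("refs/heads/maint", OLD_MAINT, V2_0_1)]
    cert = build_push_certificate(intended)
    sig = sign_certificate(cert)

    # Honest relay: the updates match the certificate, so it is accepted.
    honest = check_push(cert, sig, intended)

    # 2. The tag object is perfectly well signed, but a signed tag says
    #    nothing about refs. Pointing 'master' at the same object would look
    #    fine on the strength of the tag alone; the certificate check catches
    #    it because the refname is not what the pusher asserted.
    redirected = [("refs/heads/master", OLD_MAINT, V2_0_1)]
    mismatch = check_push(cert, sig, redirected)

    # 3. A certificate altered in transit to match the redirected update
    #    fails the signature check instead.
    tampered = check_push(cert.replace("maint", "master"), sig, redirected)
    return honest, mismatch, tampered


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The shared-key HMAC is the one place this differs materially from the patch: with GPG the receiving end verifies using the pusher's public key and holds no secret, which is what makes the certificate useful to a third party auditing ref updates later.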
