On Tue, Aug 19, 2014 at 03:06:24PM -0700, Junio C Hamano wrote: > While signed tags and commits assert that the objects thusly signed > came from you, who signed these objects, there is not a good way to > assert that you wanted to have a particular object at the tip of a > particular branch. My signing v2.0.1 tag only means I want to call > the version v2.0.1, and it does not mean I want to push it out to my > 'master' branch---it is likely that I only want it in 'maint'. > > Introduce a mechanism that allows you to sign a "push certificate" > (for the lack of better name) every time you push, asserting that > what object you are pushing to update which ref that used to point > at what other object. Think of it as a cryptographic protection for > ref updates, similar to signed tags/commits but working on an > orthogonal axis. > > The basic flow based on this mechanism goes like this: > > 1. You push out your work with "git push -s".
You wrote "git push -s", but the command below only seems to understand --signed, not -s. It should probably be consistent. > diff --git a/builtin/push.c b/builtin/push.c > index f50e3d5..ae56f73 100644 > --- a/builtin/push.c > +++ b/builtin/push.c > @@ -506,6 +506,7 @@ int cmd_push(int argc, const char **argv, const char > *prefix) > OPT_BIT(0, "no-verify", &flags, N_("bypass pre-push hook"), > TRANSPORT_PUSH_NO_HOOK), > OPT_BIT(0, "follow-tags", &flags, N_("push missing but relevant > tags"), > TRANSPORT_PUSH_FOLLOW_TAGS), > + OPT_BIT(0, "signed", &flags, N_("GPG sign the push"), > TRANSPORT_PUSH_CERT), > OPT_END() > }; > -- brian m. carlson / brian with sandals: Houston, Texas, US +1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
Description: Digital signature