rebase has no --verify-signatures

rebase has no --verify-signatures

[Alexander 'z33ky' Hirsch]

Hi,

The git merge command has a --verify-signatures flag, which, when set, checks that the commits to be merged have trusted GPG signatures. git pull also knows this flag and forwards it to the merge command.

However, doing a git pull --rebase --verify-signatures silently ignores it, since rebase has no --verify-signatures flag.

Is there any technical reason why rebase should not have a --verify-signatures flag? I have written a patch to git-rebase--am which enables it to do such a check. If there is no reason not to include it I'd add documentation and a test and submit it.

Otherwise I think git pull should warn, or even die with an error, if both --rebase and --verify-signatures are passed.

Regards,
Alexander Hirsch

Re: rebase has no --verify-signatures

[brian m. carlson]

[-- Attachment #1: Type: text/plain, Size: 908 bytes --]

On Mon, Dec 07, 2015 at 03:00:15PM +0100, Alexander 'z33ky' Hirsch wrote:
> Is there any technical reason why rebase should not have a
> --verify-signatures flag? I have written a patch to git-rebase--am
> which enables it to do such a check. If there is no reason not to
> include it I'd add documentation and a test and submit it.

As far as I know, there is no technical reason that it shouldn't.  It's
probably that nobody has implemented it yet.  I'd certainly be
interested in such a patch.

For a thorough change, you'd probably want to make it work with
git-rebase--merge and git-rebase--interactive as well.  I'm sure I'm not
the only person who frequently uses rebase -m.
-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 835 bytes --]

Re: rebase has no --verify-signatures

[Alexander 'z33ky' Hirsch]

On Tue, Dec 08, 2015 at 01:21:25AM +0000, brian m. carlson wrote:
> On Mon, Dec 07, 2015 at 03:00:15PM +0100, Alexander 'z33ky' Hirsch wrote:
> > Is there any technical reason why rebase should not have a
> > --verify-signatures flag? I have written a patch to git-rebase--am
> > which enables it to do such a check. If there is no reason not to
> > include it I'd add documentation and a test and submit it.
> 
> As far as I know, there is no technical reason that it shouldn't.  It's
> probably that nobody has implemented it yet.  I'd certainly be
> interested in such a patch.
> 
> For a thorough change, you'd probably want to make it work with
> git-rebase--merge and git-rebase--interactive as well.  I'm sure I'm not
> the only person who frequently uses rebase -m.

Ah, rebase -m. That sounds nice, I didn't know about this feature.
In fact, I first tried to write the code in git-rebase--merge, thinking this is the default rebase script.

git-rebase--interactive sounds a bit more difficult since you could easily modify commits, thereby removing previously GPG signed commits. Although this sounds like all the more reason why it would be useful to check for it.

I'll look at the script and ponder about it. I'll post whatever I come up with on Thursday (probably) or Friday.
I'll put you in the CC when I post the patch.

Regards,
Alexander Hirsch