From: Michael J Gruber <git@drmicha.warpmail.net>
To: Junio C Hamano <gitster@pobox.com>, Jeff King <peff@peff.net>
Cc: git@vger.kernel.org
Subject: Re: [PATCH 3/3] verify-commit: scriptable commit signature verification
Date: Mon, 16 Jun 2014 11:21:38 +0200 [thread overview]
Message-ID: <539EB722.8@drmicha.warpmail.net> (raw)
In-Reply-To: <xmqqbntw4u4d.fsf@gitster.dls.corp.google.com>
Junio C Hamano venit, vidit, dixit 13.06.2014 19:06:
> Jeff King <peff@peff.net> writes:
>
>> I realize this isn't really your itch to scratch. It's just that when I
>> see a description like "verify a commit", I wonder what exactly "verify"
>> means.
>
> I think that is an important point. If a tool only verifies the
> signature of the commit when conceivably other aspect of it could
> also be verified but we cannot decide how or we decide we should not
> dictate one-way-fits-all, using a generic name "verify-commit" or
> "verify" without marking that it is currently only on the signature
> clearly somewhere might close the door to the future.
>
> git verify <object>::
> Verify whatever we currently deem is appropriate for the
> given type of object.
>
> git verify --gpg-signature::
> Verify the GPG signature for a signed tag, a signed commit,
> or a merge with signed tags.
>
> git verify --commit-author <committish>::
> Verify the GPG signer matches the "author " header of the
> commit.
>
> and more, perhaps?
>
So what does that mean? And what does it mean for verify-tag, which does
nothing but checking the return code from gpg, just like the proposed
verify-commit?
As pointed out, strict verification is a matter of policy, very much
like accepting certain ref updates etc. is. Do we want a signature
verification hook?
We currently don't have a scriptable commit signature verification in
the same way we have one for tag signatures. That's the gap that I
wanted to fill in in response to a blog post about commit signatures in
git. But it's not my itch, I don't use signatures.
Michael
next prev parent reply other threads:[~2014-06-16 9:21 UTC|newest]
Thread overview: 75+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-06 14:15 [PATCH 0/3] verify-commit: verify commit signatures Michael J Gruber
2014-06-06 14:15 ` [PATCH 1/3] pretty: free the gpg status buf Michael J Gruber
2014-06-06 14:15 ` [PATCH 2/3] gpg-interface: provide access to the payload Michael J Gruber
2014-06-13 7:55 ` Jeff King
2014-06-13 9:44 ` Michael J Gruber
2014-06-13 10:34 ` Jeff King
2014-06-06 14:15 ` [PATCH 3/3] verify-commit: scriptable commit signature verification Michael J Gruber
2014-06-11 19:48 ` Michael J Gruber
2014-06-13 8:02 ` Jeff King
2014-06-13 9:55 ` Michael J Gruber
2014-06-13 11:09 ` Jeff King
2014-06-13 17:06 ` Junio C Hamano
2014-06-16 9:21 ` Michael J Gruber [this message]
2014-06-16 19:54 ` Jeff King
2014-06-16 20:34 ` Junio C Hamano
2014-06-16 20:39 ` Jeff King
2014-06-27 12:31 ` Michael J Gruber
2014-06-27 12:49 ` Michael J Gruber
2014-06-27 13:06 ` Michael J Gruber
2014-06-27 13:18 ` [PATCH] log: correctly identify mergetag signature verification status Michael J Gruber
2014-06-28 0:44 ` Jeff King
2014-07-10 22:27 ` Junio C Hamano
2014-06-27 13:50 ` [PATCH 3/3] verify-commit: scriptable commit signature verification Michael J Gruber
2014-06-27 18:55 ` Junio C Hamano
2014-06-27 18:36 ` Junio C Hamano
2014-06-28 0:32 ` Jeff King
2014-06-30 6:14 ` Junio C Hamano
2014-06-13 10:42 ` [PATCHv2 0/6] verify-commit: verify commit signatures Michael J Gruber
2014-06-13 10:42 ` [PATCHv2 1/6] pretty: free the gpg status buf Michael J Gruber
2014-06-13 11:39 ` Jeff King
2014-06-13 10:42 ` [PATCHv2 2/6] gpg-interface: provide access to the payload Michael J Gruber
2014-06-13 10:42 ` [PATCHv2 3/6] verify-commit: scriptable commit signature verification Michael J Gruber
2014-06-13 11:19 ` Jeff King
2014-06-13 11:45 ` Michael J Gruber
2014-06-13 11:50 ` Jeff King
2014-06-13 12:12 ` Michael J Gruber
2014-06-13 10:42 ` [PATCHv2 4/6] t7510: exit for loop with test result Michael J Gruber
2014-06-13 11:46 ` Jeff King
2014-06-13 12:04 ` Michael J Gruber
2014-06-13 12:22 ` Michael J Gruber
2014-06-13 12:33 ` Michael J Gruber
2014-06-13 12:45 ` Jeff King
2014-06-13 12:54 ` Johannes Sixt
2014-06-13 13:06 ` Michael J Gruber
2014-06-13 13:21 ` Johannes Sixt
2014-06-13 13:30 ` Jeff King
2014-06-13 13:31 ` Michael J Gruber
2014-06-13 13:42 ` Johannes Sixt
2014-06-13 18:23 ` Junio C Hamano
2014-06-13 10:42 ` [PATCHv2 5/6] t7510: test verify-commit Michael J Gruber
2014-06-13 11:51 ` Jeff King
2014-06-13 12:14 ` Michael J Gruber
2014-06-13 18:16 ` Junio C Hamano
2014-06-13 10:42 ` [PATCHv2 6/6] gpg-interface: provide clear helper for struct signature_check Michael J Gruber
2014-06-23 7:05 ` [PATCHv3 0/5] verify-commit: verify commit signatures Michael J Gruber
2014-06-23 7:05 ` [PATCHv3 1/5] gpg-interface: provide clear helper for struct signature_check Michael J Gruber
2014-06-23 7:05 ` [PATCHv3 2/5] gpg-interface: provide access to the payload Michael J Gruber
2014-06-23 7:05 ` [PATCHv3 3/5] verify-commit: scriptable commit signature verification Michael J Gruber
2014-06-23 7:05 ` [PATCHv3 4/5] t7510: exit for loop with test result Michael J Gruber
2014-06-23 7:05 ` [PATCHv3 5/5] t7510: test verify-commit Michael J Gruber
2014-06-23 23:02 ` Junio C Hamano
2014-06-23 17:28 ` [PATCHv3 0/5] verify-commit: verify commit signatures Jeff King
2014-06-23 17:52 ` Junio C Hamano
2014-06-23 21:09 ` Jeff King
2014-06-23 21:23 ` Junio C Hamano
2014-06-27 14:13 ` [PATCHv4 0/4] " Michael J Gruber
2014-06-27 14:13 ` [PATCHv4 1/4] gpg-interface: provide clear helper for struct signature_check Michael J Gruber
2014-06-27 14:13 ` [PATCHv4 2/4] gpg-interface: provide access to the payload Michael J Gruber
2014-06-27 14:13 ` [PATCHv4 3/4] verify-commit: scriptable commit signature verification Michael J Gruber
2014-06-27 14:13 ` [PATCHv4 4/4] t7510: test verify-commit Michael J Gruber
2014-06-27 19:32 ` Junio C Hamano
2014-06-27 20:26 ` Michael J Gruber
2014-06-27 19:07 ` [PATCHv4 0/4] verify-commit: verify commit signatures Junio C Hamano
2014-06-28 0:48 ` Jeff King
2014-06-28 0:49 ` Jeff King
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=539EB722.8@drmicha.warpmail.net \
--to=git@drmicha.warpmail.net \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).