Nevar pievienot vairāk kā 25 tēmas Tēmai ir jāsākas ar burtu vai ciparu, tā var saturēt domu zīmes ('-') un var būt līdz 35 simboliem gara.
SHI 0d0140ff16 Rename all pirms 3 gadiem
.. Add README for verify-commits pirms 4 gadiem
allow-revsig-commits Add Pieter's old signed commits to revsig-commits pirms 3 gadiem Rename all pirms 3 gadiem Rename all pirms 3 gadiem
trusted-git-root Remove keys that are no longer used for merging pirms 4 gadiem
trusted-keys Allow any subkey in verify-commits pirms 3 gadiem
trusted-sha512-root-commit Update trusted-sha512-root-commit for new bad tree hash pirms 3 gadiem Rename all pirms 3 gadiem

Tooling for verification of PGP signed commits

This is an incomplete work in progress, but currently includes a pre-push hook script ( for maintainers to ensure that their own commits are PGP signed (nearly always merge commits), as well as a script to verify commits against a trusted keys list.

Using safely

Remember that you can’t use an untrusted script to verify itself. This means that checking out code, then running against HEAD is not safe, because the version of that you just ran could be backdoored. Instead, you need to use a trusted version of verify-commits prior to checkout to make sure you’re checking out only code signed by trusted keys:

git fetch origin && \
  ./contrib/verify-commits/ origin/master && \
  git checkout origin/master

Note that the above isn’t a good UI/UX yet, and needs significant improvements to make it more convenient and reduce the chance of errors; pull-reqs improving this process would be much appreciated.