
Tooling for verification of PGP signed commits
----------------------------------------------

This is an incomplete work in progress, but currently includes a pre-push hook
script (``) for maintainers to ensure that their own commits
are PGP signed (nearly always merge commits), as well as a script to verify
commits against a trusted keys list.

Using safely
------------------------------

Remember that you can't use an untrusted script to verify itself. This means
that checking out code, then running `` against `HEAD` is
_not_ safe, because the version of `` that you just ran could
be backdoored. Instead, you need to use a trusted version of verify-commits
prior to checkout to make sure you're checking out only code signed by trusted
keys:

    git fetch origin && \
    ./contrib/verify-commits/ origin/master && \
    git checkout origin/master

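The core of the check the trusted script performs is deciding, per commit, whether gpg reported a good signature from a key on the trusted list. The following is an added example written for this README, not the project's own script: it parses the machine-readable status lines that `git verify-commit --raw` relays from gpg (written to stderr) and accepts a commit only when `GOODSIG` and `VALIDSIG` are present, the primary-key fingerprint in `VALIDSIG` is on the allowlist, and no rejecting status (bad, expired, revoked or unknown key) appeared. All fingerprints, key IDs and commit hashes below are constructed placeholders, and the allowlist is an assumed stand-in for the project's trusted keys list.

```python
"""Added example: check gpg status output from `git verify-commit --raw`
against an allowlist of trusted primary-key fingerprints.

Every fingerprint, key ID and commit hash here is a constructed placeholder.
"""
import re
import subprocess
from typing import Dict, List, Optional, Set, Tuple

# Constructed allowlist of trusted primary-key fingerprints (not real keys).
TRUSTED_FINGERPRINTS: Set[str] = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# gpg status keywords that must fail the check no matter which key is involved.
REJECT_STATUSES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def parse_status_lines(raw: str) -> List[Tuple[str, str]]:
    """Extract (keyword, arguments) pairs from gpg --status-fd style output."""
    parsed = []
    for line in raw.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            parsed.append((m.group(1), m.group(2) or ""))
    return parsed


def signature_trusted(raw: str, trusted: Set[str] = TRUSTED_FINGERPRINTS) -> Optional[str]:
    """Return the trusted primary fingerprint that signed the commit, or None.

    An unsigned commit yields no status lines at all and is rejected like any
    other failure; a signature by a key that is valid but not on the list is
    rejected as well.
    """
    statuses = parse_status_lines(raw)
    keywords = {kw for kw, _ in statuses}
    if keywords & REJECT_STATUSES or "GOODSIG" not in keywords:
        return None
    for kw, args in statuses:
        if kw != "VALIDSIG":
            continue
        fields = args.split()
        # VALIDSIG fields: <sig-fpr> <date> <ts> <expire> <ver> <reserved>
        # <pk-algo> <hash-algo> <class> <primary-fpr>.  A signature made with
        # a subkey carries the subkey fpr first, so compare the primary one.
        primary = fields[9] if len(fields) >= 10 else fields[0]
        if primary.upper() in trusted:
            return primary.upper()
    return None


def gpg_status_for(commit: str) -> str:
    """Run `git verify-commit --raw`; gpg's status lines arrive on stderr."""
    proc = subprocess.run(["git", "verify-commit", "--raw", commit],
                          capture_output=True, text=True)
    return proc.stderr


def untrusted_commits(status_by_commit: Dict[str, str],
                      trusted: Set[str] = TRUSTED_FINGERPRINTS) -> List[str]:
    """Return the commits whose signature does not verify to a trusted key."""
    return sorted(c for c, raw in status_by_commit.items()
                  if signature_trusted(raw, trusted) is None)


# Constructed sample status output, shaped like gpg --status-fd lines.
_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"      # trusted (constructed)
_OTHER = "89ABCDEF0123456789ABCDEF0123456789ABCDEF"    # untrusted (constructed)
_UID = "Example Maintainer <maintainer@example.invalid>"

SAMPLE_GOOD = f"""[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED {_FPR} 0
[GNUPG:] GOODSIG {_FPR[-16:]} {_UID}
[GNUPG:] VALIDSIG {_FPR} 2024-01-01 1704067200 0 4 0 1 8 01 {_FPR}
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""
# Same shape, but signed by a key that is not on the allowlist.
SAMPLE_UNTRUSTED = SAMPLE_GOOD.replace(_FPR, _OTHER)
# Signing subkey fingerprint differs, primary key is trusted.
SAMPLE_SUBKEY = f"""[GNUPG:] GOODSIG {_OTHER[-16:]} {_UID}
[GNUPG:] VALIDSIG {_OTHER} 2024-01-01 1704067200 0 4 0 1 8 01 {_FPR}
"""
SAMPLE_EXPIRED = f"""[GNUPG:] EXPKEYSIG {_FPR[-16:]} {_UID}
[GNUPG:] VALIDSIG {_FPR} 2024-01-01 1704067200 0 4 0 1 8 01 {_FPR}
"""
SAMPLE_BAD = f"[GNUPG:] BADSIG {_FPR[-16:]} {_UID}\n"
SAMPLE_UNSIGNED = ""

SAMPLE_COMMITS = {                        # constructed commit ids
    "1" * 40: SAMPLE_GOOD,
    "2" * 40: SAMPLE_UNTRUSTED,
    "3" * 40: SAMPLE_EXPIRED,
    "4" * 40: SAMPLE_BAD,
    "5" * 40: SAMPLE_UNSIGNED,
}

if __name__ == "__main__":
    for c in untrusted_commits(SAMPLE_COMMITS):
        print("not signed by a trusted key:", c)
```

Comparing the primary-key fingerprint rather than the signing subkey's lets maintainers rotate signing subkeys without touching the allowlist, while `REJECT_STATUSES` ensures an expired or revoked key on that list still fails the check.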
Note that the above isn't a good UI/UX yet, and needs significant improvements
to make it more convenient and reduce the chance of errors; pull-reqs
improving this process would be much appreciated.