README.md 1.1KB

Tooling for verification of PGP signed commits
----------------------------------------------

This is an incomplete work in progress, but currently includes a pre-push hook
script (`pre-push-hook.sh`) for maintainers to ensure that their own commits
are PGP signed (nearly always merge commits), as well as a script to verify
commits against a trusted keys list.

Using verify-commits.sh safely
------------------------------

Remember that you can't use an untrusted script to verify itself. This means
that checking out code, then running `verify-commits.sh` against `HEAD` is
_not_ safe, because the version of `verify-commits.sh` that you just ran could
be backdoored. Instead, you need to use a trusted version of verify-commits
prior to checkout to make sure you're checking out only code signed by trusted
keys:

    git fetch origin && \
      ./contrib/verify-commits/verify-commits.sh origin/master && \
      git checkout origin/master

Note that the above isn't a good UI/UX yet, and needs significant improvements
to make it more convenient and reduce the chance of errors; pull-reqs
improving this process would be much appreciated.
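
One way to make "a trusted version of verify-commits" concrete, as an added example that is not part of this README or the project's scripts: pin the SHA-256 of the verifier as recorded when you reviewed it, refuse to run it if the file has changed since, and check out exactly the commit that was verified. The function names, the `VERIFY_SHELL` variable and passing a commit id to the script are assumptions; any data files the script reads would need the same pinning.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not the project's code).
# Assumes GNU coreutils `sha256sum` and a verifier runnable with `sh`.

# sha256_of FILE: print the hex SHA-256 digest of FILE.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# run_pinned SCRIPT EXPECTED_SHA256 [ARGS...]
# Runs SCRIPT only if its digest equals the pinned value.
# Returns 2 if SCRIPT is missing, 3 on digest mismatch,
# otherwise the exit status of SCRIPT itself.
run_pinned() {
    script=$1; expected=$2; shift 2
    [ -f "$script" ] || { echo "missing verifier: $script" >&2; return 2; }
    actual=$(sha256_of "$script") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $script: digest does not match pin" >&2
        return 3
    fi
    "${VERIFY_SHELL:-sh}" "$script" "$@"
}

# verified_checkout REF VERIFIER PIN
# Fetch, resolve REF to one commit id, verify that id with the pinned
# verifier, then check out the same id, so the ref cannot move between
# the verification step and the checkout step.
# Assumption: the verifier accepts a commit id where the README passes
# origin/master.
verified_checkout() {
    ref=$1; verifier=$2; pin=$3
    git fetch origin || return 1
    commit=$(git rev-parse --verify "${ref}^{commit}") || return 1
    run_pinned "$verifier" "$pin" "$commit" || return 1
    git checkout "$commit"
}

# Usage (the pin is a value you recorded yourself after review):
#   verified_checkout origin/master \
#       ./contrib/verify-commits/verify-commits.sh "$PINNED_SHA256"
```

The pin has to be stored somewhere the fetched code cannot modify, for example outside the repository.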