1 file changed +26 -0 lines changed
1+ Tooling for verification of PGP signed commits
2+ ----------------------------------------------
3+
4+ This is an incomplete work in progress, but currently includes a pre-push hook
5+ script (` pre-push-hook.sh ` ) for maintainers to ensure that their own commits
6+ are PGP signed (nearly always merge commits), as well as a script to verify
7+ commits against a trusted keys list.
8+
9+
10+ Using verify-commits.sh safely
11+ ------------------------------
12+
13+ Remember that you can't use an untrusted script to verify itself. This means
14+ that checking out code, then running ` verify-commits.sh ` against ` HEAD ` is
15+ _ not_ safe, because the version of ` verify-commits.sh ` that you just ran could
16+ be backdoored. Instead, you need to use a trusted version of verify-commits
17+ prior to checkout to make sure you're checking out only code signed by trusted
18+ keys:
19+
20+ git fetch origin && \
21+ ./contrib/verify-commits/verify-commits.sh origin/master && \
22+ git checkout origin/master
23+
24+ Note that the above isn't a good UI/UX yet, and needs significant improvements
25+ to make it more convenient and reduce the chance of errors; pull-reqs
26+ improving this process would be much appreciated.
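Review bot: The "Using verify-commits.sh safely" section should state explicitly that the `./contrib/verify-commits/verify-commits.sh` invoked in the `git fetch origin && ...` example is the copy from the currently checked-out, previously verified tree, and that the `&&` chain is what keeps `git checkout origin/master` from running unless verification succeeds; as written, a reader could run that sequence from a fresh clone, which is exactly the "untrusted script verifying itself" case the preceding paragraph warns against. The same section should also say where the trusted keys list lives and that it, too, must come from the trusted checkout rather than from the commits being verified, since the script's verdict is only as strong as that list. Minor: the inline code spans (` pre-push-hook.sh `, ` verify-commits.sh `, ` HEAD `) carry stray spaces inside the backticks and `_ not_` has a stray space after the underscore, so neither will render as intended; the double blank line before the "Using verify-commits.sh safely" heading can also be collapsed.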
0 commit comments