Re: Git-commits mailing list feed.
From: Jan Harkes
Date: Sat Apr 23 2005 - 13:36:45 EST
On Sat, Apr 23, 2005 at 10:31:28AM -0700, Linus Torvalds wrote:
> In other words, I actually want to create "tag objects", the same way we
> have "commit objects". A tag object points to a commit object, but in
> addition it contains the tag name _and_ the digital signature of whoever
> created the tag.
I see how we can use such a tag object to find a specific commit object
in the tree. But if you put the tag objects in the tree as well we now
have to figure out a way to find the tag objects.
Why not keep the tags object outside of the tree in the tags/ directory.
That way it is easy to find them, and simple to validate all tags or
update the signatures if you lost your key.
> properly. Oh, and make sure the above sounds sane (ie if somebody has a
> better idea for how to more easily identify how to find the public key to
> check against, please speak up).
Others already mentioned the gpg clearsign and verify options, to find a
public key that you haven't seen before it is probably easiest to use a
keyserver. If verify complains that it doesn't know a key it will print
a key-id that identifies it. That id can then be looked up as follows,
gpg --keyserver wwwkeys.pgp.net --search-keys 0xA86B35C5
gpg: searching for "0xA86B35C5" from hkp server wwwkeys.pgp.net
(1) Linus Torvalds <Linus.Torvalds@xxxxxxxxxxx>
1024 bit RSA key A86B35C5, created: 1996-06-08
Keys 1-1 of 1 for "0xA86B35C5". Enter number(s), N)ext, or Q)uit > q
Ofcourse trusting a key obtained this way is another thing altogether,
and would probably depend on who signed it and such.
Jan
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/