git.vger.kernel.org archive mirror
* [ANNOUNCE] git-sign, simple scripts to generate and verify securely signed Git checkouts
@ 2017-03-13 14:22 Christian Jaeger
From: Christian Jaeger @ 2017-03-13 14:22 UTC (permalink / raw)
  To: git

Hi

Mostly as a proof of concept, I've created two scripts to sign and
verify Git checkouts (I'm saying checkouts since it (both for
simplicity, and probably trust) is based on the working directory
contents, not the tree referred to by the signed commit). Like some
other such solutions, this adds secure hashes to the signed tag
message. There are two drawbacks and one advantage versus other
solutions:

- meant for small repositories only (each file in the repository takes
up a line in the tag message)
- relatively hacky, e.g. newlines in file names may be problematic,
doesn't currently use gpg's --status-fd or --with-colons, and doesn't
check git config
+ easily verifiable scripts, checking can even be done manually (hence
no need for casual users to (blindly) trust third party code)

https://github.com/pflanze/git-sign

Christian.
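A worked illustration of the scheme the announcement describes: one digest line per file, computed from the working directory contents, which would be placed in the signed tag message and checked again on the verifying side. This is an added example and not the git-sign scripts themselves; it assumes nothing about git-sign's actual manifest format. The backslash escaping of newlines in file names is one way of handling the case the post flags as problematic, and the `.git` directory skip is an assumption about what a checkout manifest should cover.

```python
import hashlib
import os
import tempfile

# Directories left out of the manifest (assumption: the tag should cover the
# checked-out files, not the repository metadata).
SKIP_DIRS = {".git"}


def _escape(path):
    # Keep each entry on exactly one line: escape backslashes and newlines so a
    # file name containing "\n" cannot split or forge a manifest line.
    return path.replace("\\", "\\\\").replace("\n", "\\n")


def _unescape(s):
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append("\n" if s[i + 1] == "n" else s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def file_digest(path):
    # SHA-256 over the file bytes, streamed so large files are not read at once.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    # Deterministic order: sorted walk, then sorted by relative path, so two
    # identical trees always yield byte-identical manifests.
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries.append((rel, file_digest(full)))
    entries.sort()
    return "".join(f"{digest}  {_escape(rel)}\n" for rel, digest in entries)


def parse_manifest(text):
    # "<hex digest>  <escaped path>" per line, the sha256sum-style layout.
    expected = {}
    for line in text.splitlines():
        digest, _, escaped = line.partition("  ")
        expected[_unescape(escaped)] = digest
    return expected


def verify_manifest(root, manifest):
    # Compare the signed list against a fresh walk; report every deviation,
    # including files that were added (they would otherwise escape the check).
    expected = parse_manifest(manifest)
    actual = parse_manifest(build_manifest(root))
    problems = []
    for rel in expected.keys() | actual.keys():
        if rel not in actual:
            problems.append("missing: " + rel)
        elif rel not in expected:
            problems.append("extra: " + rel)
        elif expected[rel] != actual[rel]:
            problems.append("modified: " + rel)
    return sorted(problems)


def demo():
    # Constructed sample checkout: two files, plus a .git directory that must
    # be ignored. Returns the manifest, the clean result, and the result after
    # tampering (one modified, one added, one removed file).
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        os.makedirs(os.path.join(root, ".git"))
        with open(os.path.join(root, "a.txt"), "w") as f:
            f.write("hello\n")
        with open(os.path.join(root, "sub", "b.txt"), "w") as f:
            f.write("world\n")
        with open(os.path.join(root, ".git", "HEAD"), "w") as f:
            f.write("ref: refs/heads/master\n")
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)
        with open(os.path.join(root, "a.txt"), "w") as f:
            f.write("HELLO\n")
        with open(os.path.join(root, "c.txt"), "w") as f:
            f.write("new\n")
        os.remove(os.path.join(root, "sub", "b.txt"))
        tampered = verify_manifest(root, manifest)
        return manifest, clean, tampered


if __name__ == "__main__":
    m, c, t = demo()
    print(m)
    print("clean:", c)
    print("tampered:", t)
```

In a real workflow the manifest text would be written to a file and used as the message of a signed tag (`git tag -s -F manifest.txt v1`); the verifier then extracts the message (`git cat-file -p v1`), checks the GPG signature, and runs the comparison above against the working directory. Because the list is plain text with one line per file, a reader can reproduce the digests by hand with `sha256sum`, which is the property the announcement values over trusting third-party code.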
