On Wed, Aug 01, 2018 at 12:19:42AM +0000, brian m. carlson wrote:
> On Tue, Jul 31, 2018 at 10:05:22PM +0200, Vojtech Myslivec wrote:
> > Hello,
> >
> > My colleague and I are struggling with automation of verifying git
> > repositories, and we have encountered that git verify-commit and
> > verify-tag accept untrusted signatures and exit successfully.
>
> I don't have strong feelings on your change one way or the other, but
> for automation it may be useful to use the --raw flag, which gives you
> the raw gpg output and much greater control. For example, you can
> require that a subkey is or is not used, or require certain algorithms.
>
> I will say that most signatures are untrusted in my experience, so
> unless people are using TOFU mode or making local signatures, git will
> exit nonzero for most signatures. I think the current status is to exit
> on a good signature, even if it isn't necessarily a valid signature.
>
> I'm interested to hear others' thoughts on this.

I'd find it odd that we deviate from the gpg behavior, which returns 0
when verifying an untrusted signature.

Tooling around gpg is generally difficult for this reason, but using the
raw output should be enough to discard signatures with untrusted keys.

Another alternative is to use a keyring with trusted keys *only* and
disable fetching keys from hkp servers. This way signature verification
should fail.

Thanks,
-Santiago.

> --
> brian m. carlson: Houston, Texas, US
> OpenPGP: https://keybase.io/bk2204
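The two approaches discussed in this thread, parsing the `--raw` gpg status output (Brian's suggestion: require a minimum trust level, require or forbid subkeys, restrict algorithms) and trusting only a fixed set of keys (Santiago's trusted-only keyring, done here as a fingerprint allow-list in the consumer), as a worked example. This is added illustration code, not git's or gpg's own; it only parses text. The `[GNUPG:]` status keywords, the `VALIDSIG` field order and the RFC 4880 algorithm numbers are gpg's; the sample status output and the fingerprints in it are constructed, not captured from a real key. `git verify-commit --raw <commit>` (and `git verify-tag --raw`) writes these status lines to standard error, so a caller feeds that stream into `check_signature`.

```python
"""Policy check over the gpg --status-fd lines that `git verify-commit --raw`
and `git verify-tag --raw` print on stderr.

Added illustration, not git's or gpg's own code. Keywords, VALIDSIG field
order and algorithm numbers are gpg's; all sample data below is constructed."""
from dataclasses import dataclass
from typing import Optional, Sequence

# RFC 4880 algorithm numbers as gpg reports them in the VALIDSIG record
PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
# gpg's validity verdict on the signing key, ranked so a policy can set a floor
TRUST_RANK = {"TRUST_UNDEFINED": 0, "TRUST_NEVER": 0, "TRUST_MARGINAL": 1,
              "TRUST_FULLY": 2, "TRUST_ULTIMATE": 3}
# status keywords that reject the signature whatever else gpg printed
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


@dataclass
class Verdict:
    ok: bool
    reason: str
    primary_fpr: Optional[str] = None
    trust: Optional[str] = None
    pubkey_algo: Optional[str] = None
    hash_algo: Optional[str] = None
    used_subkey: Optional[bool] = None


def check_signature(status_text: str,
                    trusted_primary_fprs: Optional[Sequence[str]] = None,
                    min_trust: str = "TRUST_FULLY",
                    allowed_pubkey_algos: Sequence[str] = ("RSA", "EdDSA"),
                    allowed_hash_algos: Sequence[str] = ("SHA256", "SHA384", "SHA512"),
                    allow_subkey: bool = True) -> Verdict:
    """Accept only a GOODSIG whose key is either on the fingerprint allow-list or
    rated at least `min_trust` by gpg, and whose algorithms and subkey use match policy."""
    signatures = 0
    goodsig = False
    validsig = None
    trust = None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue  # human-readable gpg lines may be interleaved; ignore them
        kw = parts[1]
        if kw == "NEWSIG":
            signatures += 1
        elif kw in FATAL:
            return Verdict(False, kw)
        elif kw == "GOODSIG":
            goodsig = True
        elif kw == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <reserved> <pk-algo> <hash-algo> <class> <primary-fpr>
            validsig = parts[2:]
        elif kw in TRUST_RANK:
            trust = kw

    if signatures != 1:
        return Verdict(False, "expected exactly one signature, saw %d" % signatures)
    if not goodsig or validsig is None or len(validsig) < 10:
        return Verdict(False, "no GOODSIG/VALIDSIG pair")

    signing_fpr, primary_fpr = validsig[0], validsig[9]
    v = Verdict(False, "", primary_fpr=primary_fpr, trust=trust,
                pubkey_algo=PUBKEY_ALGOS.get(int(validsig[6]), "unknown"),
                hash_algo=HASH_ALGOS.get(int(validsig[7]), "unknown"),
                used_subkey=(signing_fpr != primary_fpr))

    # Trust: an explicit allow-list of primary-key fingerprints (the trusted-only
    # keyring idea, enforced by the consumer) or gpg's own validity above the floor.
    if trusted_primary_fprs is not None:
        if primary_fpr.upper() not in {f.upper() for f in trusted_primary_fprs}:
            v.reason = "primary key not in allow-list"
            return v
    elif trust is None or TRUST_RANK[trust] < TRUST_RANK[min_trust]:
        v.reason = "key validity %s below %s" % (trust, min_trust)
        return v
    if v.pubkey_algo not in allowed_pubkey_algos:
        v.reason = "public-key algorithm %s not allowed" % v.pubkey_algo
        return v
    if v.hash_algo not in allowed_hash_algos:
        v.reason = "hash algorithm %s not allowed" % v.hash_algo
        return v
    if v.used_subkey and not allow_subkey:
        v.reason = "signed with a subkey"
        return v
    v.ok, v.reason = True, "accepted"
    return v


# Constructed fingerprints (not real keys) used to build sample status output.
PRIMARY = "A" * 40
SUBKEY = "B" * 40


def sample_status(trust="TRUST_UNDEFINED", pk_algo=1, hash_algo=8,
                  signing_fpr=PRIMARY, primary_fpr=PRIMARY) -> str:
    """Constructed --raw output for one signature, in the shape gpg prints."""
    return "\n".join([
        "[GNUPG:] NEWSIG",
        "[GNUPG:] KEY_CONSIDERED %s 0" % primary_fpr,
        "[GNUPG:] GOODSIG %s Example Signer <signer@example.com>" % signing_fpr[-16:],
        'gpg: Good signature from "Example Signer <signer@example.com>"',
        "[GNUPG:] VALIDSIG %s 2018-08-01 1533081582 0 4 0 %d %d 01 %s"
        % (signing_fpr, pk_algo, hash_algo, primary_fpr),
        "[GNUPG:] %s 0 pgp" % trust,
    ])


BADSIG_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG %s Example Signer <signer@example.com>" % PRIMARY[-16:]

if __name__ == "__main__":
    # The case the thread is about: a good signature from a key gpg does not trust.
    print(check_signature(sample_status("TRUST_UNDEFINED")))
    print(check_signature(sample_status("TRUST_UNDEFINED"), trusted_primary_fprs=[PRIMARY]))
    print(check_signature(sample_status("TRUST_FULLY", pk_algo=22, hash_algo=10, signing_fpr=SUBKEY)))
```

The allow-list branch deliberately ignores gpg's `TRUST_*` verdict: it mirrors a keyring that contains only keys you have already decided to trust, so the only remaining questions are whether the signature verifies and whether the key is on the list. If hkp auto-retrieval is enabled, a key missing from the keyring can be fetched and produce `GOODSIG` plus `TRUST_UNDEFINED`, which the allow-list branch still rejects. The `len(validsig) < 10` guard matters because the primary-key fingerprint is the last `VALIDSIG` field; without it a subkey signature could not be told from a primary-key one.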