| 1 |
Hi, |
| 2 |
|
| 3 |
On Sun, 13 Dec 2015 18:38:55 +0100 Patrick Lauer wrote: |
| 4 |
> On 12/13/2015 06:36 PM, Patrick Lauer wrote: |
| 5 |
> > So apparently we're signing things with gpg now |
| 6 |
> |
| 7 |
> And a related question: |
| 8 |
> |
| 9 |
> How would I actually verify the signatures in a meaningful way? |
| 10 |
|
| 11 |
git log --show-signature does this using GnuPG. |
| 12 |
|
| 13 |
Of course, in order to gpg to work one have to mark dev keys as |
| 14 |
trusted, they can be verified using ldap or several public |
| 15 |
keyservers. LDAP is more reliable, of course, but this method works |
| 16 |
only for devs (and probably some stuff members) having an access |
| 17 |
here. |
| 18 |
|
| 19 |
> ... and why is that not default then. |
| 20 |
|
| 21 |
|
| 22 |
Best regards, |
| 23 |
Andrew Savchenko |
Archives