On Mon, Aug 10, 2015, at 22:56 CDT, Kent Fredric <kentfredric@×××××.com> wrote:

> So how is GPG verifying "The whole repository" ?

You can verify the state of the repository via
$ git fsck

after that you can verify that the current HEAD is tagged with a valid
and signed tag with something like

$ git tag -v `git describe HEAD`

This verifies the integrity of the whole history up to HEAD - at least
if you consider sha1 to be cryptographically

Best,
Matthias


PS.: I think I was mistaken with respect to individually signed
commits - the verification seems to be stricter than I thought.
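
The two checks from the message above combined into one shell function, as an added example that is not part of the original mail. The names `verify_head` and `make_demo_repo` are made up here, and `git describe --exact-match` is used so that a HEAD sitting past the last tag is reported as untagged instead of surfacing as a failed tag lookup.

```shell
#!/bin/sh
# Added example, not from the original message.
# verify_head [REPO]: succeed only if the object store passes fsck and HEAD
# is exactly the commit named by a tag whose signature verifies.
# Exit status: 0 ok, 1 fsck failed, 2 HEAD not on a tag, 3 bad/missing signature.
verify_head() {
    repo=${1:-.}

    # 1. Object integrity and connectivity of everything reachable.
    if ! git -C "$repo" fsck --no-dangling >/dev/null 2>&1; then
        echo "verify_head: git fsck reported errors" >&2
        return 1
    fi

    # 2. HEAD must be exactly at an annotated tag. Plain `git describe HEAD`
    #    would print something like v1.0-3-gabc1234 when HEAD is ahead of it.
    if ! tag=$(git -C "$repo" describe --exact-match HEAD 2>/dev/null); then
        echo "verify_head: HEAD is not at an annotated tag" >&2
        return 2
    fi

    # 3. Signature on the tag object. A good signature from any key in the
    #    verifier's keyring passes, so the keyring decides who is accepted.
    if ! git -C "$repo" tag -v "$tag" >/dev/null 2>&1; then
        echo "verify_head: tag $tag has no valid signature" >&2
        return 3
    fi

    echo "$tag"
}

# make_demo_repo: constructed sample input (hypothetical helper). Creates a
# throwaway repository with one empty commit and no tags, prints its path.
make_demo_repo() {
    d=$(mktemp -d) || return 1
    git init -q "$d" &&
    git -C "$d" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false commit -q --allow-empty -m init &&
    echo "$d"
}
```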