| 1 |
On Mon, Aug 10, 2015, at 22:56 CDT, Kent Fredric <kentfredric@×××××.com> wrote: |
| 2 |
|
| 3 |
> So how is GPG verifying "The whole repository" ? |
| 4 |
|
| 5 |
You can verify the state of the repository via |
| 6 |
$ git fsck |
| 7 |
|
| 8 |
after that you can verify that the current HEAD is tagged with a valid |
| 9 |
and singed tag with something like |
| 10 |
|
| 11 |
$ git tag -v `git describe HEAD` |
| 12 |
|
| 13 |
This verifies the integrity of the whole history up to HEAD - at least |
| 14 |
if you consider sha1 to be cryptographically |
| 15 |
|
| 16 |
Best, |
| 17 |
Matthias |
| 18 |
|
| 19 |
|
| 20 |
PS.: I think I was mistaken with respect to individually signed |
| 21 |
commits - the verification seems to be stricter than I thought. |
Archives