Hello all,

In considering implementing signing of commits I wanted to ask a couple of questions about how to approach the feature. My first thought after a little discussion on irc is to do something like the following

    ostree commit --gpg-sign=<key-id>

to sign the commit file. I was thinking I'd put the commit signature in a hash.sig next to the hash.commit. Then on the other side, something like this:

    ostree --repo=blah pull --require-signature

will when pulling look for .sig files for each .commit, and not stage the .commit into objects/ unless it verifies against the signature.

Does this make sense the way I've described it, any questions or suggestions?

thanks,
Jeremy
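The pull-side gate proposed in the message above, sketched as an added example; it is not part of the original post and not ostree code. The function name `stage_commit`, the temporary download directory, the flat `objects/` layout and the dedicated keyring file are assumptions made for illustration, and `gpgv` stands in for whatever verifier the feature ends up using.

```shell
#!/bin/sh
# Added example: fail-closed staging of a fetched commit object.
# Assumed (hypothetical) layout: the pull writes <hash>.commit and <hash>.sig
# into a temporary directory; only verified commits move into <repo>/objects/.

# stage_commit TMPDIR HASH REPO KEYRING
# Returns 0 and stages the commit only if the detached signature verifies
# against KEYRING. Every other outcome leaves objects/ untouched.
stage_commit() {
    tmpdir=$1
    hash=$2
    repo=$3
    keyring=$4   # pass a path containing a slash so gpgv uses this exact file
    commit="$tmpdir/$hash.commit"
    sig="$tmpdir/$hash.sig"

    [ -f "$commit" ] || { echo "no commit object for $hash" >&2; return 1; }

    # A missing or empty signature is a failure, not a reason to skip the check.
    [ -s "$sig" ] || { echo "no signature for $hash, refusing" >&2; return 1; }

    # gpgv checks against the given keyring only, so a key that merely sits
    # in the user's default keyring is not trusted for repository content.
    # If gpgv is missing or errors out, the commit is rejected as well.
    if ! gpgv --keyring "$keyring" "$sig" "$commit" >/dev/null 2>&1; then
        echo "signature check failed for $hash, refusing" >&2
        return 1
    fi

    # Stage the commit together with its signature so it can be re-checked.
    mkdir -p "$repo/objects" && mv "$commit" "$sig" "$repo/objects/"
}

# Stand-alone use: stage_commit.sh TMPDIR HASH REPO KEYRING
if [ "$#" -eq 4 ]; then
    stage_commit "$@"
fi
```

The point of the structure is that the absence of a `.sig` file and a failed verification take the same path: the `.commit` stays out of `objects/`.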