Re: signing commits



On Thu, 2013-08-29 at 13:31 -0600, Jeremy Whiting wrote:

> I think adding gpg signing of the commit itself inside ostree (but as a
> separate file) makes more sense than adding an --exec argument. My plan is to
> add it as an optional dependency on libgpgme and have it create a detached
> signature so we'll have hash.commit and hash.sig next to each other (and
> incidentally hash.sizes soon also from what I saw in vivek's branch).

That's fine.  The hard part to figure out is what configuration knobs
need to be available on the client.  

Basically what Sjoerd said; I think we need to ship a trusted
keyring.  /etc/pki/ostree-gpg/keyring ?

rpm has the model where it prompts you to import them, but...that's
crazy ;)
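
The check discussed in this message, as an added example that is not part of the original thread or of ostree: a detached signature (`hash.sig`) over a commit object (`hash.commit`) is accepted only if it was made by a key in one fixed keyring. It uses the `gpgv` command-line tool rather than libgpgme, and `verify_commit_sig` and `demo` are hypothetical helper names; all data in `demo` is constructed.

```sh
#!/bin/sh
# Added example. verify_commit_sig and demo are hypothetical helpers, not
# ostree commands; hash.commit / hash.sig follow the naming in the thread.

# verify_commit_sig KEYRING COMMIT SIG
# Returns 0 only if SIG is a valid detached signature over COMMIT made by a
# key in KEYRING. KEYRING must be a path containing a slash, otherwise gpgv
# resolves it relative to its home directory.
verify_commit_sig() {
    # Fail closed: a missing keyring, object or signature is an error.
    [ -r "$1" ] && [ -r "$2" ] && [ -r "$3" ] || return 2
    # gpgv checks against the keyring it is given and treats every key in
    # that file as trusted; it does not check key expiry or revocation.
    gpgv --quiet --keyring "$1" "$3" "$2" >/dev/null 2>&1
}

# demo: constructed data only. Creates a throwaway key, signs a fake commit
# object, then confirms the good pair verifies while a modified object and an
# empty keyring are both rejected. Runs in a subshell so GNUPGHOME stays local.
demo() (
    tmp=$(mktemp -d) || exit 1
    GNUPGHOME=$tmp/signer; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || exit 1
    printf 'constructed commit object\n' > "$tmp/hash.commit"
    sed 's/constructed/tampered/' "$tmp/hash.commit" > "$tmp/bad.commit"
    : > "$tmp/empty-keyring"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Signer <signer@example.invalid>' \
        default default never 2>/dev/null || exit 1
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --output "$tmp/hash.sig" --detach-sign "$tmp/hash.commit" || exit 1
    # Stands in for the keyring a distribution would ship.
    gpg --batch --quiet --export > "$tmp/keyring" || exit 1
    result=0
    verify_commit_sig "$tmp/keyring" "$tmp/hash.commit" "$tmp/hash.sig" || result=1
    verify_commit_sig "$tmp/keyring" "$tmp/bad.commit" "$tmp/hash.sig" && result=1
    verify_commit_sig "$tmp/empty-keyring" "$tmp/hash.commit" "$tmp/hash.sig" && result=1
    gpgconf --kill gpg-agent >/dev/null 2>&1
    rm -rf "$tmp"
    exit "$result"
)
```

On a client the keyring argument would be the shipped file, such as the `/etc/pki/ostree-gpg/keyring` path floated above.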




