On Mon, May 11, 2009 at 8:53 AM, Nguyen Thai Ngoc Duy <pclouds@xxxxxxxxx> wrote:
> On Sat, May 9, 2009 at 5:03 AM, Robin H. Johnson <robbat2@xxxxxxxxxx> wrote:
>>> How about signing the tree SHA-1 and putting the signature in commit
>>> message? It's like gpg way of saying Signed-off-by. If the committer
>>> wants to sign again before pushing out, he could amend the commit,
>>> append his signature there; or make a no-change commit to contain his
>>> signature (probably from git-commit-tree because iirc git-commit won't
>>> let you make no-change commit)
>> Hmm, I like the sound of that, but I'm concerned it might be difficult
>> to enforce. If rewrite-history ever happens, it's also invalidated.
>
> Well if you rewrite and touch the trees, then every signature should
> be invalidated anyway. If you only touch commit message, it should
> remain valid because I only sign trees.

I went ahead and made two scripts git-gpg-sign and git-gpg-verify to see
if it works. Things that are signed in these scripts:
- tree
- parents
- any other gpg signature

You probably don't want to sign the same commit too many times because
the signature will get huge.
--
Duy
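An added sketch of the scheme described in the mail (not Duy's attached scripts): the payload that gets signed is the tree line, the parent lines and every signature block already present in the message, and the new armored block is appended to HEAD's message. It assumes git and gpg on PATH and the function names are my own.

```shell
# Added example, not the scripts from the mail. Signature covers tree,
# parents and all earlier signature blocks; the block is stored in the
# commit message of HEAD. Assumes git and gpg are installed.

# Print what gets signed, reading a raw commit (`git cat-file commit`) on
# stdin: tree, parents, then the first $1 signature blocks (all if omitted).
signed_payload() {
    awk -v max="${1:--1}" '
        !body && /^tree /   { print; next }
        !body && /^parent / { print; next }
        !body && /^$/       { body = 1; next }
        body && /^-----BEGIN PGP SIGNATURE-----$/ { n++; insig = (max < 0 || n <= max) }
        body && insig { print }
        body && /^-----END PGP SIGNATURE-----$/ { insig = 0 }
    '
}

# Number of signature blocks in the message (grows with every re-signing).
signature_count() {
    awk '/^-----BEGIN PGP SIGNATURE-----$/ { n++ } END { print n + 0 }'
}

# Print signature block number $1 only.
nth_signature() {
    awk -v want="$1" '
        /^-----BEGIN PGP SIGNATURE-----$/ { n++ }
        n == want { print }
        /^-----END PGP SIGNATURE-----$/ && n == want { exit }
    '
}

# git-gpg-sign: sign HEAD's payload and append the block to its message.
git_gpg_sign() {
    raw=$(git cat-file commit HEAD)
    sig=$(printf '%s\n' "$raw" | signed_payload | gpg --armor --detach-sign) || return 1
    msg=$(git log -1 --format=%B HEAD)
    printf '%s\n\n%s\n' "$msg" "$sig" | git commit --amend --allow-empty -F -
}

# git-gpg-verify: newest block must sign tree, parents and all earlier blocks.
git_gpg_verify() {
    raw=$(git cat-file commit HEAD)
    n=$(printf '%s\n' "$raw" | signature_count)
    [ "$n" -gt 0 ] || { echo "no signature found" >&2; return 1; }
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$raw" | nth_signature "$n" > "$tmp/sig.asc"
    printf '%s\n' "$raw" | signed_payload "$((n - 1))" > "$tmp/payload"
    gpg --verify "$tmp/sig.asc" "$tmp/payload"; rc=$?
    rm -rf "$tmp"; return "$rc"
}
```

Because the amend only rewrites the message, tree and parents stay the same and every earlier signature still verifies against its own payload; a history rewrite that changes the tree breaks them all, as the mail expects.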