2013/2/14 Junio C Hamano <gitster@xxxxxxxxx>:
>
>  - The "right" one you mention for %GS is easier than you might
>    think.  If you just verify against the accompanying "tagger"
>    identity, that should be sufficient.  It of course cannot be
>    generally solved, as you could tag as person A while signing
>    with key for person B, but a simple social convention would
>    help us out there: if you tag as Mariusz Gronczewski, your
>    signature should also say so.

Unless there is someone else with the same name, which happens more
often (so far I've seen it happen twice) than same GPG IDs.

It's all fine if you just have one keyring that you can use to
validate against all repos, but when there are multiple projects, each
with different persons responsible for deploying, it can get messy ;].

My use-case is basically "allow only commits signed by person X, Y or Z
to be deployed on production" and "allow only persons A, B, C, X, Y, Z
to commit". While the latter case can be solved by software like
gitolite, credential validation is messy at best, as you have to
validate:

 - ssh key
 - if ssh key owner matches committer name
 - if committer name != author name, if a given person can do that
   (project architect or some other person accepting patches) or can't

and I'm trying to implement GPG signing so if someone does something
malicious I can say "OK, that commit was signed by your key ID, why did
you do it?"

--
Mariusz Gronczewski (XANi) <xani666@xxxxxxxxx>
GnuPG: 0xEA8ACE64
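
The key-based deploy check described in the message above, as an added example that is not part of the original thread: it authorizes a signature by key fingerprint from GnuPG's status output instead of by signer name, so a namesake with a different key is rejected. The function names, the per-project allowlist file and the sample fingerprints are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: authorize by key fingerprint, not name.
# Function names and the allowlist file are hypothetical.

# Read GnuPG status lines on stdin. Print the primary-key fingerprint only if
# the signature is good and the key is neither expired nor revoked.
valid_fingerprint() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # Field 12 is the primary-key fingerprint; fall back to field 3.
        $2 == "VALIDSIG" { fpr = (NF >= 12 ? $12 : $3) }
        END {
            if (good && !bad && fpr != "") { print fpr; exit 0 }
            exit 1
        }
    '
}

# $1 = allowlist file with one fingerprint per line; status lines on stdin.
signer_allowed() {
    fpr=$(valid_fingerprint) || return 1
    grep -qixF -- "$fpr" "$1"
}

# Hook usage: "git verify-commit --raw" writes the gpg status lines to stderr.
check_commit() {   # $1 = commit, $2 = allowlist file
    git verify-commit --raw "$1" 2>&1 >/dev/null | signer_allowed "$2"
}

# Constructed status output for demonstration; every value is made up.
sample_status() {   # $1 = fingerprint, $2 = status keyword (default GOODSIG)
    printf '[GNUPG:] %s %s Person X <x@example.com>\n' \
        "${2:-GOODSIG}" "$(printf '%s' "$1" | cut -c25-40)"
    printf '[GNUPG:] VALIDSIG %s 2013-02-14 1360800000 0 4 0 1 8 00 %s\n' \
        "$1" "$1"
}
```

Keeping one allowlist file per project avoids depending on a single shared keyring, and the signer name in the GOODSIG line is never consulted.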