Linus Torvalds wrote:
> On Sat, 10 Feb 2007, Theodore Tso wrote:
>> 3) The git-tag man page talks about GPG signing tags, but it doesn't
>>    talk about how a GPG-signed tag is validated.  Does this happen
>>    manually or automatically?
>
> Use "git verify-tag X" to see something like this:
>
>   [torvalds@woody linux]$ git-verify-tag v2.6.17
>   gpg: Signature made Sat 17 Jun 2006 06:49:59 PM PDT using DSA key ID 76E21CBB
>   gpg: Good signature from "Linus Torvalds (tag signing key) <torvalds@xxxxxxxx>"
>
> but you obviously need to have the public key in question available to
> you.

One of the solutions, used in the git.git repository, is to put the public
key as an out-of-tree blob using git-hash-object, then tag it using a signed
tag with instructions about how to extract the key in the tag message (tag
comment).

  $ git cat-file -p junio-gpg-pub
  object 0246401b5d117e01717149c413aa2f8702a83d4f
  type blob
  tag junio-gpg-pub
  tagger Junio C Hamano <junkio@xxxxxxx> Tue Dec 13 16:33:29 2005 -0800

  GPG key to sign git.git archive.

  This blob object contains the GPG public key I use to sign git.git
  archive.  To use it to verify tags I signed, do:

    $ git-cat-file blob junio-gpg-pub | gpg --import

  to import it into your keyring, and then

    $ git-verify-tag $tag_to_be_verified

--
Jakub Narebski
Warsaw, Poland
ShadeHawk on #git
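
A key read out of a repository is only as trustworthy as the copy of the repository it came from, so the two steps in the tag message are usually paired with a fingerprint check. The following is an added example, not part of the original message or of git.git: it imports the key blob into a throwaway keyring and verifies a tag only if the key's fingerprint equals one obtained through a separate channel. The function names and the expected-fingerprint argument are assumptions of this example.

```shell
# Added example; function names and arguments are hypothetical.

# Print the primary-key fingerprints found in `gpg --with-colons` output on
# stdin: the first "fpr" record after each "pub" record, field 10.
fingerprints_from_colons() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Strip whitespace and upper-case the hex digits, so a fingerprint compares
# equal however it was written down.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# fpr_matches EXPECTED FOUND
# Succeed only if FOUND holds exactly one fingerprint and it equals EXPECTED.
fpr_matches() {
    [ -n "$2" ] && [ $(printf '%s\n' "$2" | wc -l) -eq 1 ] &&
        [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# verify_tag_pinned KEY_TAG EXPECTED_FPR TAG
# Body runs in a subshell so the throwaway keyring is always removed.
verify_tag_pinned() (
    home=$(mktemp -d) || exit 1
    trap 'rm -rf "$home"' EXIT
    chmod 700 "$home"
    # Import the key blob into the empty keyring, not the user's own.
    git cat-file blob "$1" |
        gpg --homedir "$home" --batch --quiet --import || exit 1
    found=$(gpg --homedir "$home" --batch --with-colons --fingerprint |
            fingerprints_from_colons)
    if ! fpr_matches "$2" "$found"; then
        echo "key in $1 does not match the pinned fingerprint" >&2
        exit 1
    fi
    # git runs gpg, which picks the keyring up from GNUPGHOME.
    GNUPGHOME=$home git verify-tag "$3"
)
```

Because the throwaway keyring holds only the pinned key, a "Good signature" line from this function can only come from that key.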