Junio C Hamano venit, vidit, dixit 13.06.2014 19:06:
> Jeff King <peff@xxxxxxxx> writes:
>
>> I realize this isn't really your itch to scratch. It's just that when I
>> see a description like "verify a commit", I wonder what exactly "verify"
>> means.
>
> I think that is an important point. If a tool only verifies the
> signature of the commit when conceivably other aspects of it could
> also be verified but we cannot decide how or we decide we should not
> dictate one-way-fits-all, using a generic name "verify-commit" or
> "verify" without marking that it is currently only on the signature
> clearly somewhere might close the door to the future.
>
>     git verify <object>::
>         Verify whatever we currently deem is appropriate for the
>         given type of object.
>
>     git verify --gpg-signature::
>         Verify the GPG signature for a signed tag, a signed commit,
>         or a merge with signed tags.
>
>     git verify --commit-author <committish>::
>         Verify the GPG signer matches the "author " header of the
>         commit.
>
> and more, perhaps?
>

So what does that mean?

And what does it mean for verify-tag, which does nothing but check the
return code from gpg, just like the proposed verify-commit?

As pointed out, strict verification is a matter of policy, very much
like accepting certain ref updates etc. is. Do we want a signature
verification hook?

We currently don't have a scriptable commit signature verification in
the same way we have one for tag signatures. That's the gap that I
wanted to fill in in response to a blog post about commit signatures in
git. But it's not my itch, I don't use signatures.

Michael
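The distinction discussed in this thread (a good GnuPG result versus a signer that also matches the commit's "author " header), as an added example that is not part of the original mail or of git's code: it parses GnuPG status lines of the kind `git verify-commit --raw` prints and applies one possible policy. The function names, the policy itself and the sample data are constructed assumptions.

```python
import re

# Constructed sample: GnuPG status lines for one good signature (VALIDSIG abbreviated).
SAMPLE_STATUS = (
    "[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>\n"
    "[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2014-06-13 1402678000\n")
# Constructed sample: raw commit object (headers, blank line, message).
SAMPLE_COMMIT = (
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    "author Alice Example <alice@example.org> 1402678000 +0200\n"
    "committer Alice Example <alice@example.org> 1402678000 +0200\n"
    "\nConstructed commit message\n")

# Status keywords that mean the signature or its key is bad, expired or revoked.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
PREFIX = "[GNUPG:] "

def parse_status(status_text):
    """Return (keyword, args) pairs from '[GNUPG:] KEYWORD args' lines."""
    lines = [l[len(PREFIX):] for l in status_text.splitlines() if l.startswith(PREFIX)]
    return [tuple(l.partition(" ")[::2]) for l in lines]

def email_of(ident):
    """Extract the lower-cased address from 'Name <addr>', or None."""
    m = re.search(r"<([^<>]+)>", ident)
    return m.group(1).lower() if m else None

def author_email(commit_text):
    """Address from the 'author ' header; the message body is never read."""
    headers = commit_text.split("\n\n", 1)[0]
    for line in headers.split("\n"):
        if line.startswith("author "):
            return email_of(line)
    return None

def verify_commit_policy(status_text, commit_text, require_author_match=True):
    """Hypothetical policy: exactly one good signature, optionally by the author."""
    events = parse_status(status_text)
    keywords = {k for k, _ in events}
    if keywords & REJECT:
        return False, "rejected: " + ",".join(sorted(keywords & REJECT))
    good = [args for k, args in events if k == "GOODSIG"]
    if len(good) != 1 or "VALIDSIG" not in keywords:
        return False, "no single good signature"
    # GOODSIG's user ID is only what the key claims; also pin trusted fingerprints.
    signer = email_of(good[0])
    if require_author_match and (signer is None or signer != author_email(commit_text)):
        return False, "signer does not match author"
    return True, "ok"
```

With `require_author_match=False` the function reduces to the signature-only check, which is the behaviour the thread attributes to verify-tag and the proposed verify-commit.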