On Tue, Aug 19, 2014 at 03:06:24PM -0700, Junio C Hamano wrote:
> While signed tags and commits assert that the objects thusly signed
> came from you, who signed these objects, there is not a good way to
> assert that you wanted to have a particular object at the tip of a
> particular branch. My signing v2.0.1 tag only means I want to call
> the version v2.0.1, and it does not mean I want to push it out to my
> 'master' branch---it is likely that I only want it in 'maint'.
>
> Introduce a mechanism that allows you to sign a "push certificate"
> (for the lack of better name) every time you push, asserting that
> what object you are pushing to update which ref that used to point
> at what other object. Think of it as a cryptographic protection for
> ref updates, similar to signed tags/commits but working on an
> orthogonal axis.
>
> The basic flow based on this mechanism goes like this:
>
> 1. You push out your work with "git push -s".

You wrote "git push -s", but the command below only seems to understand
--signed, not -s. It should probably be consistent.

> diff --git a/builtin/push.c b/builtin/push.c
> index f50e3d5..ae56f73 100644
> --- a/builtin/push.c
> +++ b/builtin/push.c
> @@ -506,6 +506,7 @@ int cmd_push(int argc, const char **argv, const char *prefix)
> OPT_BIT(0, "no-verify", &flags, N_("bypass pre-push hook"), TRANSPORT_PUSH_NO_HOOK),
> OPT_BIT(0, "follow-tags", &flags, N_("push missing but relevant tags"),
> TRANSPORT_PUSH_FOLLOW_TAGS),
> + OPT_BIT(0, "signed", &flags, N_("GPG sign the push"), TRANSPORT_PUSH_CERT),
> OPT_END()
> };

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
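Review bot: the option table in this hunk registers the new flag as `OPT_BIT(0, "signed", ...)`, with the short-option slot set to 0, so `-s` as written in step 1 of the commit message will be rejected; either give the option a short name (`OPT_BIT('s', "signed", ...)`) if `-s` is the intended spelling, or change the message to say `git push --signed`. Two smaller points: this hunk only touches the option table, so please confirm that Documentation/git-push.txt gains a matching `--signed` entry elsewhere in the series, and the help string `N_("GPG sign the push")` would be clearer as something like "GPG sign the push certificate", since the certificate (the asserted ref-update list) is what actually gets signed, and that is the property a user is opting into.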