Thanks, Junio, for the tutorial! I had tried to look up the key, but failed to put the '0x' at the head. I was actually verifying the signature on a tarball release. Just curious, how do I know the key in the database really belongs to you? It has your name and email, but what's to keep an impostor from creating a key with your name on it and posting it to the database? I guess all the signatories on your key are others vouching for your key? Thanks again for the reply. Oh, and thanks for git!

Cheers,
Jamie

> On Dec 8, 2015, at 5:49 PM, Junio C Hamano <gitster@xxxxxxxxx> wrote:
>
> Jamie Evans <jamie@xxxxxxxxxxxxxx> writes:
>
>> Can you please point me to the public GPG keys used for source code signing?
>
> I suspect that you are asking about our project, but instead of
> throwing you a fish, I'll show you how to catch one yourself.
>
> In a copy of linux kernel repository I have lying around from a
> random past, I did this:
>
>     $ git log --show-signature
>
> and saw something like this:
>
>     commit c6fa8e6de3dc420cba092bf155b2ed25bcd537f7
>     merged tag 'arm64-fixes'
>     gpg: Signature made Wed 07 Oct 2015 03:10:34 AM PDT using RSA key ID 84C16334
>     gpg: Can't check signature: public key not found
>     Merge: e82fa92 62c6c61
>     Author: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
>     Date:   Wed Oct 7 18:17:46 2015 +0100
>
>         Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/li...
>
> I do not have the public key with key ID 84C16334, but I can ask
> public keyservers. Put 0x84C16334 in "Search String" in pgp.mit.edu
> and click "Do the search!"--it would result in the key that was used
> to sign the merge request that resulted in this merge.
>
> I also can do this:
>
>     $ git tag -v v3.0
>
> and I would see something like:
>
>     object 02f8c6aee8df3cdc935e9bdd4f2d020306035dbe
>     type commit
>     tag v3.0
>     tagger Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> 1311301049 -0700
>
>     Linux 3.0
>
>     w00t!
>     gpg: Signature made Thu 21 Jul 2011 07:17:44 PM PDT using DSA key ID 76E21CBB
>     gpg: Good signature from "Linus Torvalds (tag signing key) <torvalds@xxxxxxxx>"
>     ...
>
> to find that Linus's tag signing key has ID 0x76E21CBB (I do have
> his key in my keyring, so this does not say "Can't check").
>
> Perhaps you can do the same to whatever project you are interested
> in. For example, here is a starting point to do the same for our
> recent v2.6.4 tag:
>
>     $ git tag -v v2.6.4
>     gpg: Signature made Tue 08 Dec 2015 02:12:50 PM PST using RSA key ID 96AFE6CB
>     gpg: Can't check signature: public key not found
>     error: could not verify the tag 'v2.6.4'
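Two outcomes from the exchange above are exactly what a release-verification script has to handle: the "Can't check signature: public key not found" case, and Jamie's question of whether a key that merely carries the right name and e-mail is actually the maintainer's. A "Good signature" line only says the signature checks out against some key in your keyring; it says nothing about who controls that key. The script below is an added example, not code from the git project or from either poster. It parses the machine-readable gpg status lines that `git verify-tag --raw` (or `git verify-commit --raw`) emits and accepts a signature only when it is good and made by a primary key whose full 40-hex-digit fingerprint was pinned from an out-of-band source (the project's website, a key-signing, a previous verified release). Every fingerprint, key ID, name and status blob in it is a constructed placeholder, and the `TRUSTED_SIGNERS` table and function names are this example's own.

```python
"""Trust decision for git tag/commit signatures from gpg status-fd lines.

Added example (not the git project's own code). Input is the output of
`git verify-tag --raw <tag>` / `git verify-commit --raw <commit>`, i.e. gpg's
"[GNUPG:] ..." status lines. All key material below is constructed.
"""
from typing import Dict, List, Tuple

# Pinned signers: FULL primary-key fingerprints obtained out of band.
# Placeholder values; a real table holds the maintainer's published fingerprint.
TRUSTED_SIGNERS: Dict[str, str] = {
    "0123456789ABCDEF0123456789ABCDEFCAFEF00D": "Example Maintainer <maint@example.org>",
}

# Status words after which the signature must never be accepted.
REJECT_WORDS = ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG")


def short_key_id(fingerprint: str) -> str:
    """The 8-hex-digit key ID gpg prints (and keyservers search by) is only the
    low 32 bits of the fingerprint. Distinct keys can share it, so it is a
    lookup handle, not an identity; never pin on it."""
    return fingerprint[-8:].upper()


def parse_status(raw: str) -> Dict[str, List[List[str]]]:
    """Group '[GNUPG:] WORD args...' lines by status word (a word may repeat)."""
    prefix = "[GNUPG:] "
    seen: Dict[str, List[List[str]]] = {}
    for line in raw.splitlines():
        if not line.startswith(prefix):
            continue                     # human-readable gpg/git chatter, ignore
        parts = line[len(prefix):].split()
        if parts:
            seen.setdefault(parts[0], []).append(parts[1:])
    return seen


def primary_fingerprint(validsig_args: List[str]) -> str:
    """VALIDSIG args: <sig-key fpr> <date> <ts> <expire> <ver> <reserved>
    <pk-algo> <hash-algo> <class> [<primary-key fpr>].
    Signatures are usually made by a subkey; the optional tenth field is the
    primary key, which is what gets pinned and published."""
    fpr = validsig_args[9] if len(validsig_args) >= 10 else validsig_args[0]
    return fpr.upper()


def verify(raw: str, trusted: Dict[str, str] = TRUSTED_SIGNERS) -> Tuple[bool, str]:
    """Return (accepted, reason). Accept only GOODSIG + VALIDSIG from a pinned key."""
    st = parse_status(raw)
    if "NO_PUBKEY" in st:
        keyid = st["NO_PUBKEY"][0][0]
        return False, (f"public key {keyid} not in keyring; import it and compare "
                       f"its full fingerprint against an out-of-band source")
    for word in REJECT_WORDS:
        if word in st:
            return False, f"{word}: signature rejected"
    if "GOODSIG" not in st or "VALIDSIG" not in st:
        return False, "no good signature present"
    fpr = primary_fingerprint(st["VALIDSIG"][0])
    if fpr in trusted:
        return True, f"good signature from pinned key {fpr} ({trusted[fpr]})"
    return False, (f"good signature, but key {fpr} is not pinned "
                   f"(short ID {short_key_id(fpr)} proves nothing about the owner)")


# --- Constructed sample status output (shape of `git verify-tag --raw`) ---
SIG_OK = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7777888899990000 Example Maintainer <maint@example.org>
[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2015-12-08 1449612770 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEFCAFEF00D
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Mirrors "Can't check signature: public key not found" in status form.
SIG_NO_PUBKEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 7777888899990000 1 8 00 1449612770 9
[GNUPG:] NO_PUBKEY 7777888899990000
"""

# An impostor key with the right name AND the same 8-hex key ID (CAFEF00D),
# but a different full fingerprint. gpg happily says GOODSIG if it is in the keyring.
SIG_LOOKALIKE = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FFFFFFFFCAFEF00D Example Maintainer <maint@example.org>
[GNUPG:] VALIDSIG FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCAFEF00D 2015-12-08 1449612770 0 4 0 1 8 00 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCAFEF00D
[GNUPG:] TRUST_FULLY 0 pgp
"""

if __name__ == "__main__":
    for name, blob in (("pinned", SIG_OK), ("missing key", SIG_NO_PUBKEY),
                       ("lookalike", SIG_LOOKALIKE)):
        ok, why = verify(blob)
        print(f"{name:12s} accepted={ok}  {why}")
```

To use it on a real tag, feed `verify()` the combined output of `git verify-tag --raw v2.6.4 2>&1` (git passes gpg's status output through stderr). Note that the lookalike sample carries `TRUST_FULLY` and the genuine one `TRUST_UNDEFINED`: the decision deliberately ignores gpg's web-of-trust verdict, which reflects whatever signatures happen to sit on the key, and rests on the pinned fingerprint alone. A keyserver search for `0xCAFEF00D` would have returned both keys.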