I recently sent this to the gitorious list; I knocked up a working system for this, and it so far seems workable, and it is now topical.

Note that the design used by the proof of concept would not be suitable for the upcoming versions of git which do not allow pushing tags to branch refs - they would require calling the tags something like refs/tags/heads/master or some other suitable convention. Probably not even using refs/tags etc., to avoid races.

The key idea is to reject pushes if the PGP signature cannot be verified. Connect this to this data - http://www.rubin.ch/wotsap/ - and give everyone in the world with a working and well signed PGP key secure push access without them having to set anything up. Of course, you would also want to layer on top of this rules that would force unknown contributors into a "mob"-like namespace.

When heads are pushed, the signed tags that are moved from refs/heads/foo can be saved in an "archive" tag space, such as under refs/audit/KEYID/ - this will allow, in the case of a network of git servers, for servers to synchronise from each other, even when they don't trust each other.

The update hook first verifies the signature, and rejects the push if the signature is not accepted:

------8<------
#!/bin/sh
#
# An example hook script to require all pushes be signed
#

ref=$1
sha1_old=$2	# not used by this hook
sha1_new=$3

# Use a keyring kept inside the repository if there is one, so the set of
# accepted signers is part of the repository's own configuration.
if [ -d "$GIT_DIR/keyring" ]; then
    echo "pgp-git: using repository keyring" >&2
    GNUPGHOME=$GIT_DIR/keyring
    export GNUPGHOME
else
    echo "pgp-git: using default keyring" >&2
fi

set -e

case $ref in
    refs/tags/tmp/*)
        # the scratch namespace is for the hook's own use only
        echo "E:Even TRYING that lark makes me ANGRY!" >&2
        exit 38
        ;;
    refs/heads/*|refs/tags/*)
        # refs/heads/foo -> refs/tags/tmp/heads/foo, and the bare tag name
        # (tmp/heads/foo) that "git tag -v" expects
        audit=$(echo "$ref" | sed 's!refs/!refs/tags/tmp/!')
        tagname=$(echo "$audit" | sed 's!refs/tags/!!')
        git update-ref -m "update hook" "$audit" "$sha1_new"
        ;;
    *)
        echo "E:WHOA! Pushing to $ref?" >&2
        exit 1
        ;;
esac

# Verify the signature on the temporary tag; if it does not verify,
# remove the temporary tag again and reject the push.
if ! git tag -v "$tagname"; then
    git tag -d "$tagname"
    exit 1
fi
------8<------

And then, the post-update hook will move the tag into the designated place:

------8<------
#!/bin/sh
#
# An example hook script to prepare a packed repository for use over
# dumb transports.
#
# To enable this hook, make this file executable by "chmod +x post-update".

for ref
do
    case "$ref" in
        refs/heads/*)
            # a branch head that points at a tag object was pushed as a
            # signed tag; replace it with the commit the tag points to
            type=$(git cat-file -t "$ref")
            if [ "$type" = "tag" ]
            then
                echo "pgp-git: removing dummy tag" >&2
                git update-ref -m "post-update hook - remove dummy tag" \
                    "$ref" "$ref^{commit}"
            fi
            ;;
        *)
            ;;
    esac
done

git update-server-info
------8<------

This does force potential contributors to get PGP keys, and get them signed - but that seems to me to be a reasonable barrier to entry and may even help drive some PGP adoption.

Remember this is a proof of concept, so let's discuss the design first and not worry too much about the glaring bugs yet.

Sam.
-
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
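As an added example (not Sam's proof of concept and not anything shipped with git), here is the decision logic an update hook could call under the refs/tags/heads/<branch> convention the mail suggests for git versions that refuse tags on branch refs. It parses the `[GNUPG:]` status lines that `git verify-tag --raw` writes to stderr and checks not just that the signature is GOODSIG but that the signing key meets a minimum web-of-trust level: gpg exits 0 for a good signature from a key it does not trust, so the exit status of `git tag -v` on its own only proves that the key is in the keyring. Trusted signers land on refs/heads/<branch>, signers with a valid but untrusted key are routed to a mob namespace, and the refs/audit/KEYID/ archive ref is computed as the mail describes. The status lines, key ID and fingerprint are constructed samples, and the mob ref layout (refs/heads/mob/KEYID/<branch>) is an assumption.

```python
#!/usr/bin/env python3
"""Decision logic for a signed-push update hook (added example, not the
proof of concept from the mail).  Consumes the gpg status lines that
`git verify-tag --raw` prints to stderr.  The ref layout is an assumption:
  refs/tags/heads/<branch>           what the client pushes (a signed tag)
  refs/heads/<branch>                where a trusted signer's commit lands
  refs/heads/mob/<KEYID>/<branch>    where a valid but untrusted signer lands
  refs/audit/<KEYID>/heads/<branch>  archived copy of the signed tag
"""
import re
import subprocess
import sys

# gpg ownertrust levels in ascending order; TRUST_NEVER is handled separately.
TRUST_ORDER = ["TRUST_UNDEFINED", "TRUST_MARGINAL", "TRUST_FULLY", "TRUST_ULTIMATE"]
# Status keywords after which the signature must not be accepted.
BAD_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def parse_gpg_status(lines):
    """Reduce '[GNUPG:] ...' status lines to the fields the policy needs."""
    sig = {"good": False, "keyid": None, "fpr": None,
           "trust": "TRUST_UNDEFINED", "bad": None}
    for line in lines:
        if not line.startswith("[GNUPG:] "):
            continue                      # ordinary gpg output, not status
        fields = line.split()
        kw = fields[1] if len(fields) > 1 else ""
        if kw == "GOODSIG" and len(fields) > 2 and sig["bad"] is None:
            sig["good"] = True
            sig["keyid"] = fields[2]      # long key ID of the signing key
        elif kw in BAD_KEYWORDS:
            sig["bad"] = kw
            sig["good"] = False
        elif kw == "VALIDSIG" and len(fields) > 2:
            sig["fpr"] = fields[2]        # full fingerprint, for audit logs
        elif kw in TRUST_ORDER or kw == "TRUST_NEVER":
            sig["trust"] = kw
    return sig


def decide(ref, status_lines, min_trust="TRUST_FULLY"):
    """Return (action, target_ref, audit_ref); action is accept, mob or reject.

    git's receive-pack has already rejected malformed ref names before the
    update hook runs, so only the namespace policy is checked here.
    """
    sig = parse_gpg_status(status_lines)
    m = re.fullmatch(r"refs/tags/heads/([^/].*)", ref)
    if m is None or not sig["good"] or sig["bad"] is not None:
        return ("reject", None, None)
    branch = m.group(1)
    if branch.startswith("mob/"):
        return ("reject", None, None)     # nobody pushes straight into mob
    if sig["trust"] == "TRUST_NEVER":
        return ("reject", None, None)     # key explicitly distrusted
    keyid = sig["keyid"]
    audit = f"refs/audit/{keyid}/heads/{branch}"
    if TRUST_ORDER.index(sig["trust"]) >= TRUST_ORDER.index(min_trust):
        return ("accept", f"refs/heads/{branch}", audit)
    return ("mob", f"refs/heads/mob/{keyid}/{branch}", audit)


def verify_tag_status(tag, git_dir=None):
    """Run `git verify-tag --raw` on a tag name or object id; return status lines."""
    cmd = ["git"] + (["--git-dir", git_dir] if git_dir else [])
    cmd += ["verify-tag", "--raw", tag]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stderr.splitlines()


# Constructed sample status output (key ID, fingerprint and dates are made up).
SAMPLE_KEYID = "89ABCDEF01234567"
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
_UID = "Alice Example <alice@example.com>"
_VALIDSIG = f"[GNUPG:] VALIDSIG {SAMPLE_FPR} 2007-04-26 1177545600 0 4 0 1 2 00 {SAMPLE_FPR}"
GOOD_FULL = ["[GNUPG:] NEWSIG", f"[GNUPG:] GOODSIG {SAMPLE_KEYID} {_UID}",
             _VALIDSIG, "[GNUPG:] TRUST_FULLY 0 pgp"]
GOOD_UNTRUSTED = ["[GNUPG:] NEWSIG", f"[GNUPG:] GOODSIG {SAMPLE_KEYID} {_UID}",
                  _VALIDSIG, "[GNUPG:] TRUST_UNDEFINED 0 pgp"]
BAD_SIG = ["[GNUPG:] NEWSIG", f"[GNUPG:] BADSIG {SAMPLE_KEYID} {_UID}"]
NO_KEY = ["[GNUPG:] NEWSIG", f"[GNUPG:] ERRSIG {SAMPLE_KEYID} 1 2 00 1177545600 9",
          f"[GNUPG:] NO_PUBKEY {SAMPLE_KEYID}"]

if __name__ == "__main__":
    # update hook arguments: <ref> <old-sha1> <new-sha1>
    ref, _old, new = sys.argv[1:4]
    action, target, audit = decide(ref, verify_tag_status(new))
    if action == "reject":
        sys.exit(1)
    # The shell hook then creates `audit` and fast-forwards `target` to
    # "<new>^{commit}", as the post-update hook in the mail does.
    print(action, target, audit)
```

Run as the update hook's helper it prints the target and audit refs for the caller to create; the minimum trust level is a parameter because a repository that pins a keyring under `$GIT_DIR/keyring` may prefer TRUST_ULTIMATE, while one relying on the public web of trust would want marginal-or-better signers in the mob namespace and full-or-better signers on the real branches.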