On Tue, Jan 29, 2008 at 04:10:00AM +0000, Shawn O. Pearce wrote:
> * PGP public key storage:
>
>   Use a "hidden" ref called "refs/access-keys" to store a commit.
>   The access control change log is a normal Git commit chain.
>
>   The tree under this commit stores a file per <email> string.
>   Public keys for auth line validation are located by <email>,
>   from the tip of this branch.
>
>   This branch could be a symlink to another repository (e.g.
>   a site-wide "admin" repository) and the ODB for that other
>   repository could be an alternate for this repository.

This won't work well, because I don't think GnuPG is able to check some
signature against an armored GPG public key (at least I didn't find a way
to do that). You have to create one pubring per submitter, which is kind
of a waste in fact, and the format is horribly binary.

I don't even know if you really need the versioning of this
pseudo-keyring, and if a .git/keyring.gpg isn't enough.

As a side note, you don't really need to use GIT_PUSH_*. It doesn't make
anything safer (as the UIDs of a given public key are public information
anyways), you just want to know which key signed that data, and the
signature holds that information. Hence if you still want to have a
flat-file based keyring (which I repeat I don't think gpg supports
directly -- and that's really a shame) you'd better index them per key
fingerprint than by author name.
And then you just need to call gpg this way:

  $ gpg --keyring path/to/the/keyring.gpg --quiet --batch --status-fd 1 --verify some-file.tar.gz.gpg 2>|/dev/null
  [GNUPG:] SIG_ID dw0VliO0DFjOQA3HUSHijYekQYY 2008-01-29 1201633002
  [GNUPG:] GOODSIG BC6AFB5BA1EE761C Pierre Habouzit <pierre.habouzit@xxxxxxxxxxxxxxxxx>
  [GNUPG:] VALIDSIG 72B4C59ADA78D70E055C129EBC6AFB5BA1EE761C 2008-01-29 1201633002 0 3 0 17 2 00 72B4C59ADA78D70E055C129EBC6AFB5BA1EE761C
  [GNUPG:] TRUST_ULTIMATE

And if the key is not in your keyring this looks like:

  $ GNUPGHOME=/tmp gpg --verify --status-fd 1 some-file.tar.gz.gpg 2>/dev/null
  [GNUPG:] ERRSIG BC6AFB5BA1EE761C 17 2 00 1201633002 9
  [GNUPG:] NO_PUBKEY BC6AFB5BA1EE761C
                     ^^^^^^^^^^^^^^^^ that's the key id you look for.

-- 
·O·  Pierre Habouzit
··O                                                madcoder@xxxxxxxxxx
OOO                                                http://www.madism.org
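The message above recommends taking the verification decision from the machine-readable `--status-fd` lines and keying on the key id / fingerprint rather than the user id. The following parser is an added example, not code from the thread or from git; the `[GNUPG:]` samples are constructed from the output quoted above, and the `verify_file` wrapper assumes a `gpg` binary on `PATH` (it adds `--no-default-keyring` so that only the flat-file keyring is consulted).

```python
"""Decide a signature check from gpg --status-fd output, keyed by key id."""
import subprocess
from dataclasses import dataclass
from typing import Optional

# Constructed samples, taken from the status lines quoted in the message.
GOOD_SAMPLE = """\
[GNUPG:] SIG_ID dw0VliO0DFjOQA3HUSHijYekQYY 2008-01-29 1201633002
[GNUPG:] GOODSIG BC6AFB5BA1EE761C Pierre Habouzit <pierre.habouzit@example.invalid>
[GNUPG:] VALIDSIG 72B4C59ADA78D70E055C129EBC6AFB5BA1EE761C 2008-01-29 1201633002 0 3 0 17 2 00 72B4C59ADA78D70E055C129EBC6AFB5BA1EE761C
[GNUPG:] TRUST_ULTIMATE
"""
NO_PUBKEY_SAMPLE = """\
[GNUPG:] ERRSIG BC6AFB5BA1EE761C 17 2 00 1201633002 9
[GNUPG:] NO_PUBKEY BC6AFB5BA1EE761C
"""

@dataclass
class SigResult:
    ok: bool                    # True only when GOODSIG and VALIDSIG both appear
    keyid: Optional[str]        # long key id from GOODSIG/ERRSIG/NO_PUBKEY
    fingerprint: Optional[str]  # primary key fingerprint from VALIDSIG
    reason: str                 # "valid", "no_pubkey", "badsig", ...

def parse_status(status_text: str) -> SigResult:
    keyid = fpr = None
    good = valid = False
    reason = "no_signature"
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                      # ignore anything that is not a status line
        fields = line.split()
        tag = fields[1]
        if tag == "GOODSIG":
            good, keyid = True, fields[2]  # key id, not the user id that follows it
        elif tag == "VALIDSIG":
            valid, fpr = True, fields[-1]  # last field is the primary key fingerprint
        elif tag in ("ERRSIG", "NO_PUBKEY"):
            keyid, reason = fields[2], "no_pubkey"
        elif tag in ("BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            keyid, reason = fields[2], tag.lower()
    if good and valid:
        reason = "valid"
    return SigResult(good and valid, keyid, fpr, reason)

def verify_file(sig_path: str, keyring: str) -> SigResult:
    # Same invocation as in the message, with the status lines read from stdout.
    proc = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", keyring, "--quiet",
         "--batch", "--status-fd", "1", "--verify", sig_path],
        capture_output=True, text=True, check=False)
    return parse_status(proc.stdout)
```

A NO_PUBKEY result carries the key id to look up in the per-fingerprint store; only a result with `ok` set should be trusted, since GOODSIG alone can be followed by an expiry or trust failure.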