It struck me a while back when I fetched a new tagged release from git.git that if I wanted to verify the tag's signature, I'd have to issue another command to do so. Shouldn't git be able to do that for me automatically, when it fetches signed tags? Now it does.

Also, 'git remote update' gets this for free.

Individual commit messages explain things reasonably well, I hope; here are a few points for discussion:

-Is refactoring builtin-verify-tag.c the right thing to do?
-Now that the SIGPIPE ignoring is occurring at a lower level, should it be removed from cmd_verify_tag?
-Output format: good, bad, ugly?
-What to do if a tag is found to have a bad signature?

Deskin Miller (4):
  Refactor builtin-verify-tag.c
  verify-tag.c: ignore SIGPIPE around gpg invocation
  verify-tag.c: suppress gpg output if asked
  Make git fetch verify signed tags

 Makefile             |  2 +
 builtin-fetch.c      | 25 +++++++++++---
 builtin-verify-tag.c | 61 ++---------------------------------
 t/t7004-tag.sh       | 37 ++++++++++++++++++++++
 verify-tag.c         | 84 ++++++++++++++++++++++++++++++++++++++++++++++++++
 verify-tag.h         | 10 ++++++
 6 files changed, 155 insertions(+), 64 deletions(-)
 create mode 100644 verify-tag.c
 create mode 100644 verify-tag.h