On Mon, Nov 24, 2008 at 11:44:40AM +0100, Johannes Schindelin wrote:
> Hi,
>
> On Sun, 23 Nov 2008, Deskin Miller wrote:
>
> > When git fetch downloads signed tag objects, make it verify them right
> > then. This extends the output summary of fetch to include "(good
> > signature)" for valid tags and "(BAD SIGNATURE)" for invalid tags. If
> > the user does not have the correct key in the gpg keyring, gpg returns
> > 2, verify_tag_sha1 returns -2 and nothing additional is output about the
> > tag's validity.
>
> This must be turned off by default, IMO. You cannot expect each and every
> developer to have gpg _and_ all those public keys installed.

Adding a configuration variable to control this makes sense, and is on
my TODO list for v2 (core.autoVerifyTags?). However, I don't see a
compelling reason to make it off by default, as if gpg isn't found, or a
particular public key isn't in the keyring, the output is no different
from what fetch prints now.

Deskin Miller
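
The three outcomes discussed in this thread (good signature, bad signature, and no extra output when the key is missing), as an added shell example that is not part of the patch or of git itself. It assumes `git verify-tag --raw` and GnuPG status tokens rather than the `verify_tag_sha1` return codes the patch uses; `classify_status`, `annotate_tags` and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are hypothetical/constructed.

# Constructed GnuPG status output for the three cases in the thread.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Signer <signer@example.invalid>'
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Constructed Signer <signer@example.invalid>'
SAMPLE_NOKEY='[GNUPG:] ERRSIG 0123456789ABCDEF 1 2 00 1227523480 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF'

# Read GnuPG status lines on stdin and print the summary annotation.
# Prints nothing when no verdict exists (missing key, gpg not installed,
# unsigned tag), so the output then matches what fetch prints without
# verification. Other statuses (EXPKEYSIG, REVKEYSIG, ...) are left
# unannotated in this sketch.
classify_status() {
    verdict=""
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*)
                verdict="(BAD SIGNATURE)"
                break ;;                      # a bad signature always wins
            "[GNUPG:] GOODSIG "*)
                verdict="(good signature)" ;;
        esac
    done
    [ -n "$verdict" ] && printf '%s\n' "$verdict"
    return 0
}

# Annotate every annotated tag in the current repository, e.g. after
# `git fetch --tags`. `git verify-tag --raw` writes the GnuPG status
# lines to stderr, so stderr is piped and stdout is discarded.
annotate_tags() {
    git for-each-ref --format='%(refname:short) %(objecttype)' refs/tags |
    while read -r tag type; do
        [ "$type" = tag ] || continue         # lightweight tags carry no signature
        note=$(git verify-tag --raw "$tag" 2>&1 >/dev/null </dev/null |
               classify_status)
        printf '%s %s\n' "$tag" "$note"
    done
}
```

Run `annotate_tags` from inside a repository; a tag whose key is absent from the keyring is listed with no annotation.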