Changes between Version 2 and Version 3 of VerifyingSignatures


Ignore:
Timestamp:
Mar 14, 2011 6:20:22 PM (2 years ago)
Author:
joanna
Comment:

Remove incorrect git script for auto commit verification (it didn't ensure we verify the latest commit), plus some minor edits.

Legend:

Unmodified
Added
Removed
Modified

  • VerifyingSignatures

    v2 v3  
    9494== Verifying Qubes code == 
    9595 
    96 To verify signed git tag, you can use: 
     96Developers who fetch code from our Git server should always verify tags on the latest commit. Any commits that are not followed by a signed tag should not be trusted! 
     97 
     98To verify a signature on a git tag, you can use: 
    9799{{{ 
    98100$ git tag -v <tag name> 
    99101}}} 
    100  
    101 You can also set git alias to automatically pull latest tag and verify its signature: 
    102 {{{ 
    103 $ git config --global alias.vpull '!f() { tag=`git ls-remote $@ |tail -2 |head -1 |cut -d/ -f 3-`; git pull $@ tag $tag; git tag -v $tag; }; f' 
    104 }}} 
    105  
    106 then use: 
    107 {{{ 
    108 $ git vpull git://git.qubes-os.org/mainstream/core.git 
    109 Already up-to-date. 
    110 object 80826329a71c693fcd08544458b9d6219ca5b28c 
    111 type commit 
    112 tag v1.3.16-dom0 
    113 tagger Joanna Rutkowska <joanna@invisiblethingslab.com> 1290384222 +0100 
    114  
    115 v1.3.16-dom0 
    116 gpg: Signature made Mon 22 Nov 2010 01:03:50 CET using RSA key ID C37BB66B 
    117 gpg: Good signature from "Joanna Rutkowska (Qubes OS signing key) <joanna@invisiblethingslab.com>" 
    118 }}} 
    119