[tbb-dev] A proposal for signing commits with gpg

Santiago Torres-Arias santiago at archlinux.org
Tue Apr 28 17:33:47 UTC 2020


> We also do something similar to pacman when verifying git tag
> signatures:
> https://gitweb.torproject.org/builders/rbm.git/commit/?id=e04f03f9626e993bb66d7784d258f95ca07bc769
> 

Cool!

> However for the cases where we don't use a tag (in nightly builds), it
> sounds like push certificates could be useful to check that the commit
> we are using was intended for the branch we use. Is it something that
> we can do with push certificates?

Yes, definitely! I can sketch something out to stir discussion. Would
that be desirable? :)

Cheers!
-Santiago
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tbb-dev/attachments/20200428/d36a2851/attachment.sig>


More information about the tbb-dev mailing list