[tbb-dev] A proposal for signing commits with gpg

Nicolas Vigier boklm at mars-attacks.org
Tue Apr 28 18:10:41 UTC 2020


On Tue, 28 Apr 2020, Santiago Torres-Arias wrote:

> > We also do something similar to pacman when verifying git tag
> > signatures:
> > https://gitweb.torproject.org/builders/rbm.git/commit/?id=e04f03f9626e993bb66d7784d258f95ca07bc769
> > 
> 
> Cool!
> 
> > However for the cases where we don't use a tag (in nightly builds), it
> > sounds like push certificates could be useful to check that the commit
> > we are using was intended for the branch we use. Is it something that
> > we can do with push certificates?
> 
> Yes, definitely! I can sketch something out to stir discussion. Would
> that be desirable? :)

That sounds interesting to me. It looks like an improvement we can add
after we start using signed commits.

Maybe that is something that can be added in rbm as a new option to
check the branch from push certificates.

Nicolas
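
The branch check suggested in this message, sketched as an added example (not part of the original e-mail and not rbm code): it parses the signed text of a git push certificate and accepts a commit only if the certificate records it as the new tip of the expected branch. The function names and the sample certificate are constructed for illustration, and the PGP signature is assumed to have been verified against trusted keys in a separate step.

```python
import re

# Constructed sample push certificate (layout per git's push-cert protocol);
# the signature block is a placeholder and is NOT verified by this code.
SAMPLE_CERT = """\
certificate version 0.1
pusher Example Dev <dev@example.org> 1588097441 +0000
pushee https://git.example.org/project.git
nonce 1588097440-0123456789abcdef

1111111111111111111111111111111111111111 2222222222222222222222222222222222222222 refs/heads/master
3333333333333333333333333333333333333333 4444444444444444444444444444444444444444 refs/heads/feature
-----BEGIN PGP SIGNATURE-----
(placeholder)
-----END PGP SIGNATURE-----
"""

# One ref update: "<old-id> <new-id> <refname>" (SHA-1 or SHA-256 object ids).
REF_UPDATE = re.compile(r"^([0-9a-f]{40,64}) ([0-9a-f]{40,64}) (\S+)$")

def parse_push_cert(text):
    """Return (headers, updates) from the signed part of a push certificate."""
    signed = text.split("-----BEGIN PGP SIGNATURE-----", 1)[0]
    head, sep, body = signed.partition("\n\n")
    if not sep:
        raise ValueError("no blank line between header and ref updates")
    headers = {}
    for line in head.splitlines():
        key, _, value = line.partition(" ")
        headers.setdefault(key, []).append(value)
    if headers.get("certificate") != ["version 0.1"]:
        raise ValueError("unsupported certificate header")
    updates = []
    for line in body.splitlines():
        m = REF_UPDATE.match(line)
        if not m:
            raise ValueError("malformed ref update: %r" % line)
        updates.append(m.groups())
    return headers, updates

def commit_intended_for_branch(text, commit, branch, pushee=None):
    """True only if the cert records `commit` as the new tip of `branch`."""
    headers, updates = parse_push_cert(text)
    if pushee is not None and headers.get("pushee") != [pushee]:
        return False  # certificate was issued for a different repository
    ref = "refs/heads/" + branch
    return any(new == commit and name == ref for _old, new, name in updates)
```

The check only matches the tip recorded at push time, so a commit that was signed but pushed to another branch is rejected even though its own signature is valid.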
