[ANNOUNCE] git-sign, simple scripts to generate and verify securely signed Git checkouts


Mostly as a proof of concept, I've created two scripts to sign and
verify Git checkouts (I'm saying checkouts since it (both for
simplicity, and probably trust) is based on the working directory
contents, not the tree referred to by the signed commit). Like some
other such solutions, this adds secure hashes to the signed tag
message. There are two drawbacks and one advantage versus other

- meant for small repositories only (each file in the repository takes
up a line in the tag message)
- relatively hacky, e.g. newlines in file names may be problematic,
doesn't currently use gpg's --status-fd or --with-colons, and doesn't
check git config
+ easily verifiable scripts, checking can even be done manually (hence
no need for casual users to (blindly) trust third party code)
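
An added sketch of the approach described above (hypothetical code, not the announced git-sign scripts): the manifest of per-file hashes becomes the signed tag message, and verification recomputes the hashes from the working tree. It assumes GNU coreutils (sha256sum), git 2.13 or later for `tag --format`, and a GPG key git can sign with; function names are my own.

```shell
#!/bin/sh
# Hypothetical demo of the git-sign idea (not the announced scripts).
# File names containing newlines are not handled, the same limitation the
# announcement mentions. Assumes GNU coreutils and git >= 2.13.

# Print the manifest for directory $1: one "sha256  path" line per regular
# file, sorted by path, paths relative to $1, the .git directory skipped.
make_manifest() {
    ( cd "$1" && find . -path ./.git -prune -o -type f -print |
        sed 's|^\./||' | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum -- "$f"; done )
}

# Succeed only if directory $1 matches manifest file $2 exactly: every
# listed file must hash identically AND no unlisted file may exist.
# Plain "sha256sum -c" would ignore files added after signing, so the
# whole listing is compared; lines that are not manifest entries
# (tag subject text, the PGP signature block) are filtered out first.
verify_manifest() {
    expected=$(grep -E '^[0-9a-f]{64}  ' "$2" | LC_ALL=C sort)
    actual=$(make_manifest "$1" | LC_ALL=C sort)
    [ "$expected" = "$actual" ]
}

# Sign: create signed tag $2 in repository $1 with the manifest as the
# tag message (git uses user.signingkey or the committer's default key).
sign_checkout() {
    make_manifest "$1" > "$1/.git/SIGN_MANIFEST" &&
        git -C "$1" tag -s -F "$1/.git/SIGN_MANIFEST" "$2"
}

# Verify: check the tag signature first, then check the checkout against
# the manifest extracted from the tag message. Both steps must pass.
verify_checkout() {
    git -C "$1" verify-tag "$2" &&
        git -C "$1" tag -l --format='%(contents)' "$2" > "$1/.git/SIGN_MANIFEST" &&
        verify_manifest "$1" "$1/.git/SIGN_MANIFEST"
}
```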