Re: [Survey] Signed push
From: Jonathan Nieder <hidden>
Date: 2016-06-15 22:52:02
Nguyen Thai Ngoc Duy wrote:
On Wed, Sep 14, 2011 at 2:45 AM, Junio C Hamano [off-list ref] wrote:
quoted
An alternative that I am considering is to let the requester say this instead: are available in the git repository at: git://git.kernel.org/pub/flobar.git/ 5738c9c21e53356ab5020912116e7f82fd2d428f
[...]
Stupid question, if we agree to go with signed push, can we also sign pull requests and verify them when we pull? I suppose most of the time, pulling can be done automatically by extracting pull url from the request. This would make pull/push both signed. BTW, there's a third way (rsync is obsolete) to carry changes away in human-unreadable way: bundles. Should we also sign the bundles too (I guess we could just do the same as in signed push).
If I understand you correctly, then ordinary PGP email signing[1] should work for that already. In your first example, the receiver can make sure whatever process grabs a pull request verifies it, and in the second example, the receiver checks the signature on her email before saving a bundle and passing it to "git fetch". [1] http://www.phildev.net/pgp/gpgmua.html