[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Additional GPG key needed when verifying git-authenticate
|
From: |
Amin Bandali |
|
Subject: |
Additional GPG key needed when verifying git-authenticate |
|
Date: |
Sat, 28 Mar 2020 20:29:41 -0400 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux) |
Hello Guix,
I'll get right to the point: I goofed up earlier tonight, and pushed to
master a commit [0] modifying build-aux/git-authenticate.scm. Since
we're all to sign our commits, as a result, in addition to Ludo’s key
you now need to add my GPG key to your keyring as well, before invoking
git-verify-commit on that file as shown in the manual.
[0]:
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=c2cf286c62933d2806ae17b8287520820bf87c7e
Backstory: as I myself had not yet started using git-authenticate, I had
not read the bit about it in the manual. And it did not occur to me to
do a git-blame or git-log on the file before committing to it, in order
for me to notice that until that point only Ludo’ had committed to it.
Chatting with Ludo’ and others in #guix, it seems that it's not too far
fetched for committers to update their own keys and information in the
git-authenticate script, and I just happened to be the first person
walking into it. :-)
As such, the manual will be updated to clarify that keys other than
Ludo’s have been used to sign commits to build-aux/git-authenticate.scm,
and folks looking to verify and use the script need to fetch them from
the respective committers' Savannah profile in addition to Ludo’s key.
fishyfriend on #guix kindly volunteered to send a patch clarifying this.
For those looking to fetch my GPG key in order to verify the legitimacy
of my commit(s) to git-authenticate, you can get a copy of my key from
my Savannah profile [1]; or since I happen to be a GNU maintainer, from
the GNU maintainers keyring [2]. The key is the same one I have used to
sign my previous commits to guix.git with, and the one I have signed my
messages to this list with, including this very message, with primary
fingerprint BE62 7373 8E61 6D6D 1B3A 08E8 A21A 0202 4881 6103, and
signing subkey 39B3 3C8D 9448 0D2D DCC2 A498 8B44 A0CD C7B9 56F2.
[1]: https://savannah.gnu.org/users/bandali
[2]: https://ftp.gnu.org/gnu/gnu-keyring.gpg
Sorry for any inconvenience or confusion this may have caused.
Best,
amin
signature.asc
Description: PGP signature
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- Additional GPG key needed when verifying git-authenticate,
Amin Bandali <=