On Tue, Aug 19, 2014 at 03:06:24PM -0700, Junio C Hamano wrote:
> While signed tags and commits assert that the objects thusly signed
> came from you, who signed these objects, there is not a good way to
> assert that you wanted to have a particular object at the tip of a
> particular branch. My signing v2.0.1 tag only means I want to call
> the version v2.0.1, and it does not mean I want to push it out to my
> 'master' branch---it is likely that I only want it in 'maint'.
>
> Introduce a mechanism that allows you to sign a "push certificate"
> (for the lack of better name) every time you push, asserting that
> what object you are pushing to update which ref that used to point
> at what other object. Think of it as a cryptographic protection for
> ref updates, similar to signed tags/commits but working on an
> orthogonal axis.
>
> The basic flow based on this mechanism goes like this:
>
> 1. You push out your work with "git push -s".
You wrote "git push -s", but the command below only seems to understand
--signed, not -s. It should probably be consistent.
> diff --git a/builtin/push.c b/builtin/push.c
> index f50e3d5..ae56f73 100644
> --- a/builtin/push.c
> +++ b/builtin/push.c
> @@ -506,6 +506,7 @@ int cmd_push(int argc, const char **argv, const char
> *prefix)
> OPT_BIT(0, "no-verify", &flags, N_("bypass pre-push hook"),
> TRANSPORT_PUSH_NO_HOOK),
> OPT_BIT(0, "follow-tags", &flags, N_("push missing but relevant
> tags"),
> TRANSPORT_PUSH_FOLLOW_TAGS),
> + OPT_BIT(0, "signed", &flags, N_("GPG sign the push"),
> TRANSPORT_PUSH_CERT),
> OPT_END()
> };
>
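Review bot: the new `OPT_BIT(0, "signed", &flags, N_("GPG sign the push"), TRANSPORT_PUSH_CERT)` entry passes 0 as the short option, so only `--signed` exists and the "git push -s" invocation in the quoted commit message does not work; either pass 's' as the short option or change the commit message to say `--signed`. The help string "GPG sign the push" could also say what is signed, since the commit message describes a certificate over the ref name and its old and new object, not the pushed objects themselves.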
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187