On Wed, 18 Feb 2015 11:52, js-gnupg-us...@webkeks.org said:

> I do verify the fingerprint, and they are quite easy to find actually:
>
> https://help.github.com/articles/what-are-github-s-ssh-key-fingerprints/
>
> First Google match for "GitHub SSH fingerprint".

Using a search engine to find important information is not very user friendly. The host keys should be linked from the root page. But in this regard this is not different than any root CA - most make it really hard to find the fingerprint and the support lines sometimes don't even know why one wants to check this.

> Makefile / PKGBUILD / however it is called that is then verified. So I
> guess you can't easily map that to "Only x% of users check the
> downloaded tarball". I guess it's a lot more, it's just not all check
> it using the .sig.

Sure I can. If there are 1000 downloads of the tarball and only 100 of the corresponding sig it should be pretty clear that 90% of those who download do not even pretend to check the signature.

> git commit -S <keyID>
>
> You can just create an alias for that, I for example use git ci.

I know that but I would like to have a different key for tag and commit. Requiring an option is just too cumbersome.

Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
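The fingerprint check discussed in this thread, as an added example that is not part of the original message: it computes the MD5 and SHA256 fingerprints of a host key line in the `host keytype base64` form and compares them with a fingerprint obtained out of band. The host name, key bytes and the helper `make_line` are constructed for illustration.

```python
import base64, hashlib, hmac, struct

def parse_host_key(line):
    """Parse a known_hosts / ssh-keyscan style line: 'host keytype base64blob'."""
    host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with a length-prefixed copy of the key type; a mismatch
    # means the line is corrupted or was edited.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii") != keytype:
        raise ValueError("key type does not match key blob")
    return host, keytype, blob

def fingerprints(blob):
    """Return the fingerprint in both formats OpenSSH can print."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "MD5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
        "SHA256": "SHA256:" + sha,
    }

def matches_published(line, published):
    """True only if the key on `line` has the fingerprint `published`."""
    _, _, blob = parse_host_key(line)
    fps = fingerprints(blob)
    if ":" in published and not published.startswith(("MD5:", "SHA256:")):
        published = "MD5:" + published  # bare colon-separated hex form
    algo = published.split(":", 1)[0]
    return algo in fps and hmac.compare_digest(fps[algo], published)

def make_line(host, raw32):
    # Constructed sample: an ssh-ed25519 blob built from 32 arbitrary bytes.
    kt = b"ssh-ed25519"
    blob = struct.pack(">I", len(kt)) + kt + struct.pack(">I", 32) + raw32
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"

if __name__ == "__main__":
    good = make_line("git.example.org", bytes(range(32)))   # key we pinned
    other = make_line("git.example.org", bytes(32))         # different key, same host
    pinned = fingerprints(parse_host_key(good)[2])["SHA256"]
    print(pinned)
    print("pinned key matches:", matches_published(good, pinned))
    print("other key matches: ", matches_published(other, pinned))
```

The check is only as good as the channel the published fingerprint came from, which is the point made above about where such fingerprints are linked.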