Thanks, Junio, for the tutorial! I had tried to look up the key, but failed to
put the ‘0x’ at the head.
I was actually verifying the signature on a tarball release. Just curious, how
do I know the key in the database really belongs to you? It has your name
and email, but what’s to keep an imposter from creating a key with your name on
it and posting it to the database? I guess all the signatories on your key are
others vouching for your key?
Thanks again for the reply. Oh, and thanks for git!
Cheers,
Jamie
> On Dec 8, 2015, at 5:49 PM, Junio C Hamano wrote:
>
> Jamie Evans writes:
>
>> Can you please point me to the public GPG keys used for source code signing?
>
> I suspect that you are asking about our project, but instead of
> throwing you a fish, I'll show you how to catch one yourself.
>
> In a copy of linux kernel repository I have lying around from a
> random past, I did this:
>
>$ git log --show-signature
>
> and saw something like this:
>
>commit c6fa8e6de3dc420cba092bf155b2ed25bcd537f7
>merged tag 'arm64-fixes'
>gpg: Signature made Wed 07 Oct 2015 03:10:34 AM PDT using RSA key ID 84C16334
>gpg: Can't check signature: public key not found
>Merge: e82fa92 62c6c61
>Author: Linus Torvalds
>Date: Wed Oct 7 18:17:46 2015 +0100
>
>Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/li...
>
> I do not have the public key with key ID 84C16334, but I can ask
> public keyservers. Put 0x84C16334 in "Search String" in pgp.mit.edu
> and click "Do the search!"--it would result in the key that was used
> to sign the merge request that resulted in this merge.
>
> I also can do this:
>
>$ git tag -v v3.0
>
> and I would see something like:
>
>object 02f8c6aee8df3cdc935e9bdd4f2d020306035dbe
>type commit
>tag v3.0
>tagger Linus Torvalds 1311301049 -0700
>
>Linux 3.0
>
>w00t!
>gpg: Signature made Thu 21 Jul 2011 07:17:44 PM PDT using DSA key ID 76E21CBB
>gpg: Good signature from "Linus Torvalds (tag signing key)
> "
>...
>
> to find that Linus's tag signing key has ID 0x76E21CBB (I do have
> his key in my keyring, so this does not say "Can't check").
>
> Perhaps you can do the same to whatever project you are interested
> in. For example, here is a starting point to do the same for our
> recent v2.6.4 tag:
>
>$ git tag -v v2.6.4
>gpg: Signature made Tue 08 Dec 2015 02:12:50 PM PST using RSA key ID 96AFE6CB
>gpg: Can't check signature: public key not found
>error: could not verify the tag 'v2.6.4'
>
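The question Jamie raises above (a key with the right name on a keyserver proves nothing) is usually answered by pinning the signer's full fingerprint, learned out of band, and checking the gpg status output rather than the human-readable "Good signature" line. The script below is an added example, not code from this thread or from the git project; the fingerprint and the sample status lines are constructed placeholders, and it assumes `git verify-tag --raw`, which prints raw gpg status lines to stderr.

```shell
#!/bin/sh
# Verify a release tag against a pinned signing-key fingerprint.
# A matching name or a short key ID is not enough: anyone can upload a key
# with the same name to a keyserver, and 32-bit short IDs can be made to
# collide. Pin the full 40-hex-digit fingerprint, obtained out of band.

# Constructed placeholder; replace with the maintainer's real fingerprint.
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Read gpg status lines ("[GNUPG:] ..." as printed by `git verify-tag --raw`)
# from $1 and succeed only if a VALIDSIG line names the pinned key, either as
# the signing key (field 3) or as its primary key (field 12).
check_status() {
    printf '%s\n' "$1" | awk -v want="$EXPECTED_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $12 == want) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Verify a tag in the current repository; gpg status goes to stderr.
verify_tag() {
    status=$(git verify-tag --raw "$1" 2>&1) || return 1
    check_status "$status"
}

# Constructed sample status output for an offline demonstration: the signature
# is cryptographically good, but it was made by a key other than the pinned one.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Someone Else <someone@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2015-12-08 1449612770 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98'

if check_status "$SAMPLE_STATUS"; then
    echo "tag signed by the pinned key"
else
    echo "good signature, but NOT from the pinned key: do not trust" >&2
fi
```

Run `verify_tag v2.6.4` inside a clone after importing the maintainer's key; a "Good signature" from any other key with the same name still fails the fingerprint check.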