[darcs-users] OpenPGP signing and Darcs
Dan Frumin
dan at covariant.me
Wed Jun 8 15:46:29 UTC 2016
(Apologies if you receive multiple copies, there is something wrong with my
mail client today)
Hi Alexander,
I don't know much about the interaction of darcs & PGP, specifically I
don't know how to sign individual patches. FWIW here are my thoughts
on this.
What you should be able to do is sign and verify specific patch
bundles. For instance, if you do `darcs send --sign`, it should create
a patch bundle signed with your PGP key. (See `darcs help send` for
more options). Then the bundle can be verified with `gpg --verify
whatever.dpatch`. Actually, `darcs apply` should check the signature
for you, and it will give you an error message if you try to apply a
corrupt bundle. Here is what happened when I tried to sneak in a typo
in my signed bundle:
> $ darcs apply ../*.dpatch
>
> darcs failed: Patch bundle failed hash!
> This probably means that the patch has been corrupted by a mailer.
> The most likely culprit is CRLF newlines.
However, I don't think this signature is recorded anywhere in the
repository. I might be wrong.
Hope this helps,
- Dan
PS: this information should really be available in the FAQ, which
doesn't really say much about signing patches. I will update the page
if someone will nag me at some point :)
On Mon, Jun 6, 2016 at 2:57 PM, Alexander Berntsen <alexander at plaimi.net>
wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi.
>
> With git I rely heavily on OpenPGP-signing every commit with GPG, so
> that users can confidently checkout any snapshot of the repository.
>
> As far as I understand with Darcs, patches can be signed using GPG.
> However, I cannot find out how to actually find them. How do I, using
> darcs log or similar, actually see the signatures?
>
> As an aside, as a git user and complete Darcs newbie, my understanding
> of the ramifications of patches as first-class citizens is admittedly
> lacking, so I am not entirely certain how OpenPGP signatures should
> work with Darcs. I just want to make sure I can distribute my software
> and patches with a certain guarantee for end-users regarding things
> like MitM. If anyone has any documentation or guides I should look at
> for this, that would be appreciated.
> - --
> Alexander
> alexander at plaimi.net
> https://secure.plaimi.net/~alexander
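Added example (not part of the original thread and not code from darcs): `gpg --verify` succeeds for a good signature from any key in the keyring, so a recipient who wants the guarantee asked about in the quoted message can also pin the signer's fingerprint before running `darcs apply`. The function names and the sample fingerprints are constructed for illustration; the script assumes a bundle that `gpg --verify` accepts, as described in the reply above.

```shell
#!/bin/sh
# Pin the signer of a darcs patch bundle before applying it.
# All fingerprints below are constructed placeholders, not real keys.

# Read `gpg --status-fd` lines on stdin and print the primary-key fingerprint
# of the one good signature. Fails on bad, expired or revoked signatures,
# because gpg still emits VALIDSIG for expired and revoked keys.
signer_fpr_from_status() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good++ }
        # Field 3 is the signing (sub)key; field 12, when present, the primary key.
        $2 == "VALIDSIG" { valid++; fpr = (NF >= 12) ? $12 : $3 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad++ }
        END { if (bad || good != 1 || valid != 1) exit 1; print fpr }'
}

# usage: bundle_signed_by BUNDLE EXPECTED_FPR
bundle_signed_by() {
    fpr=$(gpg --status-fd 1 --verify "$1" 2>/dev/null | signer_fpr_from_status) || return 1
    [ "$fpr" = "$2" ]
}

# usage: apply_if_signed_by BUNDLE EXPECTED_FPR
apply_if_signed_by() {
    bundle_signed_by "$1" "$2" || {
        echo "refusing $1: not signed by $2" >&2
        return 1
    }
    darcs apply "$1"
}

# Constructed status output for a good signature made with a signing subkey.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_SUBKEY=89ABCDEF0123456789ABCDEF0123456789ABCDEF
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 23456789ABCDEF01 Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $SAMPLE_SUBKEY 2016-06-08 1465400789 0 4 0 1 10 01 $SAMPLE_FPR"
```

Call it as `apply_if_signed_by whatever.dpatch <fingerprint>` with the fingerprint obtained from the sender over a separate channel.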