On Wed, Mar 7, 2012 at 18:03, Brian Smith <br...@linuxfood.net> wrote:
> On Wed, Mar 7, 2012 at 2:40 PM, Leo Razoumov <slonik...@gmail.com> wrote:
>>
>> Looking through the fossil source code I found places where manifests
>> are clearsign-ed. But where are signatures verified?
>
> They're not. It's designed for when you're auditing check-ins (after, say, a
> security breach..)
>

That's precisely my question. How do I audit? What command should I use to verify signed artifacts? Preferably, I would like to see something like "fossil verify" that outputs a list of all clearsign-ed artifacts in the repo annotated with "checked OK", "check Failed" or "cannot check" (e.g. when the key is missing).

The recent GitHub compromise gives us some food for thought about fossil's mechanism to ensure data integrity.

--Leo--
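
An added example, not part of the original message and not Fossil's own code: one way to produce the three verdicts asked for above by parsing GnuPG's machine-readable `--status-fd` output for each clearsigned artifact. The function names, the constructed sample status lines and the choice to count expired or revoked signatures as failures are assumptions of this example; the artifact text is supplied by the caller.

```python
import subprocess

CLEARSIGN_HEADER = b"-----BEGIN PGP SIGNED MESSAGE-----"
# Assumption of this example: expired/revoked signatures count as failures.
FAILED = {"BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed sample status output (key ID and name are made up).
SAMPLE_GOOD = ("[GNUPG:] NEWSIG\n"
               "[GNUPG:] GOODSIG 0123456789ABCDEF Example Dev <dev@example.org>\n")
SAMPLE_BAD = "[GNUPG:] BADSIG 0123456789ABCDEF Example Dev <dev@example.org>\n"
SAMPLE_NOKEY = ("[GNUPG:] ERRSIG 0123456789ABCDEF 1 2 00 1331157780 9\n"
                "[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n")

def classify_gpg_status(status):
    """Map gpg --status-fd lines to one of the three audit verdicts."""
    fields = (line.split() for line in status.splitlines())
    seen = {f[1] for f in fields if len(f) >= 2 and f[0] == "[GNUPG:]"}
    if seen & FAILED:          # any bad signature outweighs a good one
        return "check Failed"
    if "GOODSIG" in seen:
        return "checked OK"
    return "cannot check"      # ERRSIG/NO_PUBKEY, or gpg produced no verdict

def gpg_status(artifact):
    """Run gpg on one clearsigned artifact and return its status text."""
    try:
        proc = subprocess.run(
            ["gpg", "--batch", "--status-fd", "1", "--verify"],
            input=artifact, capture_output=True)
    except OSError:            # gpg not installed: nothing can be checked
        return ""
    return proc.stdout.decode("utf-8", "replace")

def audit(artifacts, get_status=gpg_status):
    """Return {artifact_id: verdict} for every clearsigned artifact."""
    report = {}
    for art_id, text in artifacts.items():
        if text.startswith(CLEARSIGN_HEADER):
            report[art_id] = classify_gpg_status(get_status(text))
    return report

if __name__ == "__main__":
    import sys
    # Usage: python audit.py FILE...  (each file holds one artifact's text)
    blobs = {path: open(path, "rb").read() for path in sys.argv[1:]}
    for art_id, verdict in audit(blobs).items():
        print(art_id, verdict)
```

The verdict depends only on the status keywords, not on gpg's exit code or human-readable output, so an artifact with both a good and a bad signature is reported as failed.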