On Wed, Mar 7, 2012 at 22:03, Richard Hipp <d...@sqlite.org> wrote: > On Wed, Mar 7, 2012 at 7:10 PM, Leo Razoumov <slonik...@gmail.com> wrote: >> On Wed, Mar 7, 2012 at 18:03, Brian Smith <br...@linuxfood.net> wrote: >> > On Wed, Mar 7, 2012 at 2:40 PM, Leo Razoumov <slonik...@gmail.com> >> > wrote: >> >> >> >> Looking through the fossil source code I found places where manifests >> >> are clearsign-ed. But where are signatures verified? >> > >> > They're not. It's designed for when you're auditing check-ins (after, >> > say, a >> > security breach..) >> >> That's precisely my question. How do I audit? > > I never got around to implementing that part. An audit has never come up. > Do you have a suggested interface? > Where do we collect the public keys for the authorized signers? >
You do not need to collect public keys of authorized signers inside a fossil repo. They are stored by gpg in the GPG ring of trust. I do not think that fossil should interfere with the GPG key distribution process. Let each project team handle their key distribution themselves via key-signing parties, trusted key servers, etc. Command interface for signature verification in fossil could be as follows: $ fossil verify ?-R repository? sends to the stdout output a list of entries, one line per each clearsign-ed artifact in the following format SHA1_hash status where "status" field is one of the three possibilities: (1) signed by <key>. Check Pass (2) signed by <key>. Check Fail (3) signed by <key>. Check Miss In case (3) signature verification process was unable to complete because, for instance, public key was missing, etc. A user can then grep for "check fail" and "check miss" to dwell further on suspected artifacts using their SHA1 hashes. The command exits with a status code of 0 if no "check fail" or "check miss" signatures were found, 1 if only "check miss" but no "check fail", and 2 if "check fail" has been seen. --Leo-- _______________________________________________ fossil-users mailing list fossil-users@lists.fossil-scm.org http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users