On 12/21/17, jungle Boogie <jungleboog...@gmail.com> wrote:
>
> How are the signatures verified?

Signatures are not verified, at the moment.

Probably each repository would have a set of trusted public keys. Then as each check-in is received via push (or during a rebuild) those with signatures have the signatures verified using the set of trusted keys. Those for which the keys are unknown get marked as signed but unverified.

The signatures are currently generated by running gpg in a separate process. I suppose the verification step could do something similar.

Hey - I suppose there is a fourth state:

(4) Forgery: The signature does not match.

--
D. Richard Hipp
d...@sqlite.org
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
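
One way the verification step sketched in the message above could look, as an added example that is not part of the original e-mail or of Fossil's code: it classifies a check-in from the machine-readable status lines gpg prints with --status-fd, checked against a set of trusted key fingerprints. The state names, the classify and verify_file helpers, and the sample status lines are assumptions made for illustration.

```python
import subprocess

# State names are this example's assumptions; the post names only the last two.
UNSIGNED, VERIFIED, UNVERIFIED, FORGERY = (
    "unsigned", "verified", "signed-unverified", "forgery")

SIG_TAGS = {"GOODSIG", "VALIDSIG", "ERRSIG", "NO_PUBKEY",
            "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
DEGRADED_TAGS = {"EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def classify(status_text, trusted_fprs):
    """Map gpg --status-fd output to a check-in signature state."""
    trusted = {f.upper() for f in trusted_fprs}
    signed = valid = degraded = False
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        tag, args = parts[1], parts[2:]
        if tag == "BADSIG":  # signature does not match the signed content
            return FORGERY
        signed = signed or tag in SIG_TAGS
        degraded = degraded or tag in DEGRADED_TAGS
        # VALIDSIG: first field is the signing key fingerprint, last the primary key.
        if tag == "VALIDSIG" and args and {args[0].upper(), args[-1].upper()} & trusted:
            valid = True
    if not signed:
        return UNSIGNED
    # Unknown, untrusted, expired or revoked keys all stay "signed but unverified".
    return VERIFIED if valid and not degraded else UNVERIFIED

def verify_file(path, trusted_fprs):
    """Run gpg in a separate process on a clearsigned artifact and classify it."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True)
    return classify(proc.stdout, trusted_fprs)

# Constructed sample status output (fingerprint and key ids are made up).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_GOOD = ("[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed User <user@example.org>\n"
               f"[GNUPG:] VALIDSIG {FPR} 2017-12-21 1513814400 0 4 0 1 8 01 {FPR}\n")
SAMPLE_NOKEY = ("[GNUPG:] ERRSIG 89ABCDEF01234567 1 8 01 1513814400 9\n"
                "[GNUPG:] NO_PUBKEY 89ABCDEF01234567\n")
SAMPLE_BAD = "[GNUPG:] BADSIG 89ABCDEF01234567 Constructed User <user@example.org>\n"
```

A good signature from a key outside the trusted set is deliberately reported as signed-unverified rather than verified, so trust comes from the repository's key set and not from whatever happens to be in the local keyring.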