Marcin W. Dąbrowski wrote: > Would it be ever possible to have an option to use external > tools for signing certs? I.e. GnuPG signatures?
Not right now (and it's not planned, AFAIK), but you can do of course things that pretty much guarantee the same thing: 1. GPG-sign your monotone public key: this way people that trust your GPG key know that they can trust your monotone signatures (if they trust monotone itself, that is) 2. GPG-sign a revision id: people that trust your GPG key might take that as you asserting that that (single) revision is "good" 3. GPG-sign the output of "mtn log --next=1 --no-graph", in order to testify not only the revision content but also the main certs I'm not saying that this is any better than relying on the internal monotone crypto (which suffices in my case), but if you already have deployed a large PKI, yuo might as well use it this way also. When you sign something "manually" always remember: it *has* to be a parseable format even if you'll never need to parse it (basically that means that it has an unique meaning, and no one can interpret your signature in a different way - like for example the first RSA GPG key could be, as private key and public key were not properly "separated" in hashing them). -- Lapo Luchini - http://lapo.it/ “In God we trust. Everybody else we verify using PGP!” (Tim Newsome) _______________________________________________ Monotone-devel mailing list Monotone-devel@nongnu.org http://lists.nongnu.org/mailman/listinfo/monotone-devel