your mail

[john at keeping.me.uk (John Keeping)]

[Please keep the mailing list cc'd.]

On Sat, Jul 22, 2017 at 12:32:40PM -0400, Ghost Squad 57 wrote:
> Personally, I just want cgit to show the key used to sign the commit, not
> necessarily validate it. Validation could always be done on the user's side.

I would be very concerned about giving a false sense of security by
doing this.  It sounds like you want something like "good signature by
untrusted key ...", but then doing validation on the user's side
requires cloning the repository, doesn't it?

Or do you mean that the user should trust the server and just say "yes,
that's the key I expect to have signed this"?  That's not behaviour that
we should be encouraging.

> On Jul 22, 2017 8:04 AM, "John Keeping" <john at keeping.me.uk> wrote:
> 
> > On Tue, May 09, 2017 at 03:35:57AM -0400, Ghost Squad 57 wrote:
> > > Lately I've gotten into the habit of signing commits and tags with my GPG
> > > key (https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work)
> > >
> > > But it appears cgit doesn't support showing commits that have been
> > signed.
> > >
> > > Is there a way to enable this?
> >
> > No, we don't have any support for this at the moment.  What would you
> > expect to see for a signed commit?  Do you want the server to validate
> > the signature?  In which case, how should the trusted signers be
> > configured?
> >