Improving support for signed revisions

Peter Arrenbrecht peter.arrenbrecht at gmail.com
Wed May 6 10:27:21 CDT 2009


On Wed, May 6, 2009 at 4:38 PM, Lasse Kliemann
<lasse-list-mercurial-2009 at mail.plastictree.net> wrote:
> Greetings,
>
> is the GPG extension used by many? In which way are people using
> it? Being a long-time Subversion user, I got used to trusting the
> commit log to display the "correct" user names, i.e., when it
> says that revision X was committed by user A, then I can be sure
> that it was in fact committed by the person that I associate with
> name A (as long as the admin for the central repository shares my
> association). I already elaborated on this in another post, which
> unfortunately got no replies yet:
>
> https://lists.berlios.de/pipermail/better-scm-discuss/2009-May/000051.html
>
> Now, to achieve the same thing in distributed systems,
> cryptographic signatures must be used. Mercurial has an extension
> for this, but it looks to me to be in a rather early stage of
> development. That's why I ask who's using it and in which way.
>
> I find the following unsatisfactory about the current
> implementation of cryptographic signatures for Mercurial:
>
> - A signature seems to generate a revision of its own, stating
>  which other revision is signed by it. This does not exactly
>  make commit logs easier to read. Instead, I'd like to have this
>  information displayed directly with the signed revision.
>  This could be achieved by an external tool which filters the
>  commit log and maps signatures to their revision. However, I
>  feel that an integrated solution would be better.
>
> - The commit log does not show which signatures are valid. There
>  is even no way to validate all existing signatures, only the
>  'sigcheck' command that validates a single signature. One
>  could write an external tool to check all signatures. However,
>  I feel that an integrated solution would be better.
>
> - For my goals of being able to trust each and every user name in
>  the logs, each and every revision has to be signed. There seems
>  to be no way currently to automatically sign all revisions.
>
> Any suggestions? Any plans to improve the GPG support in
> Mercurial in the near future? I'd be happy to participate in a
> design discussion.

This sounds like you'd want a different extension, which operates
automatically on every commit. I can picture it as follows:

 * On every commit to the changelog, sign the text, then append the
sig as a new extra value to the text, then commit this new text. So
you're not signing the final hash as the other extension does, but the
actual changelog text (which includes the user name and the _manifest_
hash).
 * On verify (and wherever else you want it), check the sig against
the text minus the sig.

You might need new hooks into the changelog for this.
-parren
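
The scheme sketched in the reply above, as an added example that is not part of the original message and not Mercurial or GPG extension code: the signature covers the changelog text without the signature extra, and verification recomputes it over the text minus the sig. Assumptions: the entry layout is a simplified model rather than Mercurial's exact encoding, the extra key name `sig` and the sample keys are hypothetical, and HMAC-SHA256 stands in for a GPG signature so the block runs offline.

```python
import hashlib
import hmac

SIG = "sig"  # hypothetical name of the extra key that holds the signature

# Constructed per-user keys. HMAC-SHA256 stands in for a GPG detached
# signature so the example runs offline; it is not what GPG computes.
KEYS = {"alice <alice@example.org>": b"alice-demo-key"}


def text(entry, with_sig=True):
    """Serialize an entry (simplified, not Mercurial's exact encoding)."""
    extra = {k: v for k, v in entry["extra"].items() if with_sig or k != SIG}
    extras = "\0".join(f"{k}:{v}" for k, v in sorted(extra.items()))
    lines = [entry["manifest"], entry["user"], entry["date"], extras]
    return "\n".join(lines + sorted(entry["files"]) + ["", entry["desc"]]).encode()


def sign(entry):
    """Sign the text without the sig, then store the sig as an extra value."""
    mac = hmac.new(KEYS[entry["user"]], text(entry, False), hashlib.sha256)
    return dict(entry, extra=dict(entry["extra"], **{SIG: mac.hexdigest()}))


def verify(entry):
    """Check the sig against the text minus the sig; unsigned entries fail."""
    sig, key = entry["extra"].get(SIG), KEYS.get(entry["user"])
    if sig is None or key is None:
        return False
    want = hmac.new(key, text(entry, False), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, want)


def digest(entry):
    """SHA-1 of the final text, which includes the signature extra."""
    return hashlib.sha1(text(entry)).hexdigest()


# Constructed sample entry.
ENTRY = {"manifest": "a" * 40, "user": "alice <alice@example.org>",
         "date": "1241623641 18000", "files": ["README"],
         "desc": "fix typo", "extra": {"branch": "default"}}
SIGNED = sign(ENTRY)
```

Because the user name and manifest hash are inside the signed text, changing either one invalidates the signature, and an entry with no signature is rejected rather than silently accepted.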


