Improving support for signed revisions

Arne Babenhauserheide arne_bab at web.de
Sun May 10 13:58:54 CDT 2009


On Wednesday 06 May 2009 22:52:28 Lasse Kliemann wrote:
> >  * On verify (and wherever else you want it), check the sig against
> > the text minus the sig.
>
> That sounds right like it, yes.

It wouldn't ensure the data, though. 

I could just grab the signed text and use it to do another commit which will 
then appear to have been done by the original committer. 

To ensure that the commit is really from the committer (and unchanged), you 
need to include the committer and a hash of the data in the signature. 

More exactly: You need to include all data which you want to verify (or a hash 
of it) in the signature. 

Best wishes, 
Arne

--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- 
   - singing a part of the history of free software -
              http://infinite-hands.draketo.de
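
The point made in this message, as an added example that is not part of the original post and not Mercurial's code: a signature over the commit text alone still verifies when that text is attached to different data, while a signature over committer, data hash and text does not. Assumptions: HMAC-SHA256 with a constructed key stands in for a real PGP signature so the example runs with the standard library only, and the commit dictionaries and function names are hypothetical.

```python
import hashlib
import hmac

# Constructed demo key; HMAC is a stand-in for the committer's PGP signature.
KEY = b"constructed-demo-key-of-alice"

def _sign(payload: bytes) -> str:
    return hmac.new(KEY, payload, hashlib.sha256).hexdigest()

def _field(value: bytes) -> bytes:
    # Length-prefix each field so bytes cannot shift between adjacent fields.
    return len(value).to_bytes(8, "big") + value

def sign_text_only(commit) -> str:
    """Weak scheme: the signature covers only the commit message text."""
    return _sign(commit["text"].encode())

def verify_text_only(commit, sig) -> bool:
    return hmac.compare_digest(sig, sign_text_only(commit))

def bound_payload(commit) -> bytes:
    """Everything that must be verifiable: committer, hash of the data, text."""
    data_hash = hashlib.sha256(commit["data"]).digest()
    fields = (commit["committer"].encode(), data_hash, commit["text"].encode())
    return b"".join(_field(f) for f in fields)

def sign_bound(commit) -> str:
    return _sign(bound_payload(commit))

def verify_bound(commit, sig) -> bool:
    return hmac.compare_digest(sig, sign_bound(commit))

def demo() -> dict:
    # Constructed sample commits.
    original = {"committer": "alice", "text": "fix parser", "data": b"good change"}
    reused = dict(original, data=b"different change")  # same signed text, other data
    renamed = dict(original, committer="bob")          # same data, other committer
    weak_sig, bound_sig = sign_text_only(original), sign_bound(original)
    return {
        "weak_accepts_reuse": verify_text_only(reused, weak_sig),
        "bound_accepts_original": verify_bound(original, bound_sig),
        "bound_accepts_reuse": verify_bound(reused, bound_sig),
        "bound_accepts_renamed": verify_bound(renamed, bound_sig),
    }

if __name__ == "__main__":
    print(demo())
```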