[ANN] autosign extension
Dan Villiom Podlaski Christiansen
danchr at gmail.com
Fri May 15 02:29:45 CDT 2009
Hi,
The prospects of having the ability to sign keys with my (X.509)
digital signature is very intriguing to me. Just to be brief, and in
the hope of helping a bit, I'd like to describe how I'd expect such
support to work.
Basically, I see several possible outcomes of checking the signature
for a changeset:
1. the signature is valid and trusted.
2. the signature is valid but not trusted.
3. the signature is valid, but doesn't correspond to an author or
committer/signer specified in the changeset.
4. the signature is valid and trusted except the certificate has
either expired now or on the date specified in the changeset, or has
been revoked, possibly since then.
5. the signature is corrupt; the changeset does not validate according
to the signature.
The most important scenario to me is what happens in the final case:
I would expect Mercurial to abort with a hard error, as soon as
possible when seeing such a changeset. I would also expect that the
only way to solve it would be getting rid of that changeset.
I would also expect Mercurial to disallow signing with an address not
specified in the certificate, and issue clear warnings whenever an
untrusted signature is seen. To me, signature support should
prioritise security and safety over usability and convenience; after
all, signatures are useless if you cannot rely on them.
I don't know how valid signatures should be shown, but perhaps marking
unsigned or improperly signed changesets instead would be better?
For what it's worth, I'd prefer it if you didn't have to run a
separate command to check signatures, but if checking occurred
transparently behind the scenes whenever accessing a changeset.
It would be awesome to have good support for signed changesets in Mercurial :-)
--
Dan Villiom Podlaski Christiansen, stud.scient.
danchr at gmail.com
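The five verification outcomes and the two policies described in the post (refuse to sign for an address the certificate does not carry; treat a non-validating signature as a hard error rather than a warning) can be modelled as a small decision procedure. The following is an added example written for this page, not code from the autosign extension or from Mercurial. It uses an HMAC over the changeset's author, date and content as a stand-in for a real X.509 signature, and constructed certificates and changesets; the check order (corrupt first, then certificate validity at both the commit date and now, then signer/author identity, then trust) is an assumption chosen to match the post's ordering of concerns.

```python
"""Classify signature-verification outcomes for a changeset (constructed model).

The "certificate" and "signature" here are stand-ins: an HMAC-SHA256 over the
canonical changeset bytes, keyed by a per-certificate secret. Real X.509
verification is out of scope; the decision logic is what the example shows.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from enum import Enum

UTC = timezone.utc


class Outcome(Enum):
    VALID_TRUSTED = "valid and trusted"
    VALID_UNTRUSTED = "valid but not trusted"
    IDENTITY_MISMATCH = "valid, but signer does not match the changeset author"
    CERT_EXPIRED_OR_REVOKED = "valid, but certificate expired or revoked"


class CorruptSignature(Exception):
    """Hard error: the changeset does not validate against its signature."""


@dataclass(frozen=True)
class Certificate:
    email: str
    not_before: datetime
    not_after: datetime
    trusted: bool   # present in the local trust store
    revoked: bool
    secret: bytes   # stand-in for the private key (toy HMAC signer, not X.509)


@dataclass(frozen=True)
class Changeset:
    author: str
    date: datetime
    content: bytes
    signature: bytes


def canonical(author: str, date: datetime, content: bytes) -> bytes:
    """Bytes the signature covers: author, commit date and content together."""
    return b"\n".join([author.encode(), date.isoformat().encode(), content])


def mac_for(cert: Certificate, author: str, date: datetime, content: bytes) -> bytes:
    return hmac.new(cert.secret, canonical(author, date, content), hashlib.sha256).digest()


def sign(cert: Certificate, author: str, date: datetime, content: bytes) -> Changeset:
    """Sign-time policy: refuse to sign with an address the certificate lacks."""
    if author != cert.email:
        raise ValueError(f"certificate for {cert.email!r} cannot sign as {author!r}")
    return Changeset(author, date, content, mac_for(cert, author, date, content))


def classify(cs: Changeset, cert: Certificate, now: datetime) -> Outcome:
    """Verify-time policy. Raises CorruptSignature before any softer outcome."""
    expected = mac_for(cert, cs.author, cs.date, cs.content)
    if not hmac.compare_digest(expected, cs.signature):
        raise CorruptSignature("changeset does not validate against its signature")

    def valid_at(t: datetime) -> bool:
        return cert.not_before <= t <= cert.not_after

    # Certificate must be unrevoked and valid both at the commit date and now.
    if cert.revoked or not valid_at(cs.date) or not valid_at(now):
        return Outcome.CERT_EXPIRED_OR_REVOKED
    if cs.author != cert.email:
        return Outcome.IDENTITY_MISMATCH
    if not cert.trusted:
        return Outcome.VALID_UNTRUSTED
    return Outcome.VALID_TRUSTED


# Constructed sample certificates and dates (not real identities).
ALICE = Certificate("alice@example.org", datetime(2009, 1, 1, tzinfo=UTC),
                    datetime(2010, 1, 1, tzinfo=UTC), trusted=True, revoked=False,
                    secret=b"alice-toy-secret")
BOB = Certificate("bob@example.org", datetime(2009, 1, 1, tzinfo=UTC),
                  datetime(2010, 1, 1, tzinfo=UTC), trusted=False, revoked=False,
                  secret=b"bob-toy-secret")
COMMIT_DATE = datetime(2009, 5, 15, tzinfo=UTC)


def demo() -> dict:
    """Run each scenario from the post; returns scenario name -> outcome text."""
    now = datetime(2009, 6, 1, tzinfo=UTC)
    results = {}
    results["trusted"] = classify(sign(ALICE, ALICE.email, COMMIT_DATE, b"fix"), ALICE, now).value
    results["untrusted"] = classify(sign(BOB, BOB.email, COMMIT_DATE, b"fix"), BOB, now).value
    # Valid signature from Alice's key over a changeset claiming another author.
    forged_author = Changeset("mallory@example.org", COMMIT_DATE, b"fix",
                              mac_for(ALICE, "mallory@example.org", COMMIT_DATE, b"fix"))
    results["mismatch"] = classify(forged_author, ALICE, now).value
    results["expired_now"] = classify(sign(ALICE, ALICE.email, COMMIT_DATE, b"fix"), ALICE,
                                      datetime(2011, 1, 1, tzinfo=UTC)).value
    results["revoked"] = classify(sign(ALICE, ALICE.email, COMMIT_DATE, b"fix"),
                                  replace(ALICE, revoked=True), now).value
    tampered = replace(sign(ALICE, ALICE.email, COMMIT_DATE, b"fix"), content=b"fix; rm -rf")
    try:
        classify(tampered, ALICE, now)
    except CorruptSignature:
        results["corrupt"] = "corrupt (hard error)"
    try:
        sign(ALICE, BOB.email, COMMIT_DATE, b"fix")
    except ValueError:
        results["refused_to_sign"] = "refused"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} {outcome}")
```

Running the module prints one line per scenario. Because `classify` raises on a non-validating signature before returning any other outcome, a caller that verifies transparently on every changeset access (as the post suggests) will stop at the first corrupt changeset instead of downgrading it to a warning, and the sign-time refusal in `sign` keeps the author address and the certificate address from drifting apart in the first place.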