Verifying signed git commits?


Problem description

With newer versions of git it's possible to sign individual commits (in addition to tags) with a PGP key:

git commit -m "some message" -S

And you can show these signatures in the output of git log with the --show-signature option:

$ git log --show-signature
commit 93bd0a7529ef347f8dbca7efde43f7e99ab89515
gpg: Signature made Fri 28 Jun 2013 02:28:41 PM EDT using RSA key ID AC1964A8
gpg: Good signature from "Lars Kellogg-Stedman <lars@seas.harvard.edu>"
Author: Lars Kellogg-Stedman <lars@seas.harvard.edu>
Date:   Fri Jun 28 14:28:41 2013 -0400

    this is a test

But is there a way to programmatically verify the signature on a given commit other than by grepping the output of git log? I'm looking for the commit equivalent of git tag -v -- something that will provide an exit code indicating whether or not there was a valid signature on a given commit.

Recommended answer

Just in case someone comes to this page through a search engine, like I did: New tools have been made available in the two years since the question was posted: There are now git commands for this task: git verify-commit and git verify-tag can be used to verify commits and tags, respectively.
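
As an added example (not part of the original answer), the exit status of git verify-commit can gate a whole commit range, for instance in CI or a server-side hook. The function name verify_range, the script name and the range shown in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original answer): gate a commit range on
# the exit status of `git verify-commit`. Function and file names are hypothetical.

# verify_range REPO RANGE
#   0 = every commit in RANGE passed `git verify-commit`
#   1 = at least one commit is unsigned or has a signature gpg rejects
#   2 = RANGE could not be resolved (fail closed instead of "nothing to check")
verify_range() {
    repo=$1
    range=$2
    commits=$(git -C "$repo" rev-list "$range" 2>/dev/null) || return 2

    bad=0
    for commit in $commits; do
        # verify-commit exits non-zero when there is no signature or the
        # signature does not verify; its gpg output goes to stderr.
        if ! git -C "$repo" verify-commit "$commit" >/dev/null 2>&1; then
            echo "not verified: $commit" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Usage (script name is a placeholder):
#   sh verify-range.sh /path/to/repo origin/main..HEAD
if [ "$#" -eq 2 ]; then
    verify_range "$1" "$2"
    exit $?
fi
```

A zero status means gpg accepted the signature with a key in the local keyring, so keep that keyring limited to the signers you accept.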
