git to store everything? Great, so do I! And of course you sign your commits - so when you upload your configuration files and scripts somewhere, they will never be tampered with, right? Unfortunately, git pull --verify-signatures is not enough.
Have a look at what the git-pull documentation says about --verify-signatures:
Verify that the tip commit of the side branch being merged is signed with a valid key, i.e. a key that has a valid uid: in the default trust model, this means the signing key has been signed by a trusted key. If the tip commit of the side branch is not signed with a valid key, the merge is aborted.
This will verify that someone has signed the last commit (depending on your trust model, it also checks that the key actually belongs to the person it claims to represent).
However, if you also use gpg outside of git, you don't want to change your trust model or adjust the trust values for keys just to make the git use case work.
A simple workaround is to use a custom keyring that contains only the keys you trust to sign git commits:
# Create new keyring with only a subset of keys
gpg --export SOME-KEY SOME-OTHER-KEY | gpg --no-default-keyring --keyring=git.gpg --import -

# Create a wrapper script which git can use instead of gpg (assumes ~/.local/bin is in your path).
# The shebang and the exec line must be separate lines, otherwise the script is not a valid sh script.
echo '#!/bin/sh
exec gpg --no-default-keyring --keyring=git.gpg "$@"' > ~/.local/bin/gitgpg
chmod +x ~/.local/bin/gitgpg
To use this everywhere, you can run
git config --global gpg.program gitgpg
However, this will result in git being unable to verify any signature that is not in your special keyring. This is likely not what you want. Instead, I enable this feature only when needed, like this:
git alias verified "-c gpg.program=gitgpg pull --verify-signatures"
That way, I can make sure I only get code that I trust by using git verified instead of git pull, while still getting meaningful output from git log --show-signature.
Note that gpg will still check trust as usual, but it will only know the keys you imported into your special keyring(s).
Little side note: when you set up keyrings like that, you can also use them with gpgv to do general-purpose signature verification:
gpgv --keyring git.gpg update.tar.gpg || echo 'These are not the updates you are looking for...'