Re: tag2upload (git-debpush) service architecture - draft
>>>>> "Ian" == Ian Jackson <ijackson@chiark.greenend.org.uk> writes:
Ian> Sam Hartman writes ("Re: tag2upload (git-debpush) service
Ian> architecture - draft"):
>> Sean Whitton <spwhitton@spwhitton.name> writes: > Okay, thanks.
>>
>> > I think that the Git-Tag-Info field solves this. With that >
>> field available, anyone can do the following to perform an >
>> equivalent verification:
>>
>> > 1. fetch the .dsc from the archive
>>
>> > 2. fetch, from dgit-repos, the tag given in the Git-Tag-Info >
>> field of the .dsc
>>
>> This violates the "no external data" requirement above.
Ian> This requirement can be met (as I mentioned before) by
Ian> including the tag object data as a file in the upload (listed
Ian> in .changes). The signature can be verified without any
Ian> further data. A git bundle is not needed.
What do you mean by tag object data?
Can you outline how to get from the dsc to a verification of the tag
signature without contacting the dgit server?
Reply to: