Reputation: 63
After cloning a remote git repository and issuing git show --show-signature, it says the signature is good. Then I changed some files and tested the same command, and it still says the signature is good.
What exactly does the above command check? What is the correct way to verify that the cloned git repository is what the developer intended?
Upvotes: 6
Views: 7888
Reputation: 12518
git show --show-signature does exactly what it says in its manpage:
--show-signature
    Check the validity of a signed commit object by passing the signature to gpg --verify and show the output.
You must have imported the repo author's public key beforehand so that GPG knows where to look for it. You need to read up on a GPG tutorial to fully understand how it works.
Now for the second part of your question: git show without an explicit commit SHA-1 (or object name in general) works on the current HEAD. If you just modified some files in your working copy but didn't commit the changes, then HEAD and all other commits in your repository stay the same; therefore git show --show-signature will show you exactly the same output as it would after a fresh clone of the repository. If you decide to commit your changes, you will move your HEAD one commit up but won't modify the previous HEAD, so git show --show-signature HEAD^ will still show that everything is ok.
Upvotes: 9
Reputation: 60443
Commits don't change. git status will report on the status of your worktree; git show is for showing you repository content.
Upvotes: 1
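Both answers make the same point: the signature is over the commit object, not over the files in your working copy. The following added example (mine, not code from the question or either answer) models what git hands to gpg --verify. It builds a constructed signed commit object with a placeholder signature body, splits it the way git does into the signed payload and the gpgsig block, computes the commit id, and shows that pointing the commit at a different tree changes the payload (so the signature would fail) while nothing about the working tree enters the computation at all. The gpg invocation in run_gpg_verify is my reading of git's gpg-interface.c and is an assumption; it only runs if gpg is installed.

```python
import hashlib
import shutil
import subprocess
import tempfile

# Constructed sample commit object (not taken from any real repository).
# The tree id is the well-known hash of the empty tree; the parent id and the
# signature body are placeholders, so real gpg would report this signature
# as bad. The structure is what matters here.
SIGNED_COMMIT = b"\n".join([
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904",
    b"parent 1111111111111111111111111111111111111111",
    b"author Alice <alice@example.com> 1700000000 +0000",
    b"committer Alice <alice@example.com> 1700000000 +0000",
    b"gpgsig -----BEGIN PGP SIGNATURE-----",
    b" ",                              # continuation lines start with one space
    b" PLACEHOLDERSIGNATUREBODY=",
    b" -----END PGP SIGNATURE-----",
    b"",                               # blank line ends the header section
    b"Add feature X",
    b"",
])


def split_signed_commit(raw):
    """Split a commit object the way git does before calling gpg.

    Returns (payload, signature): payload is the object with the gpgsig
    header removed (the exact bytes gpg verifies); signature is the
    ASCII-armored block with the one-space continuation indent stripped.
    An unsigned commit yields (raw, None).
    """
    headers, sep, message = raw.partition(b"\n\n")
    payload_lines, sig_lines, in_sig = [], [], False
    for line in headers.split(b"\n"):
        if line.startswith(b"gpgsig "):
            in_sig = True
            sig_lines.append(line[len(b"gpgsig "):])
        elif in_sig and line.startswith(b" "):
            sig_lines.append(line[1:])
        else:
            in_sig = False
            payload_lines.append(line)
    if not sig_lines:
        return raw, None
    return b"\n".join(payload_lines) + sep + message, b"\n".join(sig_lines) + b"\n"


def commit_id(raw):
    """Object name git gives the commit in a SHA-1 repository: SHA-1 over
    'commit <size>\\0' followed by the raw object bytes (gpgsig included).
    Working-tree contents never enter this calculation."""
    return hashlib.sha1(b"commit %d\x00" % len(raw) + raw).hexdigest()


def tamper_tree(raw, new_tree):
    """Point the commit at a different tree, which is what changing the
    recorded file contents requires. Both the signed payload and the commit
    id change, while the gpgsig header stays as it was, so gpg would reject."""
    first, sep, rest = raw.partition(b"\n")
    if not first.startswith(b"tree "):
        raise ValueError("commit object must start with a tree line")
    return b"tree " + new_tree + sep + rest


def run_gpg_verify(raw):
    """Replay git's verification step with the real gpg binary, if present.

    Assumed to mirror git's gpg-interface.c: the signature goes to a file,
    the payload to stdin. Returns gpg's exit status, or None when the commit
    is unsigned or gpg is not installed.
    """
    payload, signature = split_signed_commit(raw)
    if signature is None or shutil.which("gpg") is None:
        return None
    with tempfile.NamedTemporaryFile(suffix=".sig") as sig:
        sig.write(signature)
        sig.flush()
        proc = subprocess.run(
            ["gpg", "--status-fd=1", "--keyid-format=long", "--verify", sig.name, "-"],
            input=payload, capture_output=True)
    return proc.returncode


if __name__ == "__main__":
    payload, signature = split_signed_commit(SIGNED_COMMIT)
    print("commit id:", commit_id(SIGNED_COMMIT))
    print("bytes handed to gpg --verify:\n" + payload.decode())
    altered = tamper_tree(SIGNED_COMMIT, b"2" * 40)
    print("after pointing at another tree, commit id:", commit_id(altered))
    print("gpgsig header unchanged:", split_signed_commit(altered)[1] == signature)
    print("gpg exit status (None if gpg absent):", run_gpg_verify(SIGNED_COMMIT))
```

Editing a file in the working copy produces no new commit object, so nothing above changes and git show --show-signature keeps reporting the same verdict for the same HEAD; only a commit whose tree, parents, author, committer or message differ from what was signed fails verification, and the key the signature is checked against still has to be one you imported yourself.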