Hello!

So we sign Git commits, and now we want to authenticate Git checkouts. There’s a series of bad news.

First, ‘git pull’ doesn’t do it for you, you have to pass ‘--verify’ and there’s no way to set it globally.

Second, even if it did, it would be a shallow check: as Mike notes with the ‘signchk’ script, you actually have to traverse the whole commit history and authenticate them one by one. But that’s OK, it runs in presumably less than a minute on a repo the size of Guix’s, and we could also stop at signed tags to avoid redundant checks.

Third, as I wrote before¹, relying on the OpenPGP web of trust to determine whether a commit is “valid” is inappropriate: what we want to know is whether a commit was made by an authorized person, not whether it was made by someone who happens to have an OpenPGP key directly or indirectly certified. IOW, we want to know whether the key used to sign the commit is among the authorized developer keys.

Fourth, there’s inversion of control: ‘git log’ & co. call out to ‘gpg’, so if we want to do something different than just ‘gpg --verify’, we have to put some other ‘gpg’ script in $PATH. Blech.

Fifth, even if we did that, we’d be stuck parsing the possibly l10n’d output of ‘gpg’. Pretty fragile.

Sixth, OK, we’ll use libgit2, and write Guile bindings, maybe based on the CHICKEN bindings², easy! Well no, it turns out that libgit2³ has no support for signed commits (the ‘signature’ abstraction there has nothing to do with OpenPGP signatures).

Seventh, even if it did, what would we do with the raw ASCII-armored OpenPGP signature? GPG and GPGME are waaaay too high-level, so we’d need to implement OpenPGP (in Guile, maybe based on the OpenPGP library in Bigloo?)?!

I hope I’m just being negative and I missed an obvious solution or made wrong hypotheses. Please tell me! :-)

I stumbled upon git-lockup⁴, which uses something other than OpenPGP to sign objects in Git. However, signatures are not stored in commits but rather in “git notes”, which, IIUC, are mutable objects detached from the rest of the object store, so not great.

Cheers,
Ludo’.

¹ http://debbugs.gnu.org/cgi/bugreport.cgi?bug=22883#40
² http://wiki.call-cc.org/eggref/4/git
³ https://libgit2.github.com/libgit2/
⁴ https://github.com/warner/git-lockup
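The check the message above is asking for (walk the whole history, and accept a commit only if its signature verifies AND the signing key is on an allow-list of developer keys, regardless of web-of-trust validity), as an added example that is not part of Ludo’s message and not Guix’s own code. It assumes a newer Git whose pretty-format placeholders ‘%G?’ (signature status) and ‘%GF’ (signing-key fingerprint) are available, so Git does the OpenPGP work and the script only parses one fixed-format line per commit instead of gpg’s localized output. The fingerprints, commit hashes and sample log lines are constructed for illustration; the ‘git’ invocation only runs when a repository path is given on the command line.

```python
"""Authenticate a Git history against an allow-list of developer keys.

Added example, not code from the message above or from Guix.  Relies on
Git's '%G?' and '%GF' pretty-format placeholders (newer Git versions).
"""
import subprocess
import sys

# Constructed allow-list of developer key fingerprints (not real keys).
AUTHORIZED_KEYS = frozenset({
    "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555",
    "1234567890ABCDEF1234567890ABCDEF12345678",
})

# %G? codes meaning "the signature itself verified".  'U' is a good
# signature from a key with unknown web-of-trust validity; WoT validity
# is deliberately ignored here, only allow-list membership counts.
GOOD_SIGNATURE = {"G", "U"}

LOG_FORMAT = "%H %G? %GF"


def parse_log_line(line):
    """Split one '%H %G? %GF' line into (commit, status, fingerprint).
    %GF is empty for unsigned commits, so the third field may be absent."""
    parts = line.strip().split(" ", 2)
    if len(parts) < 2 or len(parts[0]) != 40:
        raise ValueError(f"malformed log line: {line!r}")
    commit, status = parts[0], parts[1]
    fingerprint = parts[2].strip().upper() if len(parts) == 3 else ""
    return commit, status, fingerprint


def check_commit(status, fingerprint, authorized=AUTHORIZED_KEYS):
    """Return None if the commit is authenticated, else a reason string."""
    if status == "N":
        return "unsigned"
    if status not in GOOD_SIGNATURE:
        # B = bad signature, E = cannot verify (missing key),
        # X/Y = expired signature/key, R = revoked key: all rejected.
        return f"signature not good (status {status})"
    if not fingerprint:
        return "good signature but no fingerprint reported"
    if fingerprint.upper() not in authorized:
        return f"signed by unauthorized key {fingerprint.upper()}"
    return None


def authenticate_history(log_lines, authorized=AUTHORIZED_KEYS):
    """Check every commit in the log; return [(commit, reason)] failures.
    An empty list means every commit in the range is authenticated."""
    failures = []
    for line in log_lines:
        if not line.strip():
            continue
        commit, status, fingerprint = parse_log_line(line)
        reason = check_commit(status, fingerprint, authorized)
        if reason is not None:
            failures.append((commit, reason))
    return failures


def git_log_lines(repo, rev_range="HEAD"):
    """Produce the log lines with git.  Pass 'TRUSTED_TAG..HEAD' as the
    range to stop at a tag already verified and skip the history behind it."""
    out = subprocess.run(
        ["git", "-C", repo, "log", f"--format={LOG_FORMAT}", rev_range],
        check=True, capture_output=True, text=True)
    return out.stdout.splitlines()


# Constructed sample output of 'git log --format="%H %G? %GF"':
# authorized G, authorized U (unknown WoT validity), good sig from a key
# that is NOT on the allow-list, bad signature, and an unsigned commit.
SAMPLE_LOG = """\
0123456789abcdef0123456789abcdef01234567 G AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555
89abcdef0123456789abcdef0123456789abcdef U 1234567890ABCDEF1234567890ABCDEF12345678
fedcba9876543210fedcba9876543210fedcba98 G 9999999999999999999999999999999999999999
1111111111111111111111111111111111111111 B AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555
2222222222222222222222222222222222222222 N""".splitlines()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        lines = git_log_lines(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "HEAD")
    else:
        lines = SAMPLE_LOG
    for commit, reason in authenticate_history(lines):
        print(f"{commit}: {reason}")
```

Run against a real checkout as ‘python3 authcheck.py /path/to/repo v0.12..HEAD’: the second argument implements the “stop at signed tags” idea from the message, so only commits after an already-authenticated tag are re-checked. Note that this still relies on Git calling out to gpg to produce the ‘%G?’ status, so the inversion-of-control complaint stands; what it removes is the need to parse gpg’s human-readable output.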