Hi,

Ludo' asked us to send some comments on how to verify git commits. I only had time to quickly browse the mail thread.

I would indeed suggest to use gpgv (or gpgv2, but I hope Guix has already moved to name gpg2 gpg) because we once wrote it for Debian. It has the simplest semantics and thus best fits your purpose. We use it in GnuPG itself for the speedo build system; it is sufficient to run this simple script:

--8<---------------cut here---------------start------------->8---
# $GPGV (the gpgv binary) and $distsigkey (a keyring holding only the
# release-signing keys) are set elsewhere in the speedo build.
if ! $GPGV --keyring "$distsigkey" swdb.lst.sig swdb.lst; then
  echo "list of software versions is not valid!" >&2
  exit 1
fi
--8<---------------cut here---------------end--------------->8---

In all other contexts I would suggest the use of GPGME to verify signatures, because GPGME also evaluates the trust and all the status lines gpg spits out. There are no issues with l10n because _all_ scripts SHOULD use gpg with the options --status-fd and --with-colons. That output creates a well defined API and we try very hard never to break it.

Mike Gerwitz's article is a bit of a long read right now. I have never looked into git to check whether git correctly calls gpg to verify signatures. That should eventually be done.

And yes, please sign your commits (I use an Ed25519 key stored on a Gnuk token; which works very well).

Shalom-Salam,

   Werner

--
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
/* EFH in Erkrath: https://alt-hochdahl.de/haus */
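The mail recommends driving gpg/gpgv from scripts through --status-fd rather than parsing localized text. The following is an added example, not code from the mail or from GnuPG: it consumes the "[GNUPG:]" status lines and accepts a signature only when VALIDSIG names a primary-key fingerprint on an explicit allowlist, with wrappers for a detached signature (as in the swdb.lst check) and for a git commit. The fingerprints, key IDs and status lines are constructed sample data.

```shell
# Added example, not code from Werner's mail or from GnuPG: consume the
# "[GNUPG:] ..." lines gpg/gpgv emit on --status-fd and accept a signature
# only if it is VALIDSIG from an allowlisted primary key. Fingerprints and
# status lines below are constructed sample data.

TRUSTED_FPRS='A1B2C3D4E5F60718293A4B5C6D7E8F9001122334
F0E1D2C3B4A5968778695A4B3C2D1E0FFEDCBA98'

# Reads status lines on stdin. Succeeds only when exactly one VALIDSIG was
# seen, its primary fingerprint is allowlisted, and no failure status
# appeared. GOODSIG alone is not enough: it carries only a key ID and user
# ID, and is printed for any key in the keyring, trusted or not.
check_status() {
    valid=0 bad=0 fpr=
    while IFS=' ' read -r prefix keyword rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case $keyword in
            VALIDSIG)  # ... <class> <primary-fpr>: take the last field
                valid=$((valid + 1))
                fpr=$(printf '%s\n' "$rest" | awk '{ print $NF }')
                ;;
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)
                bad=1
                ;;
        esac
    done
    [ "$bad" -eq 0 ] && [ "$valid" -eq 1 ] || return 1
    printf '%s\n' "$TRUSTED_FPRS" | grep -qx "$fpr"
}

# Same check as the swdb.lst script in the mail, driven by status lines:
# gpgv --status-fd 1 puts them on stdout, the human-readable text on stderr.
verify_detached() {  # verify_detached <keyring> <sigfile> <datafile>
    gpgv --status-fd 1 --keyring "$1" "$2" "$3" 2>/dev/null | check_status
}

# For a commit: "git verify-commit --raw" prints the raw gpg status lines
# on stderr, so swap the streams before feeding the checker.
verify_commit() {    # verify_commit <commit>
    git verify-commit --raw "$1" 2>&1 >/dev/null | check_status
}
# Constructed samples: a valid signature from the first trusted key, and a
# valid one from a key that is not on the allowlist.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 6D7E8F9001122334 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG A1B2C3D4E5F60718293A4B5C6D7E8F9001122334 2019-01-02 1546387200 0 4 0 22 8 01 A1B2C3D4E5F60718293A4B5C6D7E8F9001122334'
SAMPLE_UNTRUSTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1122334455667788 Someone Else <else@example.org>
[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2019-01-02 1546387200 0 4 0 22 8 01 1111222233334444555566667777888899990000'
```

Running `printf '%s\n' "$SAMPLE_GOOD" | check_status` succeeds while the untrusted sample is rejected even though gpg would report GOODSIG for it; the key point is that exit status and GOODSIG alone do not tell you which key signed.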