|author||Joey Hess||2018-05-18 11:26:10 -0400|
|committer||Joey Hess||2018-05-18 11:26:10 -0400|
use git verify-commit
Use git verify-commit to verify gpg signatures, rather than the old method of parsing git log output. These two methods should always have the same result. Note that git verify-commit allows signatures with unknown validity, the same as git log's "U" output which was accepted. So any key in the gpg keyring is allowed to sign the commit. Propellor provides gpg with a keyring containing only the allowed keys. Needs git 2.0, which is in even debian oldstable. This commit was sponsored by Ewen McNeill on Patreon.
Diffstat (limited to 'debian/changelog')
1 files changed, 2 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index bf4df720..c4707e71 100644
@@ -2,6 +2,8 @@ propellor (5.4.1) UNRELEASED; urgency=medium
* Modernized and simplified the MetaTypes implementation now that
compatability with ghc 7 is no longer needed.
+ * Use git verify-commit to verify gpg signatures, rather than the old
+ method of parsing git log output. Needs git 2.0.
-- Joey Hess <email@example.com> Fri, 18 May 2018 10:25:05 -0400