~bzr-pqm/bzr/bzr.dev

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
GnuPG Signatures
=============================

Reasons to Sign Your Repository
--------------------------------

Bazaar can sign revisions using GnuPG, a Free Software implementation of the
OpenPGP digital signature format.  By signing commits a person wanting to
make use of a branch can be confident where the code came from, assuming the
GnuPG keys used can be verified.  This could for example prevent worry about
compromised code in the case where a server hosting Bazaar branches has been
hacked into.  It could also be used to verify that all code is written by a
select group of people, such as if contributor agreements are needed.

Signatures are passed around with commits during branch, push, merge and other
operations.

Setting up GnuPG
----------------

There are many guides to creating a digital signature key with GnuPG.  See
for example the `GnuPG Handbook
<http://www.gnupg.org/gph/en/manual.html#AEN26>`_ or the `Launchpad Wiki
<https://help.launchpad.net/YourAccount/ImportingYourPGPKey>`_.


Signing Commits
---------------

To sign commits as they are made turn on the ``create_signatures``
configuration option in your ``bazaar.conf`` or ``locations.conf`` file::

  create_signatures = always

When you next make a commit it will ask for the pass phrase for your GnuPG key. 
If you want GnuPG to remember your password ensure you have ``gnupg-agent``
installed.

To sign previous commits to a branch use ``sign-my-commits``.  This will go
through all revisions in the branch and sign any which match your
commit name.  You can also pass the name of a contributor to ``sign-my-commits``
to sign someone else's commits or if your GnuPG key does not match your Bazaar
name and e-mail::

  bzr sign-my-commits . "Amy Pond <amy@example.com>"

It will not sign commits which already have a signature.

To sign a single commit or a range of commits use the (hidden) command
``re-sign``::

  bzr re-sign -r 24

``re-sign`` is also useful to change an existing signature.

By default Bazaar will tell GnuPG to use a key with the same user
identity as the one set with ``whoami``.  To override this set
``gpg_signing_key`` in bazaar.conf or locations.conf.

  ``gpg_signing_key=DD4D5088``

  ``gpg_signing_key=amy@example.com``

Verifying Commits
-----------------

Signatures can be verified with the ``bzr verify-signatures`` command.  By
default this will check all commits in the branch and notify that all commits
are signed by known trusted signatures.  If not all commits have trusted
signatures it will give a summary of the number of commits which are invalid,
having missing keys or are not signed.

The ``verify-signatures`` command can be given a comma separated list of key
patters to specify a list of acceptable keys.  It can also take a range of
commits to verify in the current branch.  Finally using the verbose option will
list each key that is valid or authors for commits which failed::

  $bzr verify-signatures -kamy -v -r 1..5
  1 commit with valid signature
    Amy Pond <amy@example.com> signed 4 commits
  0 commits with unknown keys
  1 commit not valid
    1 commit by author The Doctor <doctor@example.com>
  0 commits not signed

Work in Progress
----------------

There is still a number of digital signature related features which
are hoped to be added to Bazaar soon.  These include bzr explorer
integration and setting branches to require signatures.