From 22583c4992852fff08559c35fde7bf6f673d1644 Mon Sep 17 00:00:00 2001 From: Jason A. Donenfeld Date: Thu, 5 Jul 2018 02:38:33 +0200 Subject: cgitrc.5: add local tar signature example Signed-off-by: Jason A. Donenfeld --- cgitrc.5.txt | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/cgitrc.5.txt b/cgitrc.5.txt index 6b4efa2..34b351b 100644 --- a/cgitrc.5.txt +++ b/cgitrc.5.txt @@ -775,14 +775,25 @@ through use of git notes. For example, the following command may be used to add a signature to a .tar.xz archive: git notes --ref=refs/notes/signatures/tar.xz add -C "$( - gpg --output - --armor --detach-sign cgit-1.1.tar.xz | - git hash-object -w --stdin + gpg --output - --armor --detach-sign cgit-1.1.tar.xz | + git hash-object -w --stdin )" v1.1 If it is instead desirable to attach a signature of the underlying .tar, this will be linked, as a special case, beside a .tar.* link that does not have its -own signature. - +own signature. For example, a signature of a tarball of the latest tag might +be added with a similar command: + + tag="$(git describe --abbrev=0)" + git notes --ref=refs/notes/signatures/tar add -C "$( + git archive --format tar --prefix "cgit-${tag#v}/" "$tag" | + gpg --output - --armor --detach-sign | + git hash-object -w --stdin + )" "$tag" + +Since git-archive(1) is expected to produce stable output between versions, +this allows one to generate a long-term signature of the contents of a given +tag. EXAMPLE CGITRC FILE ------------------- -- cgit v1.2.3-54-g00ecf