On Tue, 28 Apr 2020, Santiago Torres-Arias wrote:
> > We also do something similar to pacman when verifying git tag signatures: https://gitweb.torproject.org/builders/rbm.git/commit/?id=e04f03f9626e993bb6...
>
> Cool!
>
> > However for the cases where we don't use a tag (in nightly builds), it sounds like push certificates could be useful to check that the commit we are using was intended for the branch we use. Is it something that we can do with push certificates?
>
> Yes, definitely! I can sketch something out to stir discussion. Would that be desirable? :)
That sounds interesting to me. It looks like an improvement we can add after we start using signed commits.
Maybe that is something that can be added in rbm as a new option to check the branch from push certificates.
Nicolas
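The branch check discussed above, as an added example that is not part of this thread and not rbm's code. It parses a certificate produced by `git push --signed` (layout as documented for git-receive-pack: header lines, a blank line, one `<old-oid> <new-oid> <ref>` line per ref, then the armored signature git appends), and answers the question from the thread: does this certificate say that the commit we are about to build was pushed as the new tip of the branch we use, on the repository we expect? The sample certificate, the repository URL, the commit ids and the signature placeholder are all constructed for illustration; the gpg call assumes gpg is installed and the pusher's key is in the keyring, and it mirrors how git itself verifies the appended detached signature (signature file against the payload before the `-----BEGIN PGP SIGNATURE-----` line).

```python
"""Check a git push certificate for "commit X was pushed to branch Y".

Added example for the rbm/push-certificate discussion; the certificate
format follows git's documentation, all sample values are made up.
"""
import re
import subprocess
import tempfile
from dataclasses import dataclass

SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
OID_RE = re.compile(r"[0-9a-f]{40}|[0-9a-f]{64}")   # sha1 or sha256 object ids


@dataclass
class PushCert:
    pusher: str
    pushee: str
    nonce: str
    updates: list       # (old_oid, new_oid, refname), one per pushed ref
    payload: bytes      # the bytes the signature covers
    signature: bytes    # armored detached signature appended by git


def parse_push_cert(text: str) -> PushCert:
    """Split a certificate into signed payload, signature and parsed fields."""
    if SIG_BEGIN not in text:
        raise ValueError("push certificate is not signed")
    payload, rest = text.split(SIG_BEGIN, 1)
    header, sep, body = payload.partition("\n\n")
    if not sep:
        raise ValueError("no blank line between header and ref updates")
    fields = {}
    for line in header.splitlines():
        key, _, value = line.partition(" ")
        fields[key] = value
    if fields.get("certificate") != "version 0.1":
        raise ValueError("unsupported certificate version: %r" % fields.get("certificate"))
    for key in ("pusher", "pushee", "nonce"):
        if not fields.get(key):
            raise ValueError("missing %s line" % key)
    updates = []
    for line in body.splitlines():
        if not line.strip():
            continue
        parts = line.split(" ")
        if len(parts) != 3 or not all(OID_RE.fullmatch(p) for p in parts[:2]):
            raise ValueError("malformed ref update line: %r" % line)
        updates.append(tuple(parts))
    if not updates:
        raise ValueError("certificate lists no ref updates")
    return PushCert(fields["pusher"], fields["pushee"], fields["nonce"], updates,
                    payload.encode(), (SIG_BEGIN + rest).encode())


def commit_pushed_to_branch(cert: PushCert, commit: str, branch: str, repo_url: str) -> bool:
    """True iff the certificate records `commit` as the new tip of
    refs/heads/<branch> on `repo_url`.  A commit that appears only as the old
    value, an update to a tag, or a branch deletion (new oid all zeros) does
    not count."""
    if cert.pushee != repo_url:
        return False
    wanted = "refs/heads/" + branch
    return any(ref == wanted and new == commit and set(new) != {"0"}
               for _old, new, ref in cert.updates)


def signature_is_from(cert: PushCert, trusted_fpr: str) -> bool:
    """Verify the appended signature with gpg and require a VALIDSIG line
    naming `trusted_fpr` (sub- or primary-key fingerprint).  Assumption: gpg
    is on PATH with the key imported; not exercised by the offline sample."""
    with tempfile.NamedTemporaryFile(suffix=".sig") as sig, \
            tempfile.NamedTemporaryFile(suffix=".payload") as data:
        sig.write(cert.signature)
        sig.flush()
        data.write(cert.payload)
        data.flush()
        proc = subprocess.run(
            ["gpg", "--batch", "--status-fd", "1", "--verify", sig.name, data.name],
            capture_output=True, text=True)
    want = trusted_fpr.replace(" ", "").upper()
    for line in proc.stdout.splitlines():
        tokens = line.split()
        if len(tokens) >= 3 and tokens[0] == "[GNUPG:]" and tokens[1] == "VALIDSIG":
            if want in (tokens[2].upper(), tokens[-1].upper()):
                return True
    return False


# Constructed sample certificate: the shape is git's, every value is made up,
# and the signature block is a placeholder standing in for gpg's output.
REPO_URL = "https://git.example.org/tor-browser-build.git"
COMMIT = "9f1c2f4d8e7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c"
SAMPLE_CERT = """certificate version 0.1
pusher Example Builder <builder@example.org> 1588068000 +0200
pushee https://git.example.org/tor-browser-build.git
nonce 1588068000-0123456789abcdef0123456789abcdef01234567

1111111111111111111111111111111111111111 {commit} refs/heads/master
2222222222222222222222222222222222222222 3333333333333333333333333333333333333333 refs/heads/maint-9.0
0000000000000000000000000000000000000000 4444444444444444444444444444444444444444 refs/tags/example-build1
5555555555555555555555555555555555555555 0000000000000000000000000000000000000000 refs/heads/old-branch
-----BEGIN PGP SIGNATURE-----

placeholder: a real certificate carries gpg's armored signature here
-----END PGP SIGNATURE-----
""".format(commit=COMMIT)


if __name__ == "__main__":
    cert = parse_push_cert(SAMPLE_CERT)
    print("pusher:", cert.pusher)
    for old, new, ref in cert.updates:
        print("  %s -> %s  %s" % (old[:7], new[:7], ref))
    print("commit intended for master:",
          commit_pushed_to_branch(cert, COMMIT, "master", REPO_URL))
```

Two caveats a consumer of these certificates needs. Git does not keep push certificates anywhere by itself: the receiving side has to save `$GIT_PUSH_CERT` from a pre-receive or post-receive hook (and only after checking `$GIT_PUSH_CERT_STATUS` and `$GIT_PUSH_CERT_NONCE_STATUS` there), so the build machine has to fetch the stored certificate out of band before it can run a check like this. And a valid certificate only proves that the key holder once pushed that commit to that branch; for a nightly that is supposed to track the tip, the build also has to establish that this is the certificate for the most recent push, otherwise an attacker who can serve an old commit can serve its old, still-valid certificate alongside it.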