--signed for git push:
"git push" learned "--signed" push, that allows a push (i.e.
request to update the refs on the other side to point at a new
history, together with the transmission of necessary objects) to be
signed, so that it can be verified and audited, using the GPG
signature of the person who pushed, that the tips of branches at a
public repository really point the commits the pusher wanted to,
without having to "trust" the server.
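It sounds like the data is signed as it is sent to the server during the push, so that the server can verify and log who performed the push. You can confirm this in the man page: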
--signed
GPG-sign the push request to update refs on the receiving side,
to allow it to be checked by the hooks and/or be logged. See
git-receive-pack[1] for the details on the receiving end.
You have to look at the pre-receive and post-receive hooks sections of the git-receive-pack page to see how to verify a signed push.
It seems that all of this helps the server verify that the pusher is who they claim to be.
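How does git push --signed help you (the pusher) not have to "trust" the server? Everything I have seen so far suggests that it helps the server trust you. More importantly, why are signed commits and signed tags not enough for pushing to an untrusted server? Why do we need signed pushes?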
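
The receiving-side check that the man page excerpt points to, as an added example that is not part of the original post: a pre-receive hook that rejects unsigned or badly signed pushes and logs the push certificate. The GIT_PUSH_CERT* variables are the ones git-receive-pack exports to hooks; PUSH_AUDIT_LOG and the function names are assumptions made for this example.

```shell
#!/bin/sh
# pre-receive hook (added example, not from the original post).
# Assumes the server has receive.certNonceSeed configured, so that
# git-receive-pack accepts signed pushes and exports GIT_PUSH_CERT*.

# Decide whether the push certificate is acceptable.
# Prints the reason on rejection; returns 0 to accept, 1 to reject.
push_cert_ok() {
    if [ -z "${GIT_PUSH_CERT:-}" ]; then
        echo "push is not signed (use: git push --signed)"
        return 1
    fi
    # Same mnemonics as %G? in git log: only G (good signature) passes here.
    if [ "${GIT_PUSH_CERT_STATUS:-N}" != "G" ]; then
        echo "push certificate signature status is ${GIT_PUSH_CERT_STATUS:-N}"
        return 1
    fi
    # The nonce ties the certificate to this session, so an old
    # certificate cannot be replayed against the server.
    if [ "${GIT_PUSH_CERT_NONCE_STATUS:-MISSING}" != "OK" ]; then
        echo "push certificate nonce is ${GIT_PUSH_CERT_NONCE_STATUS:-MISSING}"
        return 1
    fi
    return 0
}

# One line of audit metadata: time, signer, key id, certificate blob id.
audit_line() {
    printf '%s signer=%s key=%s cert=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "${GIT_PUSH_CERT_SIGNER:-}" "${GIT_PUSH_CERT_KEY:-}" "${GIT_PUSH_CERT:-}"
}

main() {
    if ! reason=$(push_cert_ok); then
        echo "rejected: $reason" >&2
        exit 1
    fi
    # Keep the certificate text itself: it carries the signed
    # "old new ref" lines, which is what makes the log auditable.
    {
        audit_line
        git cat-file blob "$GIT_PUSH_CERT"
    } >> "${PUSH_AUDIT_LOG:-push-certs.log}"   # hypothetical log location
}

# Run only when installed as hooks/pre-receive.
case "${0##*/}" in pre-receive) main ;; esac
```
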