<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>GnuPG Signatures — Bazaar 2.6.0 documentation</title> <link rel="stylesheet" href="../_static/default.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', VERSION: '2.6.0', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', HAS_SOURCE: true }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="shortcut icon" href="../_static/bzr.ico"/> <link rel="top" title="Bazaar 2.6.0 documentation" href="../index.html" /> <link rel="up" title="Bazaar User Guide" href="index.html" /> <link rel="next" title="BzrTools" href="bzrtools_plugin.html" /> <link rel="prev" title="Exporting version information" href="version_info.html" /> </head> <body> <div class="related"> <h3>Navigation</h3> <ul> <li class="right" style="margin-right: 10px"> <a href="bzrtools_plugin.html" title="BzrTools" accesskey="N">next</a></li> <li class="right" > <a href="version_info.html" title="Exporting version information" accesskey="P">previous</a> |</li> <li><a href="http://bazaar.canonical.com/"> <img src="../_static/bzr icon 16.png" /> Home</a> | </li> <a href="http://doc.bazaar.canonical.com/en/">Documentation</a> | </li> <li><a href="../index.html">Table of Contents (2.6.0)</a> »</li> <li><a href="index.html" accesskey="U">Bazaar User Guide</a> »</li> </ul> </div> <div class="document"> <div class="documentwrapper"> <div class="bodywrapper"> <div class="body"> <div class="section" id="gnupg-signatures"> <h1>GnuPG Signatures<a class="headerlink" href="#gnupg-signatures" title="Permalink to this headline">¶</a></h1> <div class="section" id="reasons-to-sign-your-repository"> <h2>Reasons to Sign Your Repository<a class="headerlink" href="#reasons-to-sign-your-repository" title="Permalink to this headline">¶</a></h2> <p>Bazaar can sign revisions using GnuPG, a Free Software implementation of the OpenPGP digital signature format. By signing commits a person wanting to make use of a branch can be confident where the code came from, assuming the GnuPG keys used can be verified. This could for example prevent worry about compromised code in the case where a server hosting Bazaar branches has been hacked into. It could also be used to verify that all code is written by a select group of people, such as if contributor agreements are needed.</p> <p>Signatures are passed around with commits during branch, push, merge and other operations.</p> </div> <div class="section" id="setting-up-gnupg"> <h2>Setting up GnuPG<a class="headerlink" href="#setting-up-gnupg" title="Permalink to this headline">¶</a></h2> <p>There are many guides to creating a digital signature key with GnuPG. See for example the <a class="reference external" href="http://www.gnupg.org/gph/en/manual.html#AEN26">GnuPG Handbook</a> or the <a class="reference external" href="https://help.launchpad.net/YourAccount/ImportingYourPGPKey">Launchpad Wiki</a>.</p> </div> <div class="section" id="signing-commits"> <h2>Signing Commits<a class="headerlink" href="#signing-commits" title="Permalink to this headline">¶</a></h2> <p>To sign commits as they are made turn on the <tt class="docutils literal"><span class="pre">create_signatures</span></tt> configuration option in your <tt class="docutils literal"><span class="pre">bazaar.conf</span></tt> or <tt class="docutils literal"><span class="pre">locations.conf</span></tt> file:</p> <div class="highlight-python"><div class="highlight"><pre><span class="n">create_signatures</span> <span class="o">=</span> <span class="n">always</span> </pre></div> </div> <p>When you next make a commit it will ask for the pass phrase for your GnuPG key. If you want GnuPG to remember your password ensure you have <tt class="docutils literal"><span class="pre">gnupg-agent</span></tt> installed.</p> <p>To sign previous commits to a branch use <tt class="docutils literal"><span class="pre">sign-my-commits</span></tt>. This will go through all revisions in the branch and sign any which match your commit name. You can also pass the name of a contributor to <tt class="docutils literal"><span class="pre">sign-my-commits</span></tt> to sign someone else’s commits or if your GnuPG key does not match your Bazaar name and e-mail:</p> <div class="highlight-python"><pre>bzr sign-my-commits . "Amy Pond <amy@example.com>"</pre> </div> <p>It will not sign commits which already have a signature.</p> <p>To sign a single commit or a range of commits use the (hidden) command <tt class="docutils literal"><span class="pre">re-sign</span></tt>:</p> <div class="highlight-python"><pre>bzr re-sign -r 24</pre> </div> <p><tt class="docutils literal"><span class="pre">re-sign</span></tt> is also useful to change an existing signature.</p> <p>By default Bazaar will tell GnuPG to use a key with the same user identity as the one set with <tt class="docutils literal"><span class="pre">whoami</span></tt>. To override this set <tt class="docutils literal"><span class="pre">gpg_signing_key</span></tt> in bazaar.conf or locations.conf.</p> <blockquote> <div><p><tt class="docutils literal"><span class="pre">gpg_signing_key=DD4D5088</span></tt></p> <p><tt class="docutils literal"><span class="pre">gpg_signing_key=amy@example.com</span></tt></p> </div></blockquote> </div> <div class="section" id="verifying-commits"> <h2>Verifying Commits<a class="headerlink" href="#verifying-commits" title="Permalink to this headline">¶</a></h2> <p>Signatures can be verified with the <tt class="docutils literal"><span class="pre">bzr</span> <span class="pre">verify-signatures</span></tt> command. By default this will check all commits in the branch and notify that all commits are signed by known trusted signatures. If not all commits have trusted signatures it will give a summary of the number of commits which are invalid, having missing keys or are not signed.</p> <p>The <tt class="docutils literal"><span class="pre">verify-signatures</span></tt> command can be given a comma separated list of key patters to specify a list of acceptable keys. It can also take a range of commits to verify in the current branch. Finally using the verbose option will list each key that is valid or authors for commits which failed:</p> <div class="highlight-python"><pre>$bzr verify-signatures -kamy -v -r 1..5 1 commit with valid signature Amy Pond <amy@example.com> signed 4 commits 0 commits with unknown keys 1 commit not valid 1 commit by author The Doctor <doctor@example.com> 0 commits not signed</pre> </div> </div> <div class="section" id="work-in-progress"> <h2>Work in Progress<a class="headerlink" href="#work-in-progress" title="Permalink to this headline">¶</a></h2> <p>There is still a number of digital signature related features which are hoped to be added to Bazaar soon. These include bzr explorer integration and setting branches to require signatures.</p> </div> </div> </div> </div> </div> <div class="sphinxsidebar"> <div class="sphinxsidebarwrapper"> <h3><a href="../index.html">Table Of Contents</a></h3> <ul> <li><a class="reference internal" href="#">GnuPG Signatures</a><ul> <li><a class="reference internal" href="#reasons-to-sign-your-repository">Reasons to Sign Your Repository</a></li> <li><a class="reference internal" href="#setting-up-gnupg">Setting up GnuPG</a></li> <li><a class="reference internal" href="#signing-commits">Signing Commits</a></li> <li><a class="reference internal" href="#verifying-commits">Verifying Commits</a></li> <li><a class="reference internal" href="#work-in-progress">Work in Progress</a></li> </ul> </li> </ul> <h4>Previous topic</h4> <p class="topless"><a href="version_info.html" title="previous chapter">Exporting version information</a></p> <h4>Next topic</h4> <p class="topless"><a href="bzrtools_plugin.html" title="next chapter">BzrTools</a></p> <h3>This Page</h3> <ul class="this-page-menu"> <li><a href="../_sources/user-guide/gpg_signatures.txt" rel="nofollow">Show Source</a></li> </ul> <div id="searchbox" style="display: none"> <h3>Quick search</h3> <form class="search" action="../search.html" method="get"> <input type="text" name="q" /> <input type="submit" value="Go" /> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> <p class="searchtip" style="font-size: 90%"> Enter search terms or a module, class or function name. </p> </div> <script type="text/javascript">$('#searchbox').show(0);</script> </div> </div> <div class="clearer"></div> </div> <div class="related"> <h3>Navigation</h3> <ul> <li class="right" style="margin-right: 10px"> <a href="bzrtools_plugin.html" title="BzrTools" >next</a></li> <li class="right" > <a href="version_info.html" title="Exporting version information" >previous</a> |</li> <li><a href="http://bazaar.canonical.com/"> <img src="../_static/bzr icon 16.png" /> Home</a> | </li> <a href="http://doc.bazaar.canonical.com/en/">Documentation</a> | </li> <li><a href="../index.html">Table of Contents (2.6.0)</a> »</li> <li><a href="index.html" >Bazaar User Guide</a> »</li> </ul> </div> <div class="footer"> © Copyright 2009-2011 Canonical Ltd. Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 1.1.3. </div> </body> </html>