On Tue, Aug 11, 2015 at 10:53 AM, Matthias Maier <tam...@gentoo.org> wrote:
>
>> constantly adds any security to the tree. What might add security for
>> end-users is if git automatically checked the push signatures, which
>> are the signatures that ensure that branches aren't tampered with
>> (which is what rebasing you bring up actually does).
>
> It is news to me that a signature from a push is also transported to a
> subsequent pull request for a client, do you have some external
> references for this procedure?
>

They're stored in the tree under the ref refs/push-certs. I have no
idea how to go about verifying them - they're pretty new so there
aren't a lot of docs. I had no idea they were even there until Robin
answered a similar question I asked him.

git ls-remote for those curious about what other refs are lying around.

--
Rich
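
Added example, not part of the original message and not Gentoo's or git's own code: a sketch that parses a push certificate and checks that the branch tips listed by `git ls-remote` are the ones the pusher signed. It assumes the certificate text has already been extracted from whatever is stored under refs/push-certs (the storage layout is not described in this message), that it follows git's "certificate version 0.1" format, and that the GPG signature is verified separately; all function names and sample values are constructed.

```python
import re

ZERO = "0" * 40  # an all-zero new id in a certificate means the ref was deleted
CMD = re.compile(r"^([0-9a-f]{40}) ([0-9a-f]{40}) (\S+)$")

def parse_push_cert(text):
    """Return (header fields, {ref: (old_id, new_id)}) from certificate text."""
    head, _, body = text.partition("\n\n")
    lines = head.splitlines()
    if not lines or lines[0] != "certificate version 0.1":
        raise ValueError("not a version 0.1 push certificate")
    header = {}
    for line in lines[1:]:
        key, _, value = line.partition(" ")
        header.setdefault(key, []).append(value)
    updates = {}
    for line in body.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break  # signature block: verify it separately with gpg
        m = CMD.match(line)
        if not m:
            raise ValueError(f"malformed command line: {line!r}")
        updates[m.group(3)] = (m.group(1), m.group(2))
    return header, updates

def parse_ls_remote(output):
    """Map ref name -> object id from `git ls-remote` output (id TAB ref)."""
    return {name: oid for oid, _, name in
            (l.partition("\t") for l in output.splitlines() if l)}

def mismatches(updates, advertised):
    """Refs whose advertised tip is not the new id the pusher signed."""
    return sorted(ref for ref, (_old, new) in updates.items()
                  if advertised.get(ref, ZERO) != new)

# Constructed sample data: placeholder ids, identity, URL, nonce and signature.
A, B = "a" * 40, "b" * 40
SAMPLE_CERT = (
    "certificate version 0.1\n"
    "pusher Example Dev <dev@example.org> 1439300000 +0000\n"
    "pushee git://git.example.org/repo.git\n"
    "nonce 1439300000-constructednonce\n"
    "\n"
    f"{A} {B} refs/heads/master\n"
    "-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n"
)
SAMPLE_LS_REMOTE = f"{B}\tHEAD\n{B}\trefs/heads/master\n{A}\trefs/push-certs\n"
if __name__ == "__main__":
    print(mismatches(parse_push_cert(SAMPLE_CERT)[1], parse_ls_remote(SAMPLE_LS_REMOTE)))
```

Only the most recent certificate for a given ref is expected to match the current tip; older certificates describe earlier pushes.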