9

The usual workflow is git tag verify.

```bash
git tag -v tagname
```

Then git tag checkout.

```bash
git checkout tagname
```

Is there a combined command that verifies the tag, shows the verification, and checks it out if verification succeeded?

Zoe
adrelanos
  • Tried setting up an alias in your `.gitconfig` to chain the commands in your workflow? – miqh Sep 22 '14 at 03:11
  • It would be important to see if the tag verification actually worked. – adrelanos Sep 22 '14 at 03:20
  • Seems like you might be able to lean on the return code of `git verify-tag` (cf. http://stackoverflow.com/questions/8010472/git-verify-trusted-tags) for this. – miqh Sep 22 '14 at 03:31
  • Is it possible to tie it to a key fingerprint? Otherwise any trusted key in the keyring would be able to create a legit signature? – adrelanos Sep 22 '14 at 04:17
  • You could use the `post-checkout` hook to check if the refspec is a tag and verify it there, and fail verbosely if it is invalid. – Phillip Apr 10 '15 at 11:35

1 Answer

5

In a bash shell:

```bash
git tag -v tagname && git checkout tagname
```

That would only work if the first command succeeds.

That can be part, for instance, of a post-receive hook.
Or it can be made an independent command:

Even on Windows, a script named `git-ctag` (put anywhere in the `%PATH%`) would enable you to type `git ctag <atag>`, which would check out the tag only if the verification step passes.

```bash
#!/bin/bash
# Check out the tag only if its signature verifies.
git tag -v "$1" && git checkout "$1"
```
Community
VonC
  • How to check, that the signature was made by an accepted/valid OpenPGP fingerprint? – adrelanos Apr 13 '15 at 23:41
  • @adrelanos you can use `git verify-tag` (http://git-scm.com/docs/git-verify-tag), as in http://stackoverflow.com/q/8010472/6309 – VonC Apr 14 '15 at 06:07
  • One problem, it's only using short OpenPGP fingerprints, which are not safe and doesn't allow passing extra options to gnupg. – adrelanos Apr 14 '15 at 09:50
  • @adrelanos nothing in https://github.com/git/git/blob/18d0fec24027ac226dc2c4df2b955eef2a16462a/builtin/verify-tag.c suggests that short OpenPGP fingerprints are used though. Where did you see that? – VonC Apr 14 '15 at 11:09
  • @adrelanos actually, the code that could use short or long fingerprint would be https://github.com/git/git/blob/63a45136a329bab550425c3142db6071434d935e/gpg-interface.c. – VonC Apr 14 '15 at 11:13
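The fingerprint pinning asked about in the comments, as an added example that is not part of the original answer or of Git: it extends the `git-ctag` script so that a valid signature from any key in the keyring is not enough. The names `sig_is_allowed`, `git_ctag` and `ALLOWED_FPRS` are hypothetical, the fingerprint is a constructed placeholder, and a Git version that supports `git verify-tag --raw` is assumed.

```bash
#!/bin/bash
# Added example (not from the original answer): check out a tag only if its
# signature is valid AND was made by a pinned full-length fingerprint.

# Constructed placeholder: replace with the 40-hex-digit fingerprint(s) you trust.
ALLOWED_FPRS="0123456789ABCDEF0123456789ABCDEF01234567"

# Hypothetical helper. Reads GnuPG status lines on stdin and succeeds only if a
# VALIDSIG line names an allowed fingerprint, either as the signing (sub)key
# (field 3) or as the primary key (last field).
sig_is_allowed() {
    awk -v allowed="$*" '
        BEGIN { n = split(toupper(allowed), a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if ((toupper($3) in ok) || (toupper($NF) in ok)) found = 1
        }
        END { exit !found }
    '
}

git_ctag() {
    local tag=$1 obj status
    # Resolve the name once as a tag ref, so a branch of the same name is never used.
    obj=$(git rev-parse --verify --quiet "refs/tags/$tag") ||
        { echo "no such tag: $tag" >&2; return 1; }
    # --raw makes git print gpg's machine-readable status lines on stderr.
    status=$(git verify-tag --raw "$obj" 2>&1) ||
        { echo "signature verification failed for $tag" >&2; return 1; }
    # ALLOWED_FPRS is left unquoted on purpose: one argument per fingerprint.
    printf '%s\n' "$status" | sig_is_allowed $ALLOWED_FPRS ||
        { echo "tag $tag is not signed by a pinned key" >&2; return 1; }
    git verify-tag "$obj"            # show the human-readable verification
    git checkout "$obj^{commit}"     # detached HEAD at the verified commit
}

# Run as: git-ctag <tagname>
if [ "$#" -gt 0 ]; then git_ctag "$1"; fi
```

Because the comparison is against the whole `VALIDSIG` fingerprint, a short or long key ID that merely appears in a `GOODSIG` line never satisfies the check.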