
View git pgp sigs in a commit without gpg installed

In some cases I will be using a system that does not have gpg installed and I do not want to take the time to set it up and get the pub key installed. I would like to just view the signature on the commit and copy it to another system to validate it. I cannot seem to find a way to view the signature without gpg being installed. Git only gives an error that gpg is not installed whenever I try to use any of the git commands to view it.

Is there a way to view git pgp signed commits with the pgp signature intact without having gpg installed on the system?

I have been looking everywhere for an answer to this and have not found anything of use. Thanks for any help or pointers you can provide.


Answer

Reading and verifying signatures

Is there a way to view git pgp signed commits with the pgp signature intact without having gpg installed on the system?

I wouldn’t expect so. If you want to see details, you’re required to at least have a parser for reading the OpenPGP packets and a full implementation for fetching information from the keys belonging to the; GnuPG is pretty much the only relevant free software OpenPGP implementation (apart from maybe libraries for the Go language and Bouncy Castle for Java/C#). While there is a stripped-down implementation gpgv for only validating signatures, it is not interfaced by git and you’d have to install additional software (a stripped-down GnuPG package), anyway.

Furthermore, OpenPGP signatures do not include the certificate (public key). To actually view the signatures, you’d have to fetch them — also something performed by GnuPG. Finally, to actually verify the signatures on another device, you’d not only need the signatures, but also the signed-off data (thus, the git catalogue).

Installing GnuPG is not a hassle

I’m surprised there is a Linux distribution not having GnuPG installed by default; most package managers use it to verify packages, and it should be available in pretty much all distributions’ software repositories.

Experiments with a “stub GnuPG”

I unsuccessfully tried a hack for exporting/dumping the signatures git wants to verify (a script named gpg in the $PATH dumping input), but it looks like git is doing some further checks or communication.

User contributions licensed under: CC BY-SA
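
For the case discussed above, copying a commit's signature to another machine together with the data it signs, the following added example (not part of the original question or answer) splits a raw commit object, as printed by `git cat-file commit <rev>`, into the armored signature and the signed payload using only awk. The function names are hypothetical, and the sample commit and its signature text are constructed placeholders.

```shell
#!/bin/sh
# Added example: split a raw commit object (stdin) into its OpenPGP signature
# and the payload the signature covers. Needs awk only, not gpg.
# Function names are hypothetical; the sample commit below is constructed.

# Print the ASCII-armored signature stored in the "gpgsig" header.
extract_sig() {
    awk '
        body          { next }                  # commit message: ignore
        /^$/          { body = 1; next }        # first empty line ends headers
        /^gpgsig /    { insig = 1; print substr($0, 8); next }
        insig && /^ / { print substr($0, 2); next }  # continuation line
                      { insig = 0 }
    '
}

# Print the commit with the gpgsig header removed: the bytes that were signed.
extract_payload() {
    awk '
        body          { print; next }           # message is copied untouched
        /^$/          { body = 1; print; next }
        /^gpgsig /    { insig = 1; next }
        insig && /^ / { next }
                      { insig = 0; print }
    '
}

# Constructed sample; the signature text is a placeholder, not a real one.
sample_commit() {
    printf '%s\n' \
        'tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904' \
        'author A U Thor <author@example.com> 1700000000 +0000' \
        'committer A U Thor <author@example.com> 1700000000 +0000' \
        'gpgsig -----BEGIN PGP SIGNATURE-----' \
        ' ' \
        ' CONSTRUCTED+PLACEHOLDER+NOT+A+REAL+SIGNATURE' \
        ' -----END PGP SIGNATURE-----' \
        '' \
        'Add feature' \
        '' \
        'gpgsig lines in the message body are left alone'
}

# On the machine without gpg:
#   git cat-file commit HEAD | extract_sig     > commit.sig
#   git cat-file commit HEAD | extract_payload > commit.payload
# On the machine with gpg and the signer's public key:
#   gpg --verify commit.sig commit.payload
```

Write both outputs to files with redirection rather than capturing them in shell variables, because command substitution strips trailing newlines and changes the signed bytes.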