cgitrc.5: add local tar signature example

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
author: Jason A. Donenfeld 2018-07-05 02:38:33 +0200
committer: Jason A. Donenfeld 2018-07-05 02:40:48 +0200
commit: 22583c4992852fff08559c35fde7bf6f673d1644 (patch)
tree: 269818f1b13ea032e246f0cd1cb932770d2ed5d3
parent: 08a2b1b8f812c6d77489467c8ff120979c297bed (diff)
download: cgit-22583c4992852fff08559c35fde7bf6f673d1644.tar.gz
cgit-22583c4992852fff08559c35fde7bf6f673d1644.tar.bz2
cgit-22583c4992852fff08559c35fde7bf6f673d1644.zip
1 files changed, 15 insertions, 4 deletions
diff --git a/cgitrc.5.txt b/cgitrc.5.txt
index 6b4efa2..34b351b 100644
--- a/cgitrc.5.txt
+++ b/cgitrc.5.txt
@@ -775,14 +775,25 @@ through use of git notes. For example, the following command may be used to
 add a signature to a .tar.xz archive:
    git notes --ref=refs/notes/signatures/tar.xz add -C "$(
-            gpg --output - --armor --detach-sign cgit-1.1.tar.xz |
+        gpg --output - --armor --detach-sign cgit-1.1.tar.xz |
-            git hash-object -w --stdin
+        git hash-object -w --stdin
    )" v1.1
 If it is instead desirable to attach a signature of the underlying .tar, this
 will be linked, as a special case, beside a .tar.* link that does not have its
-own signature.
+own signature. For example, a signature of a tarball of the latest tag might
+be added with a similar command:
+    tag="$(git describe --abbrev=0)"
+    git notes --ref=refs/notes/signatures/tar add -C "$(
+        git archive --format tar --prefix "cgit-${tag#v}/" "$tag" |
+        gpg --output - --armor --detach-sign |
+        git hash-object -w --stdin
+    )" "$tag"
+Since git-archive(1) is expected to produce stable output between versions,
+this allows one to generate a long-term signature of the contents of a given
+tag.
 EXAMPLE CGITRC FILE
 -------------------
author	Jason A. Donenfeld	2018-07-05 02:38:33 +0200
committer	Jason A. Donenfeld	2018-07-05 02:40:48 +0200
commit	22583c4992852fff08559c35fde7bf6f673d1644 (patch)
tree	269818f1b13ea032e246f0cd1cb932770d2ed5d3
parent	08a2b1b8f812c6d77489467c8ff120979c297bed (diff)
download	cgit-22583c4992852fff08559c35fde7bf6f673d1644.tar.gz cgit-22583c4992852fff08559c35fde7bf6f673d1644.tar.bz2 cgit-22583c4992852fff08559c35fde7bf6f673d1644.zip

diff --git a/cgitrc.5.txt b/cgitrc.5.txt index 6b4efa2..34b351b 100644 --- a/cgitrc.5.txt +++ b/cgitrc.5.txt
@@ -775,14 +775,25 @@ through use of git notes. For example, the following command may be used to
775	add a signature to a .tar.xz archive:	775	add a signature to a .tar.xz archive:
776		776
777	git notes --ref=refs/notes/signatures/tar.xz add -C "$(	777	git notes --ref=refs/notes/signatures/tar.xz add -C "$(
778	gpg --output - --armor --detach-sign cgit-1.1.tar.xz \|	778	gpg --output - --armor --detach-sign cgit-1.1.tar.xz \|
779	git hash-object -w --stdin	779	git hash-object -w --stdin
780	)" v1.1	780	)" v1.1
781		781
782	If it is instead desirable to attach a signature of the underlying .tar, this	782	If it is instead desirable to attach a signature of the underlying .tar, this
783	will be linked, as a special case, beside a .tar.* link that does not have its	783	will be linked, as a special case, beside a .tar.* link that does not have its
784	own signature.	784	own signature. For example, a signature of a tarball of the latest tag might
785		785	be added with a similar command:
		786
		787	tag="$(git describe --abbrev=0)"
		788	git notes --ref=refs/notes/signatures/tar add -C "$(
		789	git archive --format tar --prefix "cgit-${tag#v}/" "$tag" \|
		790	gpg --output - --armor --detach-sign \|
		791	git hash-object -w --stdin
		792	)" "$tag"
		793
		794	Since git-archive(1) is expected to produce stable output between versions,
		795	this allows one to generate a long-term signature of the contents of a given
		796	tag.
786		797
787	EXAMPLE CGITRC FILE	798	EXAMPLE CGITRC FILE
788	-------------------	799	-------------------