test-sig

tree 10c18534357cbe9ec3ffc3814af5e141189cc102
parent 2ea8e2411c25000185acdebc62eaa8b657ef093e
author stackdump <myork@stackdump.com> 1559241822 -0500
committer stackdump <myork@stackdump.com> 1559241822 -0500
gpgsig -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEE7Jdzt+QOUM4vSxEFHicSreJ7DwYFAlzwJGYACgkQHicSreJ7
 DwYC0Q/+JV3OHp9/ALUIeZELO/+WRIAtxanupIPDw97KAspclpnHxbfWPEpZK6JL
 k2oyAfwbz5nyz1L+vbUnRBnmzTehjaUq+Sh9S3dYjXsBN0GMeiEb7H/Igs9FKTpQ
 SmdX9F0yQRocypFrbGN52Ig9bpH6YDfUxxQs9uC/sHlita59emMgenp6Y6o9ujn6
 qceNgoaZ6YSR1P7TytuJV9cOLXglYx7M42BgaC6APhcRyj+VcyBmT0EB333VYi5O
 bPhtl5J9iWtVBx+X2Ahx59k44Lt5UsCPDwQ+WKR/OPGpSD9iyXLDHOLCoSqtrLth
 ZtWa7oKyLwmnHA7V3AAgVIO1Ir+AOJQs0VnUkf7zu2Beuz7L1D5/sHQuNWYDrBTF
 3O6Zz00gQJ8E42ceZFDVqwyWzeE/wexM5AFYHPzeh57l2ygPYsIPAUeHxHCpCM8B
 dOAuQZ3YW/dHT+9Kyj+rhwzpwNeFW3rHR2f47B6u2EoTafaf8iPJAsqnN9yymEVX
 1wG8Hi/ypyBAL+971elvgEh/9T2Y3hcQ37ScnEOYQvIOfJZmKQcKoHFT0db9BvPt
 PNl8C0j1c84uFVAsv8C1a1BXz9ITjZcqPFhk6vIckU7e4nagHR4Yyk6GJspRg9g9
 FkLqqsXTsDoP1F3EP8LDNwdbNDUomNJzxTTLC4kw1+PwYNEi/AY=
 =P46z
 -----END PGP SIGNATURE-----

signed

verify.sh

#git cat-file commit HEAD > signed-commit
cat test-sig > signed-commit
grep -B 9999 'BEGIN PGP SIGNATURE-----' signed-commit | head -n -1 > signed-commit.stripped
grep -A 9999 'END PGP SIGNATURE-----' signed-commit | tail -n +2 >> signed-commit.stripped
sed 's/^gpgsig //' signed-commit | sed 's/^ //' > signed-commit.sig
gpg --verify signed-commit.sig signed-commit.stripped 

Basically this just strips out the signature + the ascii armor
the rest of the data is what has been signed

NOTICE: the sha1 hash of the commit is present (because we can't know it's checksum before we sign )