isomorphic-git

isomorphic-git

  • API Docs
  • Guide
  • Blog
  • GitHub
  • npm

›Repository

All Commands

  • Alphabetical Index
  • Error Code Index

Repository

  • init
  • clone
  • commit
  • log
  • config
  • fetch
  • checkout
  • push
  • pull
  • merge
  • walkBeta1
  • verify

Files

  • add
  • remove
  • listFiles
  • status

Branches

  • currentBranch
  • branch
  • deleteBranch
  • listBranches

Tags

  • tag
  • annotatedTag
  • deleteTag
  • listTags

Remotes

  • getRemoteInfo
  • addRemote
  • deleteRemote
  • listRemotes

Plugins

  • credentialManager
  • emitter
  • fs
  • http
  • pgp

Plumbing Commands

  • findRoot
  • expandRef
  • expandOid
  • resetIndex
  • resolveRef
  • writeRef
  • deleteRef
  • readObject
  • writeObject
  • statusMatrix
  • isDescendent
  • indexPack

Misc Commands

  • version

Deprecated Commands

  • utils.auth
  • utils.oauth2
  • sign
Edit

verify

Verify a signed commit

paramtype [= default]description
fs [deprecated]FSModuleThe filesystem containing the git repo. Overrides the fs provided by the plugin system.
dir, gitdirstring, stringThe working tree directory path, and optionally the git directory path
openpgpOpenPGP interfaceAn instance of the OpenPGP library.
refstringA reference to the commit or tag to verify
publicKeysstringA PGP public key in ASCII armor format.
returnPromise<false/Array<string>>The key ids used to sign the commit, in hex format.
OpenPGP.js is unfortunately licensed under the LGPL-3.0 and thus cannot be included in a minified bundle with isomorphic-git which is an MIT/BSD style library, because that would violate the "dynamically linked" stipulation. To use this feature you include openpgp with a separate script tag and pass it in as an argument.

It is up to you to figure out what the commit's public key should be. I would use the "author" or "committer" name and email, and look up that person's public key from a trusted source such as the GitHub API.

The function returns false if any of the signatures on a signed git commit are invalid. Otherwise, it returns an array of the key ids that were used to sign it.

The publicKeys argument is a single string in ASCII armor format. However, it is plural "keys" because you can technically have multiple public keys in a single ASCII armor string. While I haven't tested it, it should support verifying a single commit signed with multiple keys. Hence why the returned result is an array of key ids.

let keyids = await git.verify({
  dir: '$input((/))',
  openpgp,
  ref: '$input((HEAD))',
  publicKeys: `$textarea((
-----BEGIN PGP PUBLIC KEY BLOCK-----
...
))`
})
console.log(keyids)
← walkBeta1add →
isomorphic-git
Docs
Getting StartedAPI Reference
Community
User ShowcaseProject Chat
GitHub
More
In The NewsBlog
Ad