From 427b33c3add14bd5b83a02608d7dd927cfe8ce90 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Mon, 7 Mar 2011 10:07:10 +0000
Subject: [PATCH] VerifyingSignatures changed

git tag verify
---
 VerifyingSignatures.md | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/VerifyingSignatures.md b/VerifyingSignatures.md
index c790fec5..2377fa42 100644
--- a/VerifyingSignatures.md
+++ b/VerifyingSignatures.md
@@ -70,3 +70,33 @@ You can also download all the currently used developer's keys (and also a copy o
 [​http://qubes-os.org/keys/](http://qubes-os.org/keys/)
 
 The developer keys are set to be valid for 1 year only, while the Qubes Master Singing Key has no expiration date. This key has been generated and is kept only within a special 'vault' machine that has no networking, and the private portion (hopefully) is never to leave this isolated machine.
+
+Verifying Qubes code
+--------------------
+
+To verify signed git tag, you can use:
+
+``` {.wiki}
+$ git tag -v <tag name>
+```
+
+You can also set git alias to automatically pull latest tag and verify its signature:
+
+``` {.wiki}
+$ git config --global alias.vpull '!f() { tag=`git ls-remote $@ |tail -2 |head -1 |cut -d/ -f 3-`; git pull $@ tag $tag; git tag -v $tag; }; f'
+```
+
+then use:
+
+``` {.wiki}
+$ git vpull git://git.qubes-os.org/mainstream/core.git
+Already up-to-date.
+object 80826329a71c693fcd08544458b9d6219ca5b28c
+type commit
+tag v1.3.16-dom0
+tagger Joanna Rutkowska <joanna@invisiblethingslab.com> 1290384222 +0100
+
+v1.3.16-dom0
+gpg: Signature made Mon 22 Nov 2010 01:03:50 CET using RSA key ID C37BB66B
+gpg: Good signature from "Joanna Rutkowska (Qubes OS signing key) <joanna@invisiblethingslab.com>"
+```