Hi all,

I'm attempting to manually verify git commits signed with SSH keys using Python, however verifying commits consistently fails, no matter what I try.

The Python verification logic has been tested against signatures produced with ssh-keygen and confirmed to be working. I suspect I'm constructing the message incorrectly to check against the signature.

As far as I know, the message should look like this, with the gpgsig section removed.

tree ff5ee8caaf2893a79711151b2937130469d83d39
parent 3e84a21590a5ad714d168878abc95218d0e42cac
author Matthew H <git@xxxxxxxxxxxxx> 1743454803 +0100
committer Matthew H <git@xxxxxxxxxxxxx> 1743454803 +0100

Commit message

Could someone point me in the right direction? I'm wondering if it's hashed or encoded prior to signing.

Thanks
Matthew
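An added example, not part of the original post: git passes the commit with the gpgsig header removed to `ssh-keygen -Y sign -n git`, and OpenSSH's PROTOCOL.sshsig has the key sign a wrapper blob containing a hash of that payload rather than the payload itself. The function names are hypothetical, the signature body in the sample is a constructed placeholder, and sha512 (the ssh-keygen default) is assumed; a verifier should read the hash algorithm from the decoded signature.

```python
import hashlib
import struct

# Constructed sample: header values from the post, signature body is a placeholder.
SAMPLE = (
    b"tree ff5ee8caaf2893a79711151b2937130469d83d39\n"
    b"parent 3e84a21590a5ad714d168878abc95218d0e42cac\n"
    b"author Matthew H <git@xxxxxxxxxxxxx> 1743454803 +0100\n"
    b"committer Matthew H <git@xxxxxxxxxxxxx> 1743454803 +0100\n"
    b"gpgsig -----BEGIN SSH SIGNATURE-----\n"
    b" U1NIU0lHPLACEHOLDER\n"
    b" -----END SSH SIGNATURE-----\n"
    b"\n"
    b"Commit message\n"
)

def split_signed_commit(raw: bytes):
    """Split `git cat-file commit <id>` output into (payload, armored signature)."""
    head, sep, body = raw.partition(b"\n\n")
    kept, sig, in_sig = [], [], False
    for line in head.split(b"\n"):
        if line.startswith(b"gpgsig "):
            in_sig = True
            sig.append(line[len(b"gpgsig "):])
        elif in_sig and line.startswith(b" "):
            sig.append(line[1:])      # continuation line: drop the leading space
        else:
            in_sig = False
            kept.append(line)
    # The payload keeps every other byte, including the message's final newline.
    return b"\n".join(kept) + sep + body, b"\n".join(sig)

def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def sshsig_signed_data(payload: bytes, namespace=b"git", hash_alg="sha512") -> bytes:
    """Blob the key actually signs: magic, namespace, reserved, hash name, H(payload)."""
    digest = hashlib.new(hash_alg, payload).digest()
    return (b"SSHSIG" + ssh_string(namespace) + ssh_string(b"")
            + ssh_string(hash_alg.encode()) + ssh_string(digest))

if __name__ == "__main__":
    payload, armored = split_signed_commit(SAMPLE)
    print(sshsig_signed_data(payload).hex())
```

The blob returned by `sshsig_signed_data` is the message to hand to the raw signature check, using the public key and signature bytes decoded from the armored block.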