One useful feature of Bazaar is the ability to cryptographically sign revisions. I was discussing this with Ryan on IRC, and thought I'd write up some of the details as they might be useful to others. Anyone who remembers the past security of GNOME and Debian servers should be able to understand the benefits of being able to verify the integrity of a source code repository after such an incident. Rather than requiring all revisions made since the last known safe backup to be examined, much of the verification could be done mechanically. Turning on Revision Signing The first thing you'll need to do is get a PGP key and configure GnuPG to use it. The GnuPG handbook is a good reference on doing this. As the aim is to provide some assurance that the revisions you publish were really made by you, it'd be good to get the key signed by someone. Once that is done, it is necessary to configure Bazaar to sign new revisions. The easiest way to do this is to edit ~/.bazaar/bazaar.conf to look something like this: [DEFAULT] email = My Name <me@example.com> create_signatures = always Now when you run "bzr commit", a signature for the new revision will be stored in the repository. With this configuration change, you will be prompted for your pass phrase when making commits. If you'd prefer not to enter it repeatedly, there are a few options available: install gpg-agent, and use it to remember your pass phrase in the same way you use ssh-agent. install the gnome-gpg wrapper, which lets you remember your pass phrase in your Gnome keyring. To use gnome-gpg, you will need to add an additional configuration value: "gpg_signing_command = gnome-gpg". Signatures are transferred along with revisions when you push or pull a branch, perform merges, etc. How Does It Work? So what does the signature look like, and what does it cover? There is no command for printing out the signatures, but we can access them using bzrlib. As an example, lets look at the signature on the head revision of one of my branches: >>> from bzrlib.branch import Branch >>> b = Branch.open('http://bazaar.launchpad.net/~jamesh/storm/reconnect') >>> b.last_revision() 'james.henstridge@canonical.com-20070920110018-8e88x25tfr8fx3f0' >>> print b.repository.get_signature_text(b.last_revision()) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 bazaar-ng testament short form 1 revision-id: james.henstridge@canonical.com-20070920110018-8e88x25tfr8fx3f0 sha1: 467b78c3f8bfe76b222e06c71a8f07fc376e0d7b -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFG8lMHAa+T2ZHPo00RAsqjAJ91urHiIcu4Bim7y1tc5WtR+NjvlACgtmdM 9IC0rtNqZQcZ+GRJOYdnYpA= =IONs -----END PGP SIGNATURE----- >>> If we save this signature to a file, we can verify it with a command like "gpg --verify signature.txt" to prove that it was made using my PGP key. Looking at the signed text, we see three lines: An identifier for the checksum algorithm. This is included to future proof old signatures should the need arise to alter the checksum algorithm at a later date. The revision ID that the signature applies to. Note that this is the full globally unique identifier rather than the shorter numeric identifiers that are only unique in the context of an individual branch. The checksum, in SHA1 form. For the…