linux git gnupg git-commit pgp

View git pgp sigs in a commit without gpg installed


In some cases I will be using a system that does not have gpg installed, and I do not want to take the time to set it up and get the pub key installed. I would like to just view the signature on the commit and copy it to another system to validate it. I cannot seem to find a way to view the signature without gpg being installed. Git only gives an error that gpg is not installed whenever I try to use any of the git commands to view it.

Is there a way to view git pgp signed commits with the pgp signature intact without having gpg installed on the system?

I have been looking everywhere for an answer to this and have not found anything of use. Thanks for any help or pointers you can provide.


Solution

  • Reading and verifying signatures

    Is there a way to view git pgp signed commits with the pgp signature intact without having gpg installed on the system?

    I wouldn't expect so. If you want to see details, you're required to at least have a parser for reading the OpenPGP packets and a full implementation for fetching information from the keys belonging to the; GnuPG is pretty much the only relevant free software OpenPGP implementation (apart from maybe libraries for the Go language and Bouncy Castle for Java/C#). While there is a stripped-down implementation gpgv for only validating signatures, it is not interfaced by git and you'd have to install additional software (a stripped-down GnuPG package), anyway.

    Furthermore, OpenPGP signatures do not include the certificate (public key). To actually view the signatures, you'd have to fetch them -- also something performed by GnuPG. Finally, to actually verify the signatures on another device, you'd not only need the signatures, but also the signed-off data (thus, the git catalogue).

    Installing GnuPG is not a hassle

    I'm surprised there is a Linux distribution not having GnuPG installed by default; most package managers use it to verify packages, and it should be available in pretty much all distributions' software repositories.

    Experiments with a "stub GnuPG"

    I unsuccessfully tried a hack for exporting/dumping the signatures git wants to verify (a script named gpg in the $PATH dumping input), but it looks like git is doing some further checks or communication.
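
As an added example (not part of the original answer or of git itself): git stores a commit signature in the `gpgsig` header of the commit object, so the raw object printed by `git cat-file commit <rev>` can be split into the armored signature and the signed data without GnuPG. The sketch assumes a SHA-1 repository that uses only the `gpgsig` header; the output file names `commit.sig` and `commit.payload` and the sample commit are constructed for illustration.

```python
import subprocess
import sys

# Constructed sample of a raw signed commit object (not a real signature).
SAMPLE = (
    b"tree " + b"0" * 40 + b"\n"
    b"author A U Thor <author@example.com> 1700000000 +0000\n"
    b"committer A U Thor <author@example.com> 1700000000 +0000\n"
    b"gpgsig -----BEGIN PGP SIGNATURE-----\n"
    b" \n"
    b" Q09OU1RSVUNURUQ=\n"
    b" -----END PGP SIGNATURE-----\n"
    b"\n"
    b"Signed commit (constructed sample)\n"
)

def split_signed_commit(raw: bytes):
    """Return (signature, payload); signature is b"" for an unsigned commit."""
    # Headers end at the first empty line; a blank line inside the armored
    # block is stored as a single space, so it cannot be mistaken for it.
    header, sep, body = raw.partition(b"\n\n")
    sig_lines, kept, in_sig = [], [], False
    for line in header.split(b"\n"):
        if line.startswith(b"gpgsig "):
            in_sig = True
            sig_lines.append(line[len(b"gpgsig "):])
        elif in_sig and line.startswith(b" "):
            sig_lines.append(line[1:])  # continuation: drop the one-space indent
        else:
            in_sig = False
            kept.append(line)
    signature = b"\n".join(sig_lines) + b"\n" if sig_lines else b""
    # The signed data is the commit object with the gpgsig header removed.
    payload = b"\n".join(kept) + sep + body
    return signature, payload

def main(argv):
    # With a revision argument read the real object, otherwise use the sample.
    if len(argv) > 1:
        raw = subprocess.run(["git", "cat-file", "commit", argv[1]],
                             check=True, capture_output=True).stdout
    else:
        raw = SAMPLE
    signature, payload = split_signed_commit(raw)
    if not signature:
        sys.exit("no gpgsig header: commit is not signed")
    for name, data in (("commit.sig", signature), ("commit.payload", payload)):
        with open(name, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    main(sys.argv)
```

On a machine that has GnuPG and the signer's public key, `gpg --verify commit.sig commit.payload` then checks the detached signature against the extracted data.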