Is there a common location for a user’s public GPG key on Hugging Face? For instance, on GitHub, public keys are located at https://github.com/[username].gpg (e.g., https://github.com/tschorlemmer.gpg). This would be helpful for verifying commit signatures outside of the web UI.
Hi, we don’t have this feature at the moment, though we’ve discussed it in the past. How would you use it exactly to verify commits locally? (which command)
The built in git verify-commit command. Currently, if you do this there is a mismatch between the web UI’s commit status (verified, unverified, etc.) and what you get from running that command locally since some public keys aren’t discoverable.
1 Like
OK. We will let you know here if we build this feature. No ETA yet.
1 Like
Is there any update on this feature. We want to verify signature of downloaded model files (which are with verified tag) and without public GPG key of the user we cannot do it. Let me know if any other way to do signature validation of downloaded files.
1 Like
Hmm… This feature?
Thank you for reply! Yes one can sign commit, but how one can verify once we download the file from repo? As there is no signature file or public Key of developer signing commit is available to validate it like this
gpg --verify [signature-file] [file]
1 Like
It doesn’t seem to be there yet…
1 Like