I'm learning fossil and trying to reproduce a workflow for two people modifying the same source code tree.
So, Alice and Bob both have local repositories of some source code. Both have autosync off. Alice hacks some more, does some commits signing check-ins with her gpg key. This part is fine, as Alice I've managed to generate gpg keys, fossil asked me the key password when commiting. I'm also aware of gpg-agent but don't use it yet, because I'm trying to keep things as simple as possible for now.
Now, at some point Bob pulls changes from Alice's fossil repo. How would he verify Alice's signed check-ins?
Added:
I know that after pulling changes, Bob is able to manually navigate over Alice's check-ins by using 'fossil update ' and do 'gpg --verify manifest' for each of them. What I'm asking for is if fossil has an automated way to check all "foreign" check-ins after a 'fossil pull', before merging changes from other people with content from the local workspace.