Re: Git-commits mailing list feed.
From: Andreas Gal <hidden>
Date: 2016-06-15 22:41:54
I would prefer a generic mechanism to sign _any_ object, not just tag objects: - Introduce "signature objects" that contains an implementation-specific signature. git doesn't care about the content, as long some script can verify that the signature in the signature object matches the content of the object(s) it references. The "name" of a signature object is the SHA1 hash of the content (=gpg signature, for example). - Referencing signatures in tags makes no sense IMO, because it would require to change the (hash) name of tags when someone else wants to co-sign it later on. I would just distribute two names for that (here is tag xxxxx and its signature is yyyyy). Tags should only contain a symbolic name and the hash of the commit object they point to. - A nice benefit of this is that we could sign unnamed commits (think automatic signing of intermediate commit), or even sign individual files in the tree. Just my 2c. Andreas On Sat, 23 Apr 2005, Fabian Franz wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Am Samstag, 23. April 2005 19:31 schrieb Linus Torvalds:quoted
On Sun, 24 Apr 2005, David Woodhouse wrote:quoted
Nah, asking Linus to tag his releases is the most comfortable way.The reason I've not done tags yet is that I haven't decided how to do them. commit a2755a80f40e5794ddc20e00f781af9d6320fafb tag v2.6.12-rc3 signer Linus Torvalds This is my official original 2.6.12-rc2 release -----BEGIN PGP SIGNATURE----- .... -----END PGP SIGNATURE----- If somebody writes a script to generate the above kind of thing (and tells me how to validate it), I'll do the rest, and start tagging things properly. Oh, and make sure the above sounds sane (ie if somebody has a better idea for how to more easily identify how to find the public key to check against, please speak up).To generate those you do: # cat unsigned_tag commit a2755a80f40e5794ddc20e00f781af9d6320fafb tag v2.6.12-rc3 signer Linus Torvalds This is my official original 2.6.12-rc2 release # gpg --clearsign < unsigned_tag > signed_tag # gpg will ask here for the secret key phrase To verify you do: # gpg --verify < signed_tag and check exit status. Hope that helps, cu Fabian -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFCaorzI0lSH7CXz7MRAr3QAJ45f2CQTgJ0sYfF9kRyrWHbsazVQQCeMqW7 HCsah/llt/I8sQ36dlDnRWg= =Fgq1 -----END PGP SIGNATURE----- - To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html