Re: [PATCH v2 0/6] extract algo information from signatures
From: brian m. carlson <hidden>
Date: 2025-06-02 22:17:20
On 2025-05-26 at 10:33:08, Christian Couder wrote:
> Around one month ago, I sent a patch that tried to improve on how
> `git fast-export` handled SSH and X.509 commit signatures:
>
> https://lore.kernel.org/git/20250424203904.909777-1-christian.couder@gmail.com/
>
> This patch was showing a single string for the hash algorithm with the
> following possible values:
>
> * "openpgp" for SHA-1 OpenPGP signatures,
> * "sha256" for SHA-256 OpenPGP signatures,
> * "x509" for X.509 (GPGSM) signatures,
> * "ssh", for SSH signatures,
> * "unknown" for signatures that can't be identified (a warning is emitted).
>
> brian m. carlson however replied that it would be better to show two
> pieces of information instead of one: one for the hash algorithm and
> one for the protocol.
Actually, what I was saying is that we should have one for the hash algorithm that is used in the Git object. I don't care about the hash algorithm used in OpenPGP, X.509, or OpenSSH (that is, whether it's signed with SHA-512 or SHA-256), but we can have multiple signatures in a single commit such that there's both a SHA-1 signature and a SHA-256 signature.

-- 
brian m. carlson (they/them)
Toronto, Ontario, CA
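The distinction drawn in this thread, as an added example that is not part of either message or of the patch series: a raw commit object can carry one signature per object hash algorithm, and each signature's format is a separate question. It assumes Git's `gpgsig` (SHA-1 object) and `gpgsig-sha256` (SHA-256 object) commit headers and the usual armor lines of each signing tool; the function names and the commit text are constructed for illustration.

```python
# Added example: report (object hash algorithm, signature format) for each
# signature header in a raw commit object. Sample data below is constructed.
SIG_HEADERS = {"gpgsig": "sha1", "gpgsig-sha256": "sha256"}
ARMOR_FORMATS = {
    "-----BEGIN PGP SIGNATURE-----": "openpgp",
    "-----BEGIN SIGNED MESSAGE-----": "x509",
    "-----BEGIN SSH SIGNATURE-----": "ssh",
}

def commit_signatures(raw_commit: str):
    """Return [(object_hash_algo, signature_format)], one per signature header."""
    # Headers end at the first empty line; blank lines inside a signature are
    # stored as a single space (continuation), so they do not end the block.
    header_block = raw_commit.split("\n\n", 1)[0]
    found, current = [], None
    for line in header_block.split("\n"):
        if line.startswith(" "):          # continuation of the previous header
            if current is not None:
                current[1].append(line[1:])
            continue
        key, _, value = line.partition(" ")
        current = None
        if key in SIG_HEADERS:
            current = (SIG_HEADERS[key], [value])
            found.append(current)
    # The first line of the signature body is the armor line naming the format.
    return [(algo, ARMOR_FORMATS.get(body[0].strip(), "unknown"))
            for algo, body in found]

def fold(name: str, armored: str) -> str:
    """Hypothetical helper: encode a multi-line value as a commit header."""
    return name + " " + armored.replace("\n", "\n ")

# Constructed signatures (not real signature data).
PGP = "-----BEGIN PGP SIGNATURE-----\n\nCONSTRUCTED\n-----END PGP SIGNATURE-----"
SSH = "-----BEGIN SSH SIGNATURE-----\nCONSTRUCTED\n-----END SSH SIGNATURE-----"
SAMPLE_COMMIT = "\n".join([
    "tree " + "0" * 40,
    "author A U Thor <author@example.com> 1748902640 +0000",
    "committer A U Thor <author@example.com> 1748902640 +0000",
    fold("gpgsig", PGP),
    fold("gpgsig-sha256", SSH),
    "",
    "constructed commit message",
    "",
])

if __name__ == "__main__":
    for algo, fmt in commit_signatures(SAMPLE_COMMIT):
        print(f"object hash: {algo}  signature format: {fmt}")
```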