Re: Git-commits mailing list feed.

From: Andreas Gal <gal@uci.edu>
Date: 2005-04-24 09:16:49
I would prefer a generic mechanism to sign _any_ object, not just tag 
objects:

- Introduce "signature objects" that contain an implementation-specific 
  signature. git doesn't care about the content, as long as some script can 
  verify that the signature in the signature object matches the content of 
  the object(s) it references. The "name" of a signature object is the 
  SHA1 hash of the content (=gpg signature, for example).

- Referencing signatures in tags makes no sense IMO, because it would 
  require changing the (hash) name of tags when someone else wants to 
  co-sign it later on. I would just distribute two names for that (here is 
  tag xxxxx and its signature is yyyyy). Tags should only contain a
  symbolic name and the hash of the commit object they point to.

- A nice benefit of this is that we could sign unnamed commits (think 
  automatic signing of intermediate commits), or even sign individual
  files in the tree.

Just my 2c.

Andreas
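The signature-object model sketched above, as an added illustration that is not code from this thread or from git: a toy content-addressed store in which a signature is its own object, named by the SHA-1 of its content, that references the object it signs. The signature algorithm is an assumed HMAC stand-in for the gpg signature the thread discusses, and the object layouts, names and keys are constructed.

```python
import hashlib
import hmac

class ObjectStore:
    """Content-addressed store in the style of git: name = SHA-1 of typed content."""
    def __init__(self):
        self.objects = {}

    def put(self, kind, body):
        name = hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()
        self.objects[name] = (kind, body)
        return name

# The signature is a stand-in: HMAC-SHA1 under a per-signer key (constructed
# placeholder for PGP). git never interprets it; only the verify script does.
def sign_object(store, target, signer, key):
    mac = hmac.new(key, target.encode(), hashlib.sha1).hexdigest()
    body = f"object {target}\nsigner {signer}\nsig {mac}\n".encode()
    return store.put("signature", body)  # signature object, named by its own hash

def verify_signature(store, sig_name, key_for_signer):
    kind, body = store.objects[sig_name]
    if kind != "signature":
        return False
    f = dict(line.split(" ", 1) for line in body.decode().splitlines())
    key = key_for_signer(f["signer"])
    if f["object"] not in store.objects or key is None:
        return False  # dangling reference or unknown signer
    expected = hmac.new(key, f["object"].encode(), hashlib.sha1).hexdigest()
    return hmac.compare_digest(expected, f["sig"])

def demo():
    store = ObjectStore()
    keys = {"Linus Torvalds": b"linus-key", "Andreas Gal": b"andreas-key"}
    # Constructed objects: a file blob, a commit, and a tag naming the commit.
    blob = store.put("blob", b"Hello, kernel\n")
    commit = store.put("commit", b"tree 0000\nauthor someone\n\n-rc3\n")
    tag = store.put("tag", f"object {commit}\ntag v2.6.12-rc3\n".encode())
    # Co-signing adds a second signature object; the tag's name never changes.
    sig_linus = sign_object(store, tag, "Linus Torvalds", keys["Linus Torvalds"])
    sig_andreas = sign_object(store, tag, "Andreas Gal", keys["Andreas Gal"])
    sig_blob = sign_object(store, blob, "Andreas Gal", keys["Andreas Gal"])
    # Claims Linus as signer but was produced with a different key.
    forged = sign_object(store, commit, "Linus Torvalds", b"wrong-key")
    return {
        "linus_ok": verify_signature(store, sig_linus, keys.get),
        "cosign_ok": verify_signature(store, sig_andreas, keys.get),
        "blob_ok": verify_signature(store, sig_blob, keys.get),
        "forged_ok": verify_signature(store, forged, keys.get),
    }
```

Because the signature references the tag by hash rather than the other way round, a later co-signature or a signature on a bare blob needs no change to the signed object.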

On Sat, 23 Apr 2005, Fabian Franz wrote:

> 
> On Saturday, 23 April 2005 19:31, Linus Torvalds wrote:
> > On Sun, 24 Apr 2005, David Woodhouse wrote:
> > > Nah, asking Linus to tag his releases is the most comfortable way.
> > >
> > The reason I've not done tags yet is that I haven't decided how to do
> > them.
> >
> > 	commit a2755a80f40e5794ddc20e00f781af9d6320fafb
> > 	tag v2.6.12-rc3
> > 	signer Linus Torvalds
> >
> > 	This is my official original 2.6.12-rc2 release
> >
> > 	-----BEGIN PGP SIGNATURE-----
> > 	....
> > 	-----END PGP SIGNATURE-----
> >
> > If somebody writes a script to generate the above kind of thing (and tells
> > me how to validate it), I'll do the rest, and start tagging things
> > properly. Oh, and make sure the above sounds sane (ie if somebody has a
> > better idea for how to more easily identify how to find the public key to
> > check against, please speak up).
> 
> To generate those you do:
> 
> # cat unsigned_tag
> 
> 	commit a2755a80f40e5794ddc20e00f781af9d6320fafb
> 	tag v2.6.12-rc3
> 	signer Linus Torvalds
> 	This is my official original 2.6.12-rc2 release
> 
> # gpg --clearsign < unsigned_tag > signed_tag   # gpg will ask here for the secret key phrase
> 
> To verify you do:
> 
> # gpg --verify < signed_tag
> 
> and check exit status.
> 
> Hope that helps,
> 
> cu
> 
> Fabian 
> 
> -
> To unsubscribe from this list: send the line "unsubscribe git" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
Received on Sun Apr 24 09:17:39 2005

This archive was generated by hypermail 2.1.8 : 2005-04-24 09:17:39 EST