On Mon, Jan 18, 2010 at 10:09:46PM -0800, Shawn O. Pearce wrote: > So why is it legal to omit the tagger header from a tag? > > E.g. the Linux kernel tag v2.6.12 has no tagger header: I think you just answered your own question. We must support tagger-less tags because they exist in important projects like the kernel. :) > [...] > Is there a version of Git floating around that doesn't create a > tagger header when creating a signed tag? WTF? Everything prior to c818566 ([PATCH] Update tags to record who made them, 2005-07-14). So probably nothing that anybody is using now, but v2.6.12 was one of the first tags made. > Looking at tag.c's parse_tag_buffer(), the variable sig_line seems > to be expected to point at the "tagger " header (given its name), > but its not actually validated as such. Actually, that variable name predates the patch above, so I suspect "sig" meant "GPG signature". At any rate, as you can see, git doesn't verify it, and the code for "git show v2.6.12" in builtin-log.c:show_object handles the taggerless case as well. I don't think anything else actually looks at the tagger. verify-tag treats the signed data as opaque, and just shows the identity of the actual signer. -Peff -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html