Re: [PATCH] commit: teach --gpg-sign option

On Fri, Oct 07, 2011 at 10:40:30AM +0200,  Michael J Gruber wrote:
> [readding JCH to cc whom you dropped]
> Robin H. Johnson venit, vidit, dixit 07.10.2011 00:24:
> > On Wed, Oct 05, 2011 at 05:56:55PM -0700,  Junio C Hamano wrote:
> >> And this uses the gpg-interface.[ch] to allow signing the commit, i.e.
> >>
> >>     $ git commit --gpg-sign -m foo
> >>     You need a passphrase to unlock the secret key for
> >>     user: "Junio C Hamano <gitster@xxxxxxxxx>"
> >>     4096-bit RSA key, ID 96AFE6CB, created 2011-10-03 (main key ID 713660A7)
> >>
> >>     [master 8457d13] foo
> >>      1 files changed, 1 insertions(+), 0 deletions(-)
> > I like it, but I have a couple of questions: 
> > 1. Are the sig lines used in computed SHA1/commitid of a given commit (I
> >    see examples w/ --amend and that would usually change the SHA1)?
> Yes, just like with tag objects.
Ok, at the core, this is going to pose a problem with multiple
signatures.

Workflow example:
1. Dev1 creates a commit, signs it, pushes to central repo.
2. Dev2 pulls, signs the tip commit, pushes it back.

Since the signing model here actually alters the commit, the push by Dev2
loses the history point of a commit with only a single signature, like
if somebody pushes a rewritten history (which should usually be
prohibited).

The push certificate variant of signing does permit this case without
breaking history.

> > I think this isn't a replacement for push certificates, but has value in
> > itself. It certainly provides better integration than the
> > signature-in-note variants.
> > 
> 
> I do think it's meant as an implementation of push certificates. I don't
> see any other value in it which could not be achieved by signed tags.
> Can you describe any?
Identity of the committer for verification.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail     : robbat2@xxxxxxxxxx
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85
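
The Dev1/Dev2 workflow above, as an added example that is not part of this message or of the patch under discussion: it computes git object ids by hand to show that a signature stored inside the commit changes the commit id, so Dev2's re-signed tip is not a fast-forward of Dev1's, while a detached record naming the commit leaves the id alone. The `sig` header name, the one-line placeholder signatures, the identity string and the detached-record format are assumptions made for illustration.

```python
import hashlib

EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"  # id of git's empty tree
IDENT = "Dev One <dev1@example.invalid> 1317976830 +0200"  # constructed identity


def git_object_id(kind, body):
    """Git object id: SHA-1 over '<kind> <length>' + NUL + body."""
    header = f"{kind} {len(body)}".encode() + b"\0"
    return hashlib.sha1(header + body).hexdigest()


def commit_id(parents, message, sigs=()):
    """Serialize a commit; signatures are header lines inside the hashed object."""
    lines = [f"tree {EMPTY_TREE}"]
    lines += [f"parent {p}" for p in parents]
    lines += [f"author {IDENT}", f"committer {IDENT}"]
    # Assumed header name; real signatures are multi-line armored blocks.
    lines += [f"sig {s}" for s in sigs]
    body = "\n".join(lines) + "\n\n" + message + "\n"
    return git_object_id("commit", body.encode())


def scenario():
    base = commit_id([], "initial")
    # Step 1: Dev1 creates and signs the commit.
    dev1 = commit_id([base], "foo", sigs=["DEV1-SIG-PLACEHOLDER"])
    # Step 2: Dev2 adds a signature to the same commit, producing a new object.
    dev2 = commit_id([base], "foo",
                     sigs=["DEV1-SIG-PLACEHOLDER", "DEV2-SIG-PLACEHOLDER"])
    # Detached alternative: Dev2 signs a separate record that names dev1.
    cert = git_object_id("blob", f"commit {dev1}\nsigner dev2\n".encode())
    return {"base": base, "dev1": dev1, "dev2": dev2, "cert": cert}


def is_fast_forward(old_tip, new_tip, parents_of):
    """True if old_tip is reachable from new_tip through parent links."""
    todo, seen = [new_tip], set()
    while todo:
        c = todo.pop()
        if c == old_tip:
            return True
        if c not in seen:
            seen.add(c)
            todo.extend(parents_of.get(c, []))
    return False


if __name__ == "__main__":
    ids = scenario()
    graph = {ids["dev1"]: [ids["base"]], ids["dev2"]: [ids["base"]]}
    print("dev1 tip:", ids["dev1"])
    print("dev2 tip:", ids["dev2"])
    print("fast-forward:", is_fast_forward(ids["dev1"], ids["dev2"], graph))
```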