Michael J Gruber <git@xxxxxxxxxxxxxxxxxxxx> writes: > A merge commit with embedded signed tag it is, then. > > The commit could carry it's own commit signature, couldn't it? Yes, an integrator can choose to sign a merge he creates, merging the work by a contributor who gave him a pull-request for a tag signed by the contributor. The resulting commit will embed the contributor's signature to let historians verify the second parent, as well as the integrator's signature to allow verification of the merge result. The integrator does not need to keep the signed tag used as an implementation detail of transferring the signature of the contributor, and in general such a signed tag used only to request pulls is not available to the general public and historians after such a merge is created. As these signatures are part of a commit object, "git verify-commit" would be the logical place to validate them, if we were to do so. -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html