Hello Junio, thanks for your reply. See my comments below. "Junio C Hamano" <gitster@xxxxxxxxx> writes: > A few random thoughts that come to mind, none of which is > rhetorical [*1*]: > > - What should happen when the timestamping service is unreachable? > The user cannot get her work done at all? A tag is created > without timestamp and with a warning? Something else? If the timestamping service is unreachable, we plan to output a warning and abort the tag creation as a default behavior. However we could create config option to allow the user to create a tag without a signature if the TSA (timestamp authority) is not available. > - Is "signed tag" the only thing that will benefit from such a > certified timestamping mechanism? Would it be worthwhile to > offer a similar support for "signed commit"? This is a good point. We will consider implementing this in signed commits, too. Like in gpg-signed commits, rebases and changes of these commits will not be possible any more without invalidating the timestamp signature. However, the intention behind all this is to be able to verify important steps in development and continue to be able to work and commit without internet connection. Therefore our main focus is on tags with timestamp signatures. > - How would the certified timestamp interact with GPG signing of > the tag? Can they both be applied to the same tag, and if so > what is signed by which mechanism and in what order or are they > done independently and in parallel? E.g. would the timestamp be > done on the contents without GPG signature, and the GPG signature > be done on the contents without timestamp, and both signature > blocks concatenated at the end of the original contents? Both GPG and timestamp signing can be assigned to the same tag. A GPG signature includes the timestamp signature for one important reason: It should not be possible to replace an existing timestamp signature by another (later) timestamp signature. Including the timestamp signature into the GPG signature prevents this. Creating a timestamp signature without any GPG signature at all is therefore possible but would be vulnerable to the described scenario. > - Would it make sense to store the certified timestamp in the > object header part, like the way GPG signature for signed commit > objects are stored [*2*], instead of following the old-style > "signed tag" that concatenates a separate signature at the end? For timestamped commits we will, of course, use the new-style format. We would also new-style format for git tags, leaving the GPG signature as is and creating a timesig-header. However, mixing old-style and new-style format in tag objects would introduce an inconsistency. Is this problematic? Regards, Phillip Raffeck Anton Wuerfel -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html