Michael J Gruber <git@xxxxxxxxxxxxxxxxxxxx> writes:

> - We don't support verifying push certificates, although they fit in with
>   git verify-tag. Patch has been submitted, and this series documents the
>   result already (git verify-tag --blob).
>
> - We don't support verifying signed merge tags other than by using log/show,
>   which is not quite fit for scripting.

Both true and are good things to tackle, I would think. It would be
ideal if we can unify the latter with verification of signed commits.

> - We have signature parsing code all over the place, including places that
>   should probably abstract more, such as tag.c and log-tree.c.

Looking forward to seeing the result of that new abstraction.

> - We may want to give more support for deciding about the trustworthiness
>   of signatures, the same way we export information to receive hooks
>   in the presence of push certificates. (Give information, don't decide.)

Again, true.

Thanks for starting this.

> Michael J Gruber (5):
>   Documentation/technical: describe signature formats
>   Documentation/technical: signed tag format
>   Documentation/technical: signed commit format
>   Documentation/technical: signed merge tag format
>   Documentation/technical: push certificate format
>
>  Documentation/Makefile                       |   1 +
>  Documentation/technical/signature-format.txt | 242 +++++++++++++++++++++++++++
>  2 files changed, 243 insertions(+)
>  create mode 100644 Documentation/technical/signature-format.txt