On Mon, Mar 06, 2017 at 10:39:49AM -0800, Jonathan Tan wrote: > The "nohash" thing was in the hope of requiring only one signature to sign > all the hashes (in all the functions) that the user wants, while preserving > round-tripping ability. Thanks, this explained it very well. I understand the tradeoff now, though I am still of the opinion that simplicity is probably a more important goal. In practice I'd imagine that anybody doing commit-signing would just sign the more-secure hash, and people doing tag releases would probably do a dual-sign to be verifiable by both old and new clients. Those are infrequent enough that the extra computation probably doesn't matter. But that's just my gut feeling. -Peff