On Fri, Sep 29, 2017 at 10:34:13AM -0700, Jonathan Nieder wrote:
> Junio C Hamano wrote:
> > Jonathan Nieder <jrnieder@xxxxxxxxx> writes:
...
> > If it is a goal to eventually be able to lose SHA-1 compatibility
> > metadata from the objects, then we might want to remove SHA-1 based
> > signature bits (e.g. PGP trailer in signed tag, gpgsig header in the
> > commit object) from NewHash contents, and instead have them stored
> > in a side "metadata" table, only to be used while converting back.
> > I dunno if that is desirable.
>
> I don't consider that desirable.
>
> A SHA-1 based signature is still of historical interest even if my
> centuries-newer version of Git is not able to verify it.

Agreed, even a signature made by a now exposed and revoked key still has
validity. Especially in a commit or merge. We know it was made prior to the
key being compromised / revoked.

This is assuming that the keyholder can definitively say "Don't trust
signatures from this key after this date/time+0000". And the signature in
question is in the git history prior to that cutoff.

Tags are a different animal because they can be added at any time and
aren't directly incorporated into the history.

thx,
Jason.
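The trust argument in the reply above (a commit signature survives a later key revocation when history shows it predates the cutoff, a tag signature does not, because nothing in the commit graph covers a tag object) can be made concrete with a small model. The code below is an added example, not code from the thread or from git itself. It assumes a toy signature scheme (a keyed hash standing in for PGP), constructed key ids, timestamps and "anchor" commits that are known to have existed at a given time (for instance a published release); the helper names `trust_commit`, `trust_tag`, `is_ancestor` and `scenario` are all hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List

# Added example, not from the thread. Signatures are simulated with a keyed
# hash so the trust logic runs offline; real git uses OpenPGP/SSH/X.509.

def sign(secret: str, payload: str) -> str:
    return hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()

def verify(secret: str, payload: str, signature: str) -> bool:
    return hmac.compare_digest(sign(secret, payload), signature)

@dataclass
class Commit:
    tree: str
    parents: List[str]
    time: int          # committer timestamp; trivially forgeable, never trusted alone
    key_id: str
    signature: str = ""

    def payload(self) -> str:
        # What the signature covers: the commit minus its gpgsig header.
        parents = "".join(f"parent {p}\n" for p in self.parents)
        return f"tree {self.tree}\n{parents}time {self.time}\nsigner {self.key_id}\n"

    def object_id(self) -> str:
        # As in git, the object id also covers the gpgsig header, so the
        # signature becomes part of every descendant's id.
        data = self.payload() + f"gpgsig {self.signature}\n"
        return hashlib.sha1(data.encode()).hexdigest()

@dataclass
class Tag:
    target: str
    key_id: str
    signature: str = ""

    def payload(self) -> str:
        return f"object {self.target}\ntagger {self.key_id}\n"

def make_commit(repo, keys, tree, parents, time, key_id) -> str:
    c = Commit(tree, parents, time, key_id)
    c.signature = sign(keys[key_id], c.payload())
    oid = c.object_id()
    repo[oid] = c
    return oid

def is_ancestor(repo, ancestor: str, descendant: str) -> bool:
    # Walk parents from `descendant`; True if `ancestor` is reachable (or equal).
    stack, seen = [descendant], set()
    while stack:
        cur = stack.pop()
        if cur == ancestor:
            return True
        if cur not in seen:
            seen.add(cur)
            stack.extend(repo[cur].parents)
    return False

def trust_commit(repo, keys, revocations, anchors, oid) -> bool:
    """revocations: key_id -> cutoff ("trust nothing signed by this key after").
    anchors: commit id -> time at which that commit is known to have existed."""
    c = repo[oid]
    if c.key_id not in keys or not verify(keys[c.key_id], c.payload(), c.signature):
        return False
    cutoff = revocations.get(c.key_id)
    if cutoff is None:
        return True
    # Revoked key: still good if some commit known before the cutoff has this
    # commit (and therefore its gpgsig header) in its history.
    return any(t < cutoff and is_ancestor(repo, oid, a) for a, t in anchors.items())

def trust_tag(keys, revocations, tag: Tag) -> bool:
    if tag.key_id not in keys or not verify(keys[tag.key_id], tag.payload(), tag.signature):
        return False
    # No commit id covers a tag object, so history cannot show when it was made.
    return tag.key_id not in revocations

def scenario() -> Dict[str, bool]:
    keys = {"alice": "alice-secret", "bob": "bob-secret"}   # constructed
    repo: Dict[str, Commit] = {}
    c1 = make_commit(repo, keys, "t1", [], 1_400_000_000, "alice")
    c2 = make_commit(repo, keys, "t2", [c1], 1_450_000_000, "bob")
    # Alice's key is compromised; she states "trust nothing after 1_500_000_000".
    revocations = {"alice": 1_500_000_000}
    # c2 is known to have existed at 1_460_000_000 (e.g. a release), before the cutoff.
    anchors = {c2: 1_460_000_000}
    # A commit signed with the compromised key and backdated; nothing known
    # before the cutoff has it in its history.
    c3 = make_commit(repo, keys, "t3", [c2], 1_400_000_001, "alice")
    tag = Tag(c1, "alice")
    tag.signature = sign(keys["alice"], tag.payload())
    return {
        "c1_in_history": trust_commit(repo, keys, revocations, anchors, c1),
        "c3_backdated": trust_commit(repo, keys, revocations, anchors, c3),
        "tag_on_c1": trust_tag(keys, revocations, tag),
    }

if __name__ == "__main__":
    print(scenario())
```

The decisive input is the anchor, not the commit's own timestamp: the backdated commit `c3` claims an earlier time than `c1` but is rejected because no commit known to exist before the cutoff reaches it, while `c1` is accepted only because `c2` (attested before the cutoff) carries `c1`'s id, and with it `c1`'s gpgsig header, in its own hash. The tag is rejected outright once its key is revoked, which is the "different animal" point in the reply.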