On Tue, Apr 10, 2018 at 04:24:27AM -0400, Eric Sunshine wrote: > How confident are we that _all_ possible signing programs will conform > to the "-----BEGIN %s-----" pattern? If we're not confident, then > perhaps the user should be providing the full string here, not just > the '%s' part? This is not likely to be true of other signing schemes. In fact, other than OpenPGP, PEM, and CMS (S/MIME), this is probably not true at all. I know OpenBSD's signify has no wrappers (except a mandatory "untrusted comment:" line at the beginning). There wouldn't be a way to match such a signature unless we implemented prefix or regex support. It's currently possible to hack other signatures in with wrappers if they wrap the actual signature in OpenPGP-like armor; someone (I believe Eric Wong) has gotten this to work with signify. I only mention signify because other than OpenPGP and CMS, it's the only scheme I've seen people use with Git. -- brian m. carlson: Houston, Texas, US OpenPGP: https://keybase.io/bk2204
Attachment:
signature.asc
Description: PGP signature
