On Mon, Apr 16, 2018 at 02:05:32PM +0900, Junio C Hamano wrote: > "brian m. carlson" <sandals@xxxxxxxxxxxxxxxxxxxx> writes: > > > On Tue, Apr 10, 2018 at 04:24:27AM -0400, Eric Sunshine wrote: > >> How confident are we that _all_ possible signing programs will conform > >> to the "-----BEGIN %s-----" pattern? If we're not confident, then > >> perhaps the user should be providing the full string here, not just > >> the '%s' part? > > > > This is not likely to be true of other signing schemes. In fact, other > > than OpenPGP, PEM, and CMS (S/MIME), this is probably not true at all. > > Hmph. > > That argues more strongly that we would regret unless we make the > end-user configuration to at least the whole string (which later can > be promoted to "a pattern that matches the whole string"), not just > the part after mandatory "-----BEGIN ", methinks. Yeah, I think this patch set is "add gpgsm support", which I can see as a valuable goal in and of itself, but I'm not sure the attempt to make it generic is in the right place. If we want to be truly generic, the way to do that is to invoke a helper based on signature type (e.g. git-sign-gpg, git-sign-gpgsm, git-sign-signify) to do the signing and verification. We need not ship these helpers ourselves; interested third-parties can provide them, and we can add configuration to match against regexes for non-built-in types (which is required for many other formats). If we just want to add gpgsm support, that's fine, but we should be transparent about that fact and try to avoid making an interface which is at once too generic and not generic enough. -- brian m. carlson: Houston, Texas, US OpenPGP: https://keybase.io/bk2204
Attachment:
signature.asc
Description: PGP signature