On Mon, May 07, 2018 at 11:06:50PM +0000, brian m. carlson wrote:

> I think my main objection to this series is that it is generic in a way
> that isn't necessarily useful. We know there are essentially only two
> formats of PEM-style signatures: OpenPGP and CMS[0]. Even if there are
> more, they aren't intrinsically useful, because our codebase can only
> handle GnuPG-style tools, and those are the only formats GnuPG-style
> tools really support (although, as you point out, other tools could
> mimic the interface).
>
> I think if we aren't going to implement some sort of interface that's
> generically useful for all signing tools, it would be better to simply
> say that we support gpg and gpgsm and have signingtool.gpg.program and
> signingtool.gpgsm.program and hard-code the logic for those two formats.
> That way we don't have a generic interface that's really only useful for
> PEM-style tools, when we know it likely won't be useful for other tools
> as well. We can add a more generic interface when we have more varied
> tools to support and we know more about what the requirements will be.

OK, so my question then is: what does just-gpgsm support look like? Do we
literally add gpgsm.program?

My thought was that taking us the first step towards a more generic
config scheme would prevent us having to backtrack later. There are also
more CMS signers than gpgsm (and I know Ben is working on a tool). So it
feels a little ugly to make it "gpgsm.program", since it really is a more
generic format.

Or would you be happy if we just turned the matcher into a whole-line
substring or regex match?

> This doesn't address Junio's concern about whether adding CMS support is
> the right direction to go. I personally think OpenPGP is the right
> direction for most open-source projects, but I know some companies want
> to use CMS internally and I'm not intrinsically opposed to that[1].
> That decision is ultimately up to Junio, though.
My guess is that fragmentation isn't likely to be much of a problem in
practice, because the tool choice generally falls along culture/community
boundaries. I'd expect that open source projects are never going to
choose CMS, because the centralized cert management is awful. But it's
exactly what many closed-source enterprises want, and they will literally
choose "no signing" over wrestling with PGP.

I'd be much more worried about the open source world splitting into
"signify" and "gpg" camps or similar. OTOH, I just don't see it as all
that big a deal. It's a project decision, and it may even allow for some
healthy competition between standards.

-Peff
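Added example (not code from this thread, from git's gpg-interface.c, or from the series under discussion) of the kind of matcher the two messages above are arguing about: a table of PEM-style signature formats, each carrying a config name and the armor header line that opens its signature block, and a scanner that picks the format by matching that header as a whole line. The struct, the table, the program field (playing the role of a hypothetical signingtool.<name>.program key) and the sample buffers are assumptions made for this example; the header strings themselves are the standard ones that gpg --armor and gpgsm --armor produce.

```c
#include <stdio.h>
#include <string.h>

/*
 * One entry per signing-tool format: config name, the tool to run for it
 * (standing in for a hypothetical signingtool.<name>.program key) and the
 * armor header line(s) that open its signature block. The table is an
 * assumption of this example; the headers are what gpg/gpgsm --armor emit.
 */
struct sig_format {
	const char *name;
	const char *program;
	const char *const *begin_markers; /* NULL-terminated */
};

static const char *const openpgp_markers[] = {
	"-----BEGIN PGP SIGNATURE-----", "-----BEGIN PGP MESSAGE-----", NULL
};
static const char *const cms_markers[] = {
	"-----BEGIN SIGNED MESSAGE-----", NULL
};
static const struct sig_format formats[] = {
	{ "gpg",   "gpg",   openpgp_markers },
	{ "gpgsm", "gpgsm", cms_markers },
};

/*
 * Whole-line match: [line, end) must be exactly `marker`, optionally plus a
 * trailing CR. A header quoted inside a line of commit text does not count.
 */
static int line_is(const char *line, const char *end, const char *marker)
{
	size_t len = strlen(marker);

	if ((size_t)(end - line) < len || memcmp(line, marker, len))
		return 0;
	line += len;
	if (line < end && *line == '\r')
		line++;
	return line == end;
}

/*
 * Scan buf (len bytes, need not be NUL-terminated) line by line; return the
 * format whose begin marker is the first matching whole line and store that
 * line's byte offset (where the signed payload ends) in *sig_offset.
 * Returns NULL when no known signature block starts in buf.
 */
const struct sig_format *detect_signature(const char *buf, size_t len,
					  size_t *sig_offset)
{
	const char *p = buf, *end = buf + len;
	size_t i;

	while (p < end) {
		const char *nl = memchr(p, '\n', (size_t)(end - p));
		const char *eol = nl ? nl : end;

		for (i = 0; i < sizeof(formats) / sizeof(formats[0]); i++) {
			const char *const *m;
			for (m = formats[i].begin_markers; *m; m++) {
				if (!line_is(p, eol, *m))
					continue;
				if (sig_offset)
					*sig_offset = (size_t)(p - buf);
				return &formats[i];
			}
		}
		if (!nl)
			break;
		p = nl + 1;
	}
	return NULL;
}

/* Length of the signed payload: everything before the header, or all of buf. */
size_t payload_len(const char *buf, size_t len)
{
	size_t off = len;
	detect_signature(buf, len, &off);
	return off;
}

int main(void)
{
	/* Constructed sample buffers, not real commits or signatures. */
	const char *const samples[] = {
		"tree abc\n\n-----BEGIN PGP SIGNATURE-----\n\niQEz...\n-----END PGP SIGNATURE-----\n",
		"tree abc\r\n\r\n-----BEGIN SIGNED MESSAGE-----\r\nMIIB...\r\n-----END SIGNED MESSAGE-----\r\n",
		"Docs: the armor begins with -----BEGIN PGP SIGNATURE----- on its own line.\n",
	};
	size_t i, off;

	for (i = 0; i < 3; i++) {
		const struct sig_format *f =
			detect_signature(samples[i], strlen(samples[i]), &off);
		if (f)
			printf("sample %zu: %s block at %zu, verify with %s\n",
			       i, f->name, off, f->program);
		else
			printf("sample %zu: no signature block\n", i);
	}
	return 0;
}
```

The example matches the header as an exact whole line. Loosening line_is to a substring or regex match, as floated above, would be a one-function change; exact matching has the advantage that a header string merely quoted inside a commit message is not mistaken for the start of a signature block, and the offset returned is the payload boundary a verifier has to hand to the tool.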