On Wed, Oct 3, 2018 at 1:29 AM Michał Górny <mgorny@xxxxxxxxxx> wrote: > > On Fri, 2018-08-17 at 09:34 +0200, Michał Górny wrote: > > GnuPG supports creating signatures consisting of multiple signature > > packets. If such a signature is verified, it outputs all the status > > messages for each signature separately. However, git currently does not > > account for such scenario and gets terribly confused over getting > > multiple *SIG statuses. > > > > For example, if a malicious party alters a signed commit and appends > > a new untrusted signature, git is going to ignore the original bad > > signature and report untrusted commit instead. However, %GK and %GS > > format strings may still expand to the data corresponding > > to the original signature, potentially tricking the scripts into > > trusting the malicious commit. > > > > Given that the use of multiple signatures is quite rare, git does not > > support creating them without jumping through a few hoops, and finally > > supporting them properly would require extensive API improvement, it > > seems reasonable to just reject them at the moment. > > > > Gentle ping. I am not an expert on GPG, but the patch (design, code, test) looks reasonable to me.
