"brian m. carlson" <sandals@xxxxxxxxxxxxxxxxxxxx> writes: > This series introduces support for verifying commits and tags signed by > multiple algorithms. > > Originally, we had planned for SHA-256 tags to stuff the signature in a > header instead of using a trailing signature, and a patch to do that was > sent out in part 1/3. Unfortunately, for whatever reason, that patch > didn't make it into the master branch, and so we use trailing signatures > there. > > We can't change this now, because otherwise it would be ambiguous > whether the trailing signature on a SHA-256 object was for the SHA-256 > contents or whether the contents were a rewritten SHA-1 object with no > SHA-256 signature at all. How widely are SHA-256 tags in use in the real world, though? Is it really too late to fix that already?
