On 2021-03-05 at 21:53:14, Soni L. wrote: > > > On 2021-03-05 6:44 p.m., brian m. carlson wrote: > > Can you explain what you mean by "cross-signing"? Are you proposing a > > situation where two parties sign the same commit? > > Yep. See, the repos enforce signing, but they can also be forks. If someone > wants to track upstream in one of their branches they just can't. Would be > cool if they could just say they trust the commits by signing the relevant > commits with their own key instead - on the assumption that they actually > reviewed said commits. Git doesn't natively support having multiple signatures in a commit, although it is of course possible to do, since OpenPGP supports it. However, as you noted, changing the signature changes the object ID, so if you re-sign a commit for any reason, that changes the commit ID. There isn't any way around this at all; that's just how it works. So you can either re-sign or have an unchanged commit ID, but not both at the same time. You can use additional empty signed commits or signed tags, or you can use some sort of external system that keeps track of additional signatures or approvals if you want. -- brian m. carlson (he/him or they/them) Houston, Texas, US
Attachment:
signature.asc
Description: PGP signature
