On Tue, 20 Apr 2021 17:07:09 -0600, brian m. carlson wrote: > On 2021-04-20 at 17:15:25, Luke Shumaker wrote: > > I don't believe that's true? With SHA-1-signed tags, the signature > > gets included in the fast-import stream as part of the tag message > > (the `data` line in the BNF). Since SHA-256-signed tags have their > > signature as a header (rather than just appending it to the message), > > we'd have to add a 'gpgsig' sub-command to the 'tag' top-level-command > > (like I've done to the 'commit' top-level-command). > > If you're using a repository that's SHA-1, then the tag signature that's > part of the message is a signature over the SHA-1 contents of the > object, and the gpgsig-sha256 header is a signature over the SHA-256 > contents of the object. If you're using a repository that's SHA-256, > it's reversed: the signature at the end of the message covers the > SHA-256 contents of the object and the gpgsig header covers the SHA-1 > contents. Good to know! It seems I've been mislead by Documentation/technical/hash-function-transition.txt > Not implementing this means the CI will fail when the testsuite is run > in SHA-256 mode, so your patch probably won't be accepted. Gotcha. I guess I will be implementing it then. I'll let you know if I have any further questions, the information you've given already has been very helpful! -- Happy hacking, ~ Luke Shumaker
