Preserving the ability to have both SHA1 and SHA256 signatures

Hi Everybody,

I was reading through the
Documentation/technical/hash-function-transition.txt doc and realized
that the plan is to support allowing BOTH SHA1 and SHA256 signatures to
exist in a single object:

Signed Commits
1. using SHA-1 only, as in existing signed commit objects
2. using both SHA-1 and SHA-256, by using both gpgsig-sha256 and gpgsig
  fields.
3. using only SHA-256, by only using the gpgsig-sha256 field.

Signed Tags
1. using SHA-1 only, as in existing signed tag objects
2. using both SHA-1 and SHA-256, by using gpgsig-sha256 and an in-body
  signature.
3. using only SHA-256, by only using the gpgsig-sha256 field.

The design that I'm working on only supports a single signature that
uses a combination of fields: one 'signtype', zero or more 'signoption'
and one 'sign' in objects. I am thinking that the best thing to do is
replace the gpgsig-sha256 fields in objects and allow old gpgsig (commits)
and in-body (tags) signatures to coexist alongside to give the same
functionality.

That not only paves the way forward but preserves the full backward
compatibility that is one of my top requirements.

Thoughts?

Cheers!
Dave
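
Added example, not part of Dave's message and not code from Git: a Python sketch that reads the text of a commit or tag object and reports which of the three signature combinations listed above it carries. The sample objects, ids and signature text are constructed placeholders, and the function names and the rejection of a repeated signature header are this example's assumptions.

```python
PGP_BEGIN = "-----BEGIN PGP SIGNATURE-----"
PGP_END = "-----END PGP SIGNATURE-----"

def parse_object(raw):
    """Split object text into ([(key, value), ...], body). A header line
    starting with a space continues the previous header's value."""
    head, _, body = raw.partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line.startswith(" ") and headers:
            key, value = headers[-1]
            headers[-1] = (key, value + "\n" + line[1:])
        else:
            key, _, value = line.partition(" ")
            headers.append((key, value))
    return headers, body

def signature_mode(raw, kind):
    """Report which signatures are present. Nothing is verified here."""
    if kind not in ("commit", "tag"):
        raise ValueError("kind must be 'commit' or 'tag'")
    headers, body = parse_object(raw)
    keys = [key for key, _ in headers]
    # Assumption of this example: a repeated signature header is malformed.
    for name in ("gpgsig", "gpgsig-sha256"):
        if keys.count(name) > 1:
            raise ValueError("repeated %s header" % name)
    sha256 = "gpgsig-sha256" in keys
    # SHA-1 signature: gpgsig header on commits, in-body block on tags.
    sha1 = "gpgsig" in keys if kind == "commit" else PGP_BEGIN in body.split("\n")
    if sha1 and sha256:
        return "sha1+sha256"
    if sha1:
        return "sha1-only"
    return "sha256-only" if sha256 else "unsigned"

# Constructed sample data: placeholder ids and signature text, not real ones.
SIG = PGP_BEGIN + "\n\nCONSTRUCTED\n" + PGP_END

def folded(name, value):
    return name + " " + value.replace("\n", "\n ")

def sample_commit(*sig_headers):
    lines = ["tree " + "0" * 40, "author A U Thor <a@example.com> 0 +0000"]
    lines += [folded(name, SIG) for name in sig_headers]
    return "\n".join(lines) + "\n\nconstructed message\n"

def sample_tag(in_body, sha256):
    lines = ["object " + "0" * 40, "type commit", "tag v0"]
    lines += [folded("gpgsig-sha256", SIG)] if sha256 else []
    return "\n".join(lines) + "\n\nrelease\n" + (SIG + "\n" if in_body else "")
```

The blank line inside the armored block is stored as a line holding a single space, so the first empty line in the object still marks the end of the headers.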