René Scharfe <l.s.r@xxxxxx> writes: >> Yes, which is exactly how this (and existing --add-file) makes >> Konstantin's plan much less useful. > People added untracked files to archives before --add-file existed. > > --add-file-with-content could be used to add the .GIT_ARCHIVE_SIG file. > > Additional untracked files would need a manifest to specify which files > are (not) covered by the signed commit/tag. Or the .GIT_ARCHIVE_SIG > files could be added just after the signed files as a rule, before any > other untracked files, as some kind of a separator. Or if people do not _exclude_ tracked files from the archive, then the verifier who has a tarball and a Git tree object can consult the tree object to see which ones are added untracked cruft. > Just listing untracked files and verifying the others might still be > useful. Warning about untracked files shadowing tracked ones would be > very useful. Yup. > Some equivalent to the .GIT_ARCHIVE_SIG file containing a signature of > the untracked files could optionally be added at the end to allow full > verification -- but would require signing at archive creation time. Yeah, and at that point, it is not much more convenient than just signing the whole archive (sans the SIG part, obviously), which is what people have always done ;-)
