Jeff King <peff@xxxxxxxx> writes:

> So commit signatures are generally an attestation by the committer, not
> by the author. It's just that the two are usually the same when you are
> committing locally.
>
> I think you would need some kind of "author-sig" header that signs the
> commit object bytes _without_ the commit header at all. And that assumes
> the maintainer's workflow is to never modify a patch in transit, and to
> apply it at the exact same spot that you wrote it (so that the parent
> and tree ids remain the same).

Doesn't it immediately break down once you send a 2-patch series?
You may be able to get the bottom one right, but the top one needs
to depend on the commit object name of the result of applying the
bottom one.

It depends on what they are trying to achieve by transferring with
existing signature intact. If they truly want to preserve the
validity of the signatures on commits, they are better off
exchanging bundles over e-mail, as reviewers and integrators are not
even allowed to touch anything.
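
The 2-patch dependency raised in the reply above, as an added example that is not part of the original message or of Git's own code. It assumes the proposed "author-sig" would cover the commit object bytes minus the committer line; the helper names, identities, tree ids and base id are constructed for illustration.

```python
import hashlib

def author_payload(tree, parent, author, message):
    """Bytes a hypothetical author-sig would cover: commit minus committer line."""
    return f"tree {tree}\nparent {parent}\nauthor {author}\n\n{message}\n".encode()

def commit_id(tree, parent, author, committer, message):
    """SHA-1 object name Git gives a commit: sha1(b'commit <len>\\0' + body)."""
    body = (f"tree {tree}\nparent {parent}\nauthor {author}\n"
            f"committer {committer}\n\n{message}\n").encode()
    return hashlib.sha1(b"commit %d\0" % len(body) + body).hexdigest()

def apply_series(base, patches, committer):
    """Stack patches on base; return [(commit_id, author_payload), ...]."""
    out, parent = [], base
    for tree, author, message in patches:
        cid = commit_id(tree, parent, author, committer, message)
        out.append((cid, author_payload(tree, parent, author, message)))
        parent = cid  # the next patch's parent is this commit's object name
    return out

# Constructed sample data (not real objects or identities).
BASE = "a" * 40
AUTHOR = "A U Thor <author@example.com> 1700000000 +0000"
MAINTAINER = "M Aintainer <maint@example.com> 1700003600 +0000"
SERIES = [("1" * 40, AUTHOR, "patch 1/2"), ("2" * 40, AUTHOR, "patch 2/2")]

def compare():
    """For each patch: does the author-signed payload survive re-application?"""
    sent = apply_series(BASE, SERIES, AUTHOR)         # author commits locally
    applied = apply_series(BASE, SERIES, MAINTAINER)  # maintainer applies at same base
    return [s[1] == a[1] for s, a in zip(sent, applied)]

if __name__ == "__main__":
    print(compare())
```

Even with identical trees and the same base, the bottom patch's payload matches while the top one does not, because its parent line names a commit whose id changed with the committer.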