Re: Author signature

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 2024-05-14 at 18:31:55, Dimitri Sabadie wrote:
> With the email workflow, from what I understand, `git am` has no way to
> keep the signature of the author — and I have not found anything going
> that direction with `git send-email` and `git format-patch`, and I think
> that the reason why is because the commit is modified to introduce the
> committer (committer being me here; the author being the contributor who
> sent the patch), whence the commit SHA changes. The author signature is
> simply dropped, and `git log --show-signature` only shows my GPG
> signature; not the author’s anymore!

`git send-email` does not send a signature, correct.  I've proposed an
approach to add such a signature in the past as part of a more general
series, but it hasn't been implemented.

> So… I was wondering: since we can only sign commits, is there any
> way / work in progress to attach the author signature to a commit? To
> me, it would make sense to have something hierarchical: the comitter
> simply signs above what the author signed, and the author doesn’t sign
> the whole commit (I guess?), since we want to be able to change the
> commit hash.

This is a great question.  I have seen previous requests for author and
committer signatures, or in general, multiple signatures (such as with
co-authors).  Git has only one signature field (well, two if you could
the one for the SHA-1 encoding and the SHA-256 encoding), but OpenPGP
does allow multiple signatures to be embedded in one ASCII-armored blob.

So it is in theory possible to take the author signature and _add_ a
committer signature and have both be valid, although this will change
the object ID of the commit.  However, Git doesn't support that right
now, although there's no reason it couldn't be added for OpenPGP.  I
don't know whether it's possible for X.509 to have multiple signatures,
and I don't get the impression that OpenSSH supports it (but haven't
checked).

I was doing some test work on this within the past week, and I have a
vague desire to implement such a thing, but no definitive plans at the
moment.
-- 
brian m. carlson (they/them or he/him)
Toronto, Ontario, CA

Attachment: signature.asc
Description: PGP signature

[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]

  Powered by Linux