On Tue, May 14, 2024 at 07:51:52PM GMT, brian m. carlson wrote:
> > So… I was wondering: since we can only sign commits, is there any
> > way / work in progress to attach the author signature to a commit? To
> > me, it would make sense to have something hierarchical: the committer
> > simply signs above what the author signed, and the author doesn’t sign
> > the whole commit (I guess?), since we want to be able to change the
> > commit hash.
>
> This is a great question. I have seen previous requests for author and
> committer signatures, or in general, multiple signatures (such as with
> co-authors). Git has only one signature field (well, two if you count
> the one for the SHA-1 encoding and the SHA-256 encoding), but OpenPGP
> does allow multiple signatures to be embedded in one ASCII-armored
> blob.

It's worth noting the gittuf work that was recently profiled on LWN [1].
It does already integrate the concept of multiple signatures via in-toto
attestations [2]. I feel like it's a better approach than overloading
the currently implemented signature support.

-K

[1]: https://lwn.net/Articles/973217/
[2]: https://github.com/gittuf/gittuf/blob/main/docs/design-document.md#attestations