On September 9, 2021 6:56 AM, Steffen Nurpmeso wrote: >Benjamin Kaduk wrote in > <20210908233639.GY19992@xxxxxxxxxx>: > |On Thu, Sep 09, 2021 at 01:03:28AM +0200, Steffen Nurpmeso wrote: > |> But if i use > |> > |> #?0|kent:tls-openssl.git$ alias gl1 > |> alias gl1='git slpn -1' > |> #?0|kent:tls-openssl.git$ git alias|grep slpn > |> alias.slpn log --show-signature --patch --find-renames --stat --no-abbr\ > |> ev-commit > |> #?0|kent:tls-openssl.git$ gl1 openssl-3.0.0 > |> commit 89cd17a031e022211684eb7eb41190cf1910f9fa (tag: refs/tags/openssl\ > |> -3.0.0) > |> ... > |> > |> i do not. Hm, maybe i need to relearn git again, looking around |> i see a couple of projects for which this is true (Linux, |> >wireguard-tools), for others it is not (my own project, nghttp2). > | > |I think (off the top of my head, i.e., without consulting a reference) |that `git log` (which your aliases end up at) will only display >|signatures on commits, but will not show the tag objects themselves. > |`git show` does display the tag object, and for openssl only the tag |object is what is signed; the commits themselves are not signed. > >I see. That is a logical one, thanks for the explanation. >Sometimes one (Me! That is.) really would have to drop all entrenched habits, aliases and scripts and do anything anew. For example i >now have learned that "push" also can be signed! (And yes, i do use commit -S and tag -s for release tags for .. many >years.) > > |-Ben > --End of <20210908233639.GY19992@xxxxxxxxxx> > >--steffen $ git tag --verify openssl-3.0.0 object 89cd17a031e022211684eb7eb41190cf1910f9fa type commit tag openssl-3.0.0 tagger Richard Levitte <richard@xxxxxxxxxxx> 1631015200 +0200 OpenSSL 3.0.0 release tag gpg: Signature made Tue Sep 7 07:46:40 2021 EDT gpg: using DSA key A7AF9E78F709453B gpg: Can't check signature: public key not found Although I do not have Richard's public key on the system where I ran the command and GitHub is not showing the verification status of the tag. -Randall
