Randall S. Becker wrote in <012201d7a590$56df08d0$049d1a70$@nexbridge.com>: |On September 9, 2021 6:56 AM, Steffen Nurpmeso wrote: |>Benjamin Kaduk wrote in |> <20210908233639.GY19992@xxxxxxxxxx>: |>|On Thu, Sep 09, 2021 at 01:03:28AM +0200, Steffen Nurpmeso wrote: ... |>|I think (off the top of my head, i.e., without consulting a reference) \ |>| |that `git log` (which your aliases end up at) will only |display |>|signatures on commits, but will not show the tag objects themselves. |>|`git show` does display the tag object, and for openssl only the \ |>|tag |object is what is signed; the commits themselves are not |signed. |> |>I see. That is a logical one, thanks for the explanation. ... |$ git tag --verify openssl-3.0.0 Yes yes, ok! But like i said, wouldn't it be nice if at least release commits would be signed also, a.k.a./or when a new branch is created? In Linux for example the merge commits to the master branch are signed, in addition to the tags of the actual releases. It may even be a deja vu and i may have clamoured in the past. ... |Although I do not have Richard's public key on the system where I ran \ |the command and GitHub is not showing the verification status |of the tag. I do not know much about github. In fact i did not even know that the Linux release commits are _not_ signed, because if i look (what do _i_ know from the kernel?) then i only look at master, and there you see signed commits. And since my url= is https i do not actually verify tags. (In fact it is automated and simply diff(1)s in the difference to the version stated in the Makefile in /usr/src/linux/.) But true, the last merge before Linux 5.14 was signed, but the creation of the linux-5.14.y branch not. Ach, forget about the noise, i hope next time i finally have my head turned on before i post :) Thank you. --steffen | |Der Kragenbaer, The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt)
