> -----Original Message-----
> From: ciphershed-bounce@xxxxxxxxxxxxx
> [mailto:ciphershed-bounce@xxxxxxxxxxxxx] On Behalf Of Rocki Hack
> Sent: Sunday, June 22, 2014 13:35
> To: ciphershed@xxxxxxxxxxxxx
> Subject: [ciphershed] Re: Decisions to be made
>
> > - signatures / warrant canaries
> > * sign all commits?
> > my suggestion: yes, better safe than sorry.
>
> Even if you sign all commits you still need to sign the tree
> (sha1 merkle hash tree) with a tag.
>
> It's not the same to sign all commits or a tag.
>
> Especially if you want to trust the committed files and not
> the committer himself.
>
> If you trust a contributor and he signs a commit then you
> trust his files.
>
> This is a simple implication but it doesn't mean the exact
> same as signing the files with a tag.
>
> I quote Linus Torvalds once again...
>
> "Well, you can (sign commits), but it's always going to be
> inferior to just adding a tag.

On an old version of git that was true, because the commit message was being signed, not the commit object.

Now that the signing is part of the commit logic.

Example, a commit object in the git database:

    tree 668ff36f646d49868cc8ce073d153a1d08d81e61
    parent 4f7ad8a8f38b06d675ac5196c80b1a26ecbee433
    author Jason Pyeron <jpyeron+test3@xxxxxxxx> 1403064519 -0400
    committer Jason Pyeron <jpyeron+test3@xxxxxxxx> 1403064519 -0400
    gpgsig -----BEGIN PGP SIGNATURE-----
     Version: GnuPG v1
     
     iQEcBAABAgAGBQJToRDHAAoJEA5zQ2VU0OjkxXAH/j8Yai1I5yDIgcx9B8+0Fuuk
     s+BweJfYxm4O77jpJAKtBWzz0SPflEZHyyDff5ApxaXuM4CbT3vhAXeASJdFKa5H
     ZgEACcmh9VmZ4N1DTIcmKUUU9vXdQXJWaIcTk+l/6LtWGI71gQtnhK3Kht5a4fVd
     yQyABJH7vI/kblnxyCmj3RslktujmICyc8B6K1o5x/xNtCA2PKrI0625l0VmAQS+
     SuSAnlLTH+Ot1vGsH4R/0Am0aKPemPwG3lgoOKzVkRNjOtN+vlBLad4WCnyAJrJL
     6ALgNUTTEXXIJAxJTXD1snpiGwFmwoHqGnMDVyT+1UlXXA8yZwD0sbHZJBjtYwg=
     =ffok
     -----END PGP SIGNATURE-----

    loged signed commit

The input to the PGP process for signing is:

    tree 668ff36f646d49868cc8ce073d153a1d08d81e61
    parent 4f7ad8a8f38b06d675ac5196c80b1a26ecbee433
    author Jason Pyeron <jpyeron+test3@xxxxxxxx> 1403064519 -0400
    committer Jason Pyeron <jpyeron+test3@xxxxxxxx> 1403064519 -0400

    loged signed commit

Now it contains the tree, parent(s) and the commit message.

<snip/>

> http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-td2582986.html

This has been overcome by events (OBE).

-Jason

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.
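The split Jason shows above, worked through in code as an added example that is not part of this thread: it takes a signed commit object, separates the gpgsig header (stored with git's space-prefixed continuation lines) from the material gpg actually signed, and shows that the object id, which a tag or a child commit names, is computed over the signature too. The sample uses the tree, parent, author, committer and message from the message above, but the signature body is a constructed placeholder, not the real one.

```python
import hashlib

# Constructed sample: the commit object quoted in the thread, with the
# signature body replaced by an obviously fake placeholder to keep it short.
SIGNED_COMMIT = (
    "tree 668ff36f646d49868cc8ce073d153a1d08d81e61\n"
    "parent 4f7ad8a8f38b06d675ac5196c80b1a26ecbee433\n"
    "author Jason Pyeron <jpyeron+test3@xxxxxxxx> 1403064519 -0400\n"
    "committer Jason Pyeron <jpyeron+test3@xxxxxxxx> 1403064519 -0400\n"
    "gpgsig -----BEGIN PGP SIGNATURE-----\n"
    " Version: GnuPG v1\n"
    " \n"
    " PLACEHOLDERSIGNATUREBODY=\n"
    " =ffok\n"
    " -----END PGP SIGNATURE-----\n"
    "\n"
    "loged signed commit\n"
)


def split_commit(raw):
    """Split a commit object into (headers, message).

    Headers end at the first blank line. A header value continues onto the
    next line when that line starts with a space; this is how git stores the
    multi-line gpgsig value inside the commit object."""
    head, _, message = raw.partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line.startswith(" ") and headers:
            key, value = headers[-1]
            headers[-1] = (key, value + "\n" + line[1:])
        else:
            key, _, value = line.partition(" ")
            headers.append((key, value))
    return headers, message


def signed_payload(raw):
    """The bytes gpg signs: the commit object minus its gpgsig header,
    i.e. tree, parent(s), author, committer and the commit message."""
    headers, message = split_commit(raw)
    kept = [f"{k} {v}" for k, v in headers if k != "gpgsig"]
    return "\n".join(kept) + "\n\n" + message


def signature(raw):
    """The detached PGP signature carried in the gpgsig header, or None."""
    headers, _ = split_commit(raw)
    return next((v for k, v in headers if k == "gpgsig"), None)


def object_id(raw):
    """Git object id: SHA-1 over 'commit <size>\\0<content>'. The gpgsig header
    is part of <content>, so a tag that names this id also covers the signature."""
    data = raw.encode()
    return hashlib.sha1(f"commit {len(data)}\0".encode() + data).hexdigest()
```

Feed `signed_payload(...)` to `gpg --verify` together with `signature(...)` to check a commit by hand; `git verify-commit` does the same separation internally.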