[Request for Documentation] Differentiate signed (commits/tags/pushes)
- Date: Mon, 6 Mar 2017 11:59:24 -0800
- From: Stefan Beller <sbeller@xxxxxxxxxx>
- Subject: [Request for Documentation] Differentiate signed (commits/tags/pushes)
When discussing migrating to a new hashing function, I tried to learn
about the subtleties of the different things that can be gpg-signed in
What is the difference between signed commits and tags?
(Not from a technical perspective, but for the end user)
Both of them certify that a given tree is the desired
content for your repository, but git-tag seems to be designed for
conveying a trusted state to collaborators, whereas git-commit
is primarily designed to just record a state.
So in which case would I want to use a signed commit?
(which then overlaps with signed pushes)
A signed push can certify that a given payload (consisting
of multiple commits on possibly multiple branches) was transmitted
to a remote, which can be recorded by the remote as e.g. a proof
The man page of git-commit doesn't discuss gpg signing at all,
git-tag has some discussion on how to properly use tags. Maybe
there we could have a discussion on when not to use tags, but
rather signed commits?
Off list I was told gpg-signed commits are a "checkbox feature",
i.e. no real world workflow would actually use it. (That's a bold
statement, someone has to use it as there was enough interest
to implement it, no?)