Re: [Request for Documentation] Differentiate signed (commits/tags/pushes)
- Date: Mon, 6 Mar 2017 14:52:37 -0800
- From: Stefan Beller <sbeller@xxxxxxxxxx>
- Subject: Re: [Request for Documentation] Differentiate signed (commits/tags/pushes)
On Mon, Mar 6, 2017 at 2:13 PM, Junio C Hamano <gitster@xxxxxxxxx> wrote:
> Stefan Beller <sbeller@xxxxxxxxxx> writes:
>> What is the difference between signed commits and tags?
>> (Not from a technical perspective, but for the end user)
> When you "commit -s", you are signing the bytes in the commit
> object, which means that you are attesting the fact that the tree
> you wanted to record is one of the 47 other colliding tree objects
> that happen to share that 40-hex hash value, and also the fact that
> the commits you wanted to record as its parents have certain SHA-1
> hash values. As you are relying on the resistance to preimage
> attack against SHA-1 at least locally around that signed commit,
> there wouldn't be meaningful difference between a 50-commit series
> each of which is individually signed with "commit -s", such a
> 50-commit series, only the top of which is signed with "commit -s",
> and the same 50-commit series, on the top of which is signed with
> "tag -s".
> "tag -s" also has the benefit of being retroactive. You can create
> commit, think about it for a week and then later tag it. And ask
> others to also tag the same one. You cannot do so with "commit -s".
ok, so there is *no* advantage of signing a commit over tags?
I'll see if I can write a patch that enhances Documentation/git-commit.txt
pointing to git-tag instead.
>> A signed push can certify that a given payload (consisting
>> of multiple commits on possibly multiple branches) was transmitted
>> to a remote, which can be recorded by the remote as e.g. a proof
>> of work.
> A signed push is _NOT_ about certifying the objects in the history
Yes that is my understanding, though I was unclear in writing it.
> I'd agree with that "checkbox" description, [...]
> "commit -s" was a remedy for that.
Out of curiosity: Does (did) such a project exist? Can I read up on that
and their best practices?