On 2025-04-24 at 20:39:04, Christian Couder wrote:
> Here <alg> specifies which hashing algorithm is used for this
> -signature, either `sha1` or `sha256`.
> +signature. Current valid values are:
> +
> +* "openpgp" for SHA-1 OpenPGP signatures,
> +
> +* "sha256" for SHA-256 OpenPGP signatures,
> +
> +* "x509" for X.509 (GPGSM) signatures,
> +
> +* "ssh", for SSH signatures,
> +
> +* "unknown" for signatures that can't be identified (a warning is
> + emitted).

I don't think this is a good set of options. We can have SHA-1 or SHA-256 options for any of the three. If I create a SHA-256 commit and sign it with SSH, then it couldn't be exported with this type.

It is even possible and valid to create a signature over the SHA-1 content of an object and sign it with one protocol, say, OpenPGP, and then create a signature over the SHA-256 content of the object and sign it with a different one, such as SSH. Git does not natively support this, but it is possible to do by hand.

These should be separate fields: one for the hash algorithm and one for the protocol. Alternatively, we can just keep the hash algorithm field and parse the protocol by reading the first line, which will differ for different protocols.

--
brian m. carlson (they/them)
Toronto, Ontario, CA
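Review bot: the added value list puts two independent properties into one field. "openpgp" and "sha256" both describe OpenPGP signatures and differ only in the hash, while "x509" and "ssh" name a signature format and say nothing about the hash, so the retained context line "Here <alg> specifies which hashing algorithm is used for this" no longer matches what follows it. Suggest documenting the hash and the signature format as separate values, or at least stating which hash "x509" and "ssh" imply. Two smaller points in the same list: `"ssh", for SSH signatures` has a comma the other items lack, and the "unknown" item should say which command emits the warning.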
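The alternative suggested in the message above (keep only the hash algorithm field and read the protocol from the signature's first line) can be sketched as follows. This is an added example, not part of the original message and not Git's code; the names `sig_format`, `detect_sig_format` and `sig_format_name` are hypothetical, and the sample signatures are constructed with their bodies elided.

```c
#include <stdio.h>
#include <string.h>

/* Signature protocol, tracked separately from the object hash algorithm. */
enum sig_format { SIG_UNKNOWN, SIG_OPENPGP, SIG_X509, SIG_SSH };

/* Armor header lines that open OpenPGP, gpgsm (X.509) and SSH signatures. */
static const struct { const char *armor; enum sig_format fmt; } armor_table[] = {
	{ "-----BEGIN PGP SIGNATURE-----", SIG_OPENPGP },
	{ "-----BEGIN PGP MESSAGE-----", SIG_OPENPGP },
	{ "-----BEGIN SIGNED MESSAGE-----", SIG_X509 },
	{ "-----BEGIN SSH SIGNATURE-----", SIG_SSH },
};

/* Classify by the first line only; LF and CRLF endings are both accepted. */
enum sig_format detect_sig_format(const char *sig)
{
	size_t first = strcspn(sig, "\r\n");
	for (size_t i = 0; i < sizeof(armor_table) / sizeof(armor_table[0]); i++) {
		size_t n = strlen(armor_table[i].armor);
		if (first == n && !memcmp(sig, armor_table[i].armor, n))
			return armor_table[i].fmt;
	}
	return SIG_UNKNOWN; /* caller decides whether to warn or reject */
}

const char *sig_format_name(enum sig_format fmt)
{
	static const char *names[] = { "unknown", "openpgp", "x509", "ssh" };
	return names[fmt];
}

int main(void)
{
	/* Constructed sample: hash algorithm and protocol vary independently. */
	static const struct { const char *hash; const char *sig; } sigs[] = {
		{ "sha1", "-----BEGIN PGP SIGNATURE-----\n(constructed)\n" },
		{ "sha256", "-----BEGIN SSH SIGNATURE-----\r\n(constructed)\r\n" },
		{ "sha256", "not a signature\n" },
	};
	for (size_t i = 0; i < sizeof(sigs) / sizeof(sigs[0]); i++)
		printf("hash=%s format=%s\n", sigs[i].hash,
		       sig_format_name(detect_sig_format(sigs[i].sig)));
	return 0;
}
```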