Michael J Gruber <g...@drmicha.warpmail.net> writes:
> A merge commit with embedded signed tag it is, then.
> The commit could carry it's own commit signature, couldn't it?
Yes, an integrator can choose to sign a merge he creates, merging
the work by a contributor who gave him a pull-request for a tag
signed by the contributor. The resulting commit will embed the
contributor's signature to let historians verify the second parent,
as well as the integrator's signature to allow verification of the
merge result. The integrator does not need to keep the signed tag
used as an implementation detail of transferring the signature of
the contributor, and in general such a signed tag used only to
request pulls is not available to the general public and historians
after such a merge is created.
As these signatures are part of a commit object, "git verify-commit"
would be the logical place to validate them, if we were to do so.
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html