Git fork

docs: reflect actual double signature for tags

The documentation for the hash function transition reflects the original
design where the SHA-256 signature would always be placed in a header.
However, due to a missed patch in Git 2.29, we shipped SHA-256 support
such that the signature for the current algorithm is always an in-body
signature and the opposite algorithm is always in a header. Since the
documentation is inaccurate, update it to reflect the correct
information.

Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

authored by brian m. carlson and committed by Junio C Hamano
d477892b 6947ed32

+11 -9
Documentation/technical/hash-function-transition.adoc
··· 429 429 430 430 Signed Tags 431 431 ~~~~~~~~~~~ 432 - We add a new field "gpgsig-sha256" to the tag object format to allow 433 - signing tags without relying on SHA-1. Its signed payload is the 434 - SHA-256 content of the tag with its gpgsig-sha256 field and "-----BEGIN PGP 435 - SIGNATURE-----" delimited in-body signature removed. 432 + We add new fields "gpgsig" and "gpgsig-sha256" to the tag object format to 433 + allow signing tags in both formats. The in-body signature is used for the 434 + signature in the current hash algorithm and the header is used for the 435 + signature in the other algorithm. Thus, a dual-signature tag will contain both 436 + an in-body signature and a gpgsig-sha256 header for the SHA-1 format of an 437 + object or both an in-body signature and a gpgsig header for the SHA-256 format 438 + of and object. 436 439 437 - This means tags can be signed 440 + The signed payload of the tag is the content of the tag in the current 441 + algorithm with both its gpgsig and gpgsig-sha256 fields and 442 + "-----BEGIN PGP SIGNATURE-----" delimited in-body signature removed. 438 443 439 - 1. using SHA-1 only, as in existing signed tag objects 440 - 2. using both SHA-1 and SHA-256, by using gpgsig-sha256 and an in-body 441 - signature. 442 - 3. using only SHA-256, by only using the gpgsig-sha256 field. 444 + This means tags can be signed using one or both algorithms. 443 445 444 446 Mergetag embedding 445 447 ~~~~~~~~~~~~~~~~~~
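
Review bot: the last added line of the first new paragraph under "Signed Tags" ends with "of and object."; this should read "of an object." Separately, the added text uses "the current hash algorithm" and "the other algorithm" without defining them. The sentence that follows implies they mean the format the tag object is written in and its counterpart, so consider stating that in the first sentence. Someone verifying a dual-signature tag needs to know unambiguously which signature (in-body or header) covers which representation, and that both the gpgsig and gpgsig-sha256 fields are stripped from the payload before checking either one.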