Re: Adding RFC 3161 timestamps to git tags

["Anton Wuerfel" <anton.wuerfel@fau.de>]

Hello Junio,

thanks for your reply. See my comments below.

"Junio C Hamano" <gitster@pobox.com> writes:

> A few random thoughts that come to mind, none of which is
> rhetorical [*1*]:
>
>  - What should happen when the timestamping service is unreachable?
>    The user cannot get her work done at all?  A tag is created
>    without timestamp and with a warning?  Something else?

If the timestamping service is unreachable, we plan to output a warning
and abort the tag creation as a default behavior. However we could create
config option to allow the user to create a tag without a signature if the
TSA (timestamp authority) is not available.


>  - Is "signed tag" the only thing that will benefit from such a
>    certified timestamping mechanism?  Would it be worthwhile to
>    offer a similar support for "signed commit"?

This is a good point. We will consider implementing this in signed
commits, too. Like in gpg-signed commits, rebases and changes of these
commits will not be possible any more without invalidating the timestamp
signature. However, the intention behind all this is to be able to verify
important steps in development and continue to be able to work and commit
without internet connection. Therefore our main focus is on tags with
timestamp signatures.


>  - How would the certified timestamp interact with GPG signing of
>    the tag?  Can they both be applied to the same tag, and if so
>    what is signed by which mechanism and in what order or are they
>    done independently and in parallel?  E.g. would the timestamp be
>    done on the contents without GPG signature, and the GPG signature
>    be done on the contents without timestamp, and both signature
>    blocks concatenated at the end of the original contents?

Both GPG and timestamp signing can be assigned to the same tag. A GPG
signature includes the timestamp signature for one important reason: It
should not be possible to replace an existing timestamp signature by
another (later) timestamp signature. Including the timestamp signature
into the GPG signature prevents this.
Creating a timestamp signature without any GPG signature at all is
therefore possible but would be vulnerable to the described scenario.


>  - Would it make sense to store the certified timestamp in the
>    object header part, like the way GPG signature for signed commit
>    objects are stored [*2*], instead of following the old-style
>    "signed tag" that concatenates a separate signature at the end?

For timestamped commits we will, of course, use the new-style format. We
would also new-style format for git tags, leaving the GPG signature as is
and creating a timesig-header. However, mixing old-style and new-style
format in tag objects would introduce an inconsistency. Is this
problematic?

Regards,
Phillip Raffeck
Anton Wuerfel