Re: [PATCH] fast-(import|export): improve on the signature algorithm name

[Christian Couder <christian.couder@gmail.com>]

On Fri, Apr 25, 2025 at 12:05 AM brian m. carlson
<sandals@crustytoothpaste.net> wrote:
>
> On 2025-04-24 at 20:39:04, Christian Couder wrote:
> >  Here <alg> specifies which hashing algorithm is used for this
> > -signature, either `sha1` or `sha256`.
> > +signature. Current valid values are:
> > +
> > +* "openpgp" for SHA-1 OpenPGP signatures,
> > +
> > +* "sha256" for SHA-256 OpenPGP signatures,
> > +
> > +* "x509" for X.509 (GPGSM) signatures,
> > +
> > +* "ssh", for SSH signatures,
> > +
> > +* "unknown" for signatures that can't be identified (a warning is
> > +  emitted).
>
> I don't think this is a good set of options.  We can have SHA-1 or
> SHA-256 options for any of the three.  If I create a SHA-256 commit and
> sign it with SSH, then it couldn't be exported with this type.
>
> It is even possible and valid to create a signature over the SHA-1
> content of an object and sign it with one protocol, say, OpenPGP, and
> then create a signature over the SHA-256 content of the object and sign
> it with a different one, such as SSH.  Git does not natively support
> this, but it is possible to do by hand.
>
> These should be separate fields: one for the hash algorithm and one for
> the protocol.

Yeah, I agree that the set of options is not ideal and it would be
better if it was possible to get these two separate fields.

> Alternatively, we can just keep the hash algorithm field
> and parse the protocol by reading the first line, which will differ for
> different protocols.

I am not sure it's easy to get all the information without checking
the signature. I have tried a different approach based on checking the
signature in the v2.

Thanks for the review!