Re: Signing commits and tags differently

["brian m. carlson" <sandals@crustytoothpaste.net>]

[-- Attachment #1: Type: text/plain, Size: 1772 bytes --]

On 2025-08-12 at 15:18:19, Andrea Pappacoda wrote:
> Hi all!

Hi,

> I would like to configure Git to automatically sign commits using SSH keys,
> while using OpenPGP when creating signed tags. As far as I can tell, this
> isn't currently possible.

I agree this isn't possible with the default commands, although you
could solve with with an alias (such as `alias.signed-tag="!f() { git -c
gpg.format=openpgp tag "$@"; };f"`).

I'm interested to hear more about your use case for this split, since
it's the first time I've heard about someone wanting to do this.

> What I was thinking about were a couple of options like commit.gpg.format
> and tag.gpg.format, as we already have commit.gpgSign and tag.gpgSign. Of
> course, differently namespaced options like gpg.tag.format would work too.
> 
> What do you think? Does this make any sense to you? Let me know!

I don't have a strong opinion about adding this feature or not
(especially since I don't know about your use case), but I think if this
feature were implemented we'd need to have the format options default to
the current config option to not regress functionality for existing
users.

There's also the issue that this makes verification more difficult.
After all, you sign the data once, but presumably the data is verified
many times by many different users (or software acting on their behalf,
such as a forge).  That means that we'd either need to autodetect the
signature and invoke the right tool (which we may already do) or every
individual user would need to have the appropriate configuration set up
for both.

Again, no strong opinions here, just thoughts about what an
implementation might look like.
-- 
brian m. carlson (they/them)
Toronto, Ontario, CA

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 262 bytes --]