From: Klaus Frank <vger.kernel.org@frank.fyi>
To: m@lfurio.us, git@vger.kernel.org
Subject: Re: How to gpg signed email patches?
Date: Sun, 13 Apr 2025 23:12:14 +0000 [thread overview]
Message-ID: <fba4f0a0-3ca8-455c-bfb8-70118de89fad@frank.fyi> (raw)
In-Reply-To: <D95V0Z9YMEX2.3J99CE4F6ZP8S@lfurio.us>
On 2025-04-14 00:21:46, Matt Hunter wrote:
> Hi
> There's a conceptual issue with mailing patches from signed commits.
> Once your patch recipient goes to apply it to their branch, they are
> recorded as the "committer" identity of the new commit object. This
> would break the validity of any existing signature.
You're right on that part. However even though it would be nice to
get the signed commit into the public repo my main focus here was
more to ensure integrity and authenticity until it is processed by
the project maintainers. E.g. it didn't get mangled by some thing on
the way and I wasn't impersonated by someone else. E.g. I was
mainly focusing on allowing the ones accepting my patch to know it
is from me and it hasn't been tampered with on the way. E.g. by a mail
server screwing with the mail content or some middle box that inserted
or rewrote parts of the message...
> This is likely the reason by the related git tools (format-patch, am)
> ignore this information.
Ok, how do others deal with that scenario then? Not an issue?
> You may have also noticed that commands like git-rebase and
> git-cherry-pick will drop signatures from commits as well, since they
> are being replayed onto a different history, changing the commit data.
True, but thouse commands to not pass information through a
lossy and "tampery" media like email. It stays local. My main focus
was on the transfer from my git repo to the (git repo of) other
devs on the project. And lesser on it being preserved after the
merge.
When a project uses a forge like github or gitlab this is basically
not such an issue because of TLS and having to have a
user account on it (and it preserving the pgp signature up until the
last click before being merged in)
next prev parent reply other threads:[~2025-04-13 23:12 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-13 19:17 How to gpg signed email patches? Klaus Frank
2025-04-13 22:21 ` Matt Hunter
2025-04-13 23:12 ` Klaus Frank [this message]
2025-04-14 16:34 ` Junio C Hamano
2025-04-13 22:52 ` brian m. carlson
2025-04-14 0:23 ` Klaus Frank
2025-04-14 0:48 ` brian m. carlson
2025-04-14 19:12 ` Junio C Hamano
2025-04-14 1:34 ` Konstantin Ryabitsev
2025-04-14 15:14 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fba4f0a0-3ca8-455c-bfb8-70118de89fad@frank.fyi \
--to=vger.kernel.org@frank.fyi \
--cc=git@vger.kernel.org \
--cc=m@lfurio.us \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).