From: Junio C Hamano <gitster@pobox.com>
To: Grayson Tinker <graysontinker@gmail.com>
Cc: git@vger.kernel.org, "Patrick Steinhardt" <ps@pks.im>,
"Elijah Newren" <newren@gmail.com>,
"Fabian Stelzer" <fs@gigacodes.de>, "Jeff King" <peff@peff.net>,
"René Scharfe" <l.s.r@web.de>
Subject: Re: [PATCH] gpg-interface: still print ssh signatures when allowed signers file is not set
Date: Thu, 09 Jul 2026 18:59:36 -0700 [thread overview]
Message-ID: <xmqqtsq7haev.fsf@gitster.g> (raw)
In-Reply-To: <20260625194330.3711-1-graysontinker@gmail.com> (Grayson Tinker's message of "Thu, 25 Jun 2026 12:43:11 -0700")
Grayson Tinker <graysontinker@gmail.com> writes:
> "show-signature" errors when the allowed signers file is not configured,
> which means that the user can't see the key that the ref was signed with
> without creating and configuring the file. Change the logic so that the file
> is only used when configured, and so the signature status is always displayed.
>
> Example of previous output:
> ```
> error: gpg.ssh.allowedSignersFile needs to be configured and exist for ssh signature verification
> commit b437db5ddc38ebda223bbae2087eee90a7b1c6e2 (HEAD -> master)
> No signature
> Author: Grayson Tinker <graysontinker@gmail.com>
> ```
>
> Example of new output:
> ```
> commit b437db5ddc38ebda223bbae2087eee90a7b1c6e2 (HEAD -> master)
> hint: Configure gpg.ssh.allowedSignersFile for automatic principal matching
> Good "git" signature with ED25519-SK key SHA256:yTU4KFs/g6MY7biDSlVStB63Gi1rCKg7dOFDXbe0yuw
> Author: Grayson Tinker <graysontinker@gmail.com>
> ```
While I haven't closely looked at the parts of this patch that I did
not quote here, this specific section caught my eye:
> @@ -528,6 +528,10 @@ static int verify_ssh_signed_buffer(struct signature_check *sigc,
> pipe_command(&ssh_keygen, sigc->payload, sigc->payload_len,
> &ssh_keygen_out, 0, &ssh_keygen_err, 0);
>
> + if (!ssh_allowed_signers) {
> + advise(_("Configure gpg.ssh.allowedSignersFile for automatic principal matching\n"));
> + }
If a user runs 'git log --show-signature -100', they will be spammed
with this message 100 times. Because it bypasses the
advise_if_enabled() mechanism, there is no way for them to disable
it.
Since I don't use SSH signing, I'm curious: how common or useful is
it to run log --show-signature without allowedSignersFile
configured? If it serves no purpose at all, then perhaps this
warning is acceptable, as users would have to configure the variable
to get any utility out of the command.
However, doesn't cryptographic verification still provide value on
its own? Even without allowedSignersFile, the signature at least
guarantees the commit content hasn't been modified since it was
signed, even if the signer's identity remains unverified. If some
users rely on this purely cryptographic validation, they probably
won't want to maintain an allowed signers file, and they would
definitely want a way to squelch this repetitive advice.
Thanks.
next prev parent reply other threads:[~2026-07-10 1:59 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-25 19:43 [PATCH] gpg-interface: still print ssh signatures when allowed signers file is not set Grayson Tinker
2026-07-09 23:50 ` Grayson Tinker
2026-07-10 1:59 ` Junio C Hamano [this message]
2026-07-10 3:42 ` Grayson Tinker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqtsq7haev.fsf@gitster.g \
--to=gitster@pobox.com \
--cc=fs@gigacodes.de \
--cc=git@vger.kernel.org \
--cc=graysontinker@gmail.com \
--cc=l.s.r@web.de \
--cc=newren@gmail.com \
--cc=peff@peff.net \
--cc=ps@pks.im \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox