Push Annotated Tag vs. Push Signed Tag


David Pursehouse

Apr 21, 2015, 6:08:58 AM
to repo-d...@googlegroups.com
In Gerrit there are separate permissions for pushing an Annotated Tag
and pushing a Signed Tag.

What is the reason for separating these into two different permissions?

Isn't a signed tag basically the same as an annotated tag, only having a
signature block appended to the message (annotation) part?

Sebastian Schuberth

Apr 22, 2015, 7:17:54 AM
to repo-d...@googlegroups.com

I think you're probably mixing up (cryptographically) signed tags (git tag -s) with signing-off a commit (git commit -s). The latter really just adds a textual "Signed-off-by:" footer to the commit message whereas the first signs a tag with GnuPG. You can also sign commits with "git commit -S" (upper case S). So as the two are fundamentally different things, having separate permissions for each makes sense.

Regards,
Sebastian

David Pursehouse

Apr 22, 2015, 10:31:51 AM
to Sebastian Schuberth, repo-d...@googlegroups.com
On Wed, Apr 22, 2015 at 8:17 PM Sebastian Schuberth <sschu...@gmail.com> wrote:
> On Tuesday, April 21, 2015 at 12:08:58 PM UTC+2, David Pursehouse wrote:
> > In Gerrit there are separate permissions for pushing an Annotated Tag
> > and pushing a Signed Tag.
> >
> > What is the reason for separating these into two different permissions?
> >
> > Isn't a signed tag basically the same as an annotated tag, only having a
> > signature block appended to the message (annotation) part?
>
> I think you're probably mixing up (cryptographically) signed tags (git tag -s) with signing-off a commit (git commit -s).

No, this is nothing to do with signing-off commits.

An annotated tag is made by `git tag -a` and then entering the message when prompted or `git tag -m 'message'`.  A signed tag is made with `git tag -s` and optionally the `-a` or `-m` to include a message.

In both cases the structure is the same, but the signed one has the gpg signature appended on the message field.

See the following sequence of commands for example:

> The latter really just adds a textual "Signed-off-by:" footer to the commit message whereas the first signs a tag with GnuPG. You can also sign commits with "git commit -S" (upper case S). So as the two are fundamentally different things, having separate permissions for each makes sense.
>
> Regards,
> Sebastian


Sebastian Schuberth

Apr 22, 2015, 10:42:11 AM
to David Pursehouse, repo-d...@googlegroups.com
On Wed, Apr 22, 2015 at 4:31 PM, David Pursehouse
<david.pu...@gmail.com> wrote:

> In both cases the structure is the same, but the signed one has the gpg
> signature appended on the message field.

Interesting, I wasn't aware that the PGP signature is indeed just
added as part of the annotation of a tag just like any other
user-provided annotation via "-a".

But still I think it makes sense to have different permissions for
annotated and signed tags. A project might have the policy that all
release tags on master must be signed, and in that case it's a good
idea to be able to deny pushing of unsigned tags (annotated or
not).

--
Sebastian Schuberth

David Pursehouse

Apr 22, 2015, 10:42:54 AM
to Sebastian Schuberth, repo-d...@googlegroups.com
On Wed, Apr 22, 2015 at 11:31 PM David Pursehouse <david.pu...@gmail.com> wrote:
> On Wed, Apr 22, 2015 at 8:17 PM Sebastian Schuberth <sschu...@gmail.com> wrote:
> > On Tuesday, April 21, 2015 at 12:08:58 PM UTC+2, David Pursehouse wrote:
> > > In Gerrit there are separate permissions for pushing an Annotated Tag
> > > and pushing a Signed Tag.
> > >
> > > What is the reason for separating these into two different permissions?
> > >
> > > Isn't a signed tag basically the same as an annotated tag, only having a
> > > signature block appended to the message (annotation) part?
> >
> > I think you're probably mixing up (cryptographically) signed tags (git tag -s) with signing-off a commit (git commit -s).
>
> No, this is nothing to do with signing-off commits.
>
> An annotated tag is made by `git tag -a` and then entering the message when prompted or `git tag -m 'message'`. A signed tag is made with `git tag -s` and optionally the `-a` or `-m` to include a message.
>
> In both cases the structure is the same, but the signed one has the gpg signature appended on the message field.


And if we look at the code in Gerrit where it checks the push tags permissions [1], we can see this:

// If the tag has a PGP signature, allow a lower level of permission
// than if it doesn't have a PGP signature.
//
if (tag.getFullMessage().contains("-----BEGIN PGP SIGNATURE-----\n")) {
  return owner || canPerform(Permission.PUSH_SIGNED_TAG);
} else {
  return owner || canPerform(Permission.PUSH_TAG);
}

So my original question still stands: what is the reasoning for having an explicit permission for pushing signed tags?
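To make the structural point above concrete, here is an added example (not code from this thread or from Gerrit) that parses two constructed tag objects in the form `git cat-file -p` prints them, separates the annotation from the PGP block, and applies the same presence check as the Gerrit snippet. The object hash and the signature body are placeholders; the function and constant names are mine.

```python
# Constructed sample tag objects, laid out as `git cat-file -p <tag>` prints
# them. The object hash and the armored signature body are placeholders.
ANNOTATED_TAG = (
    "object 0000000000000000000000000000000000000001\n"
    "type commit\n"
    "tag v1.0.0\n"
    "tagger Example Tagger <tagger@example.invalid> 1429600000 +0200\n"
    "\n"
    "Release 1.0.0\n"
)

# `git tag -s` produces the same headers and message, then appends the
# ASCII-armored signature to the message field.
SIGNED_TAG = ANNOTATED_TAG + (
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "PLACEHOLDER-signature-body-not-a-real-signature==\n"
    "-----END PGP SIGNATURE-----\n"
)

SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----\n"
SIG_END = "-----END PGP SIGNATURE-----\n"


def parse_tag(raw):
    """Split a tag object into its header dict and its message (the annotation)."""
    header_text, _, message = raw.partition("\n\n")
    headers = {}
    for line in header_text.splitlines():
        key, _, value = line.partition(" ")
        headers[key] = value
    for required in ("object", "type", "tag", "tagger"):
        if required not in headers:
            raise ValueError("missing %s header" % required)
    return headers, message


def split_signature(message):
    """Return (annotation, signature_block); signature_block is None if unsigned."""
    idx = message.find(SIG_BEGIN)
    if idx < 0 or not message.endswith(SIG_END):
        return message, None
    return message[:idx], message[idx:]


def gerrit_permission_for(raw):
    """Mirror the quoted Gerrit check: a PGP block in the message selects
    PUSH_SIGNED_TAG, otherwise PUSH_TAG. Presence of the block is a
    structural test only; it does not verify the signature."""
    _, message = parse_tag(raw)
    return "PUSH_SIGNED_TAG" if SIG_BEGIN in message else "PUSH_TAG"
```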

Oswald Buddenhagen

Apr 23, 2015, 10:10:39 AM
to repo-d...@googlegroups.com
On Wed, Apr 22, 2015 at 02:42:51PM +0000, David Pursehouse wrote:
> So my original question still stands: what is the reasoning for having
> an explicit permission for pushing signed tags?
>
to be able to forbid pushing *un*signed tags, i presume.

but in either case it makes no sense to have separate permissions for
that; it should be a single enum instead.