Currently we have the ability to verify tags. But it would be greatly beneficial to be able to sign and verify commit messages, with and without GPG signatures.
```
> git cat-file -p 8daac22021c9f01a68cd81a357679c105cfe034c
tree fa70095586eca8f25721f018f0be68c929fc6a96
parent 7c58b2021a066f1e552deeb37431bc70b6215d62
author Adam Majer <amajer@suse.de> 1688037521 +0200
committer Adam Majer <amajer@suse.de> 1688037540 +0200

testing
Git-EVTag-v0-SHA512: 64ea6fbecfb72fa24936f90d44024d4f98889c76eb07d8027852cfe074aa76e9ee4afdfe72f380391ae9be28cea3734c26beaa5b6876bfefb62debaa8be56ece
```
Then verification should be done in a similar way to GPG verification, where the signature headers are stripped from the commit and then verified. Currently the Git-EVTag-v0-SHA512 header is not stripped from the calculation, and this has to happen to make this possible.
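A sketch of the strip-then-verify step requested above, added here as an illustration and not taken from git-evtag's code. It assumes the digest covers only the commit object bytes (the real tool also walks the tree and blobs) and that the trailer is the last line of the message after one blank line; the function names are hypothetical and the sample commit is constructed from the header lines shown in the issue.

```python
import hashlib
import hmac

TRAILER = b"Git-EVTag-v0-SHA512: "

def commit_digest(body: bytes) -> bytes:
    """Hex SHA-512 over the git object header plus the commit bytes.
    Simplification (assumption): only the commit object is hashed."""
    h = hashlib.sha512(b"commit %d\x00" % len(body))
    h.update(body)
    return h.hexdigest().encode()

def embed_evtag(body: bytes) -> bytes:
    """Append the digest of the trailer-free commit as the final message line."""
    return body + b"\n" + TRAILER + commit_digest(body) + b"\n"

def strip_evtag(raw: bytes):
    """Return (commit bytes without the trailer, claimed digest or None)."""
    idx = raw.rfind(b"\n" + TRAILER)
    if idx == -1:
        return raw, None
    header_end = raw.find(b"\n\n")
    if header_end == -1 or idx < header_end:
        raise ValueError("EVTag trailer found outside the commit message")
    value = raw[idx + 1 + len(TRAILER):]
    if not value.endswith(b"\n") or b"\n" in value[:-1]:
        raise ValueError("EVTag trailer must be the last line of the message")
    return raw[:idx], value[:-1]

def verify(raw: bytes) -> bool:
    """Strip the trailer first, then compare digests in constant time."""
    body, claimed = strip_evtag(raw)
    return claimed is not None and hmac.compare_digest(commit_digest(body), claimed)

# Constructed sample: header lines from the issue, digest recomputed by this sketch.
UNSIGNED = (
    b"tree fa70095586eca8f25721f018f0be68c929fc6a96\n"
    b"parent 7c58b2021a066f1e552deeb37431bc70b6215d62\n"
    b"author Adam Majer <amajer@suse.de> 1688037521 +0200\n"
    b"committer Adam Majer <amajer@suse.de> 1688037540 +0200\n"
    b"\n"
    b"testing\n"
)
SIGNED = embed_evtag(UNSIGNED)

if __name__ == "__main__":
    print("verified:", verify(SIGNED))
```

Hashing `SIGNED` directly, without stripping, can never match the embedded value because the digest would have to cover itself; that is the behaviour the issue asks to change.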