git-commit-vandalism/Documentation/technical/signature-format.txt

Git signature format
====================

== Overview

Git uses cryptographic signatures in various places, currently objects (tags,
commits, mergetags) and transactions (pushes). In every case, the command which
is about to create an object or transaction determines a payload from that,
calls gpg to obtain a detached signature for the payload (`gpg -bsa`) and
embeds the signature into the object or transaction.

Signatures always begin with `-----BEGIN PGP SIGNATURE-----`
and end with `-----END PGP SIGNATURE-----`, unless gpg is told to
produce RFC1991 signatures which use `MESSAGE` instead of `SIGNATURE`.

The signed payload and the way the signature is embedded depends
on the type of the object resp. transaction.

== Tag signatures

- created by: `git tag -s`
- payload: annotated tag object
- embedding: append the signature to the unsigned tag object
- example: tag `signedtag` with subject `signed tag`

----
object 04b871796dc0420f8e7561a895b52484b701d51a
type commit
tag signedtag
tagger C O Mitter <committer@example.com> 1465981006 +0000

signed tag

signed tag message body
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAABAgAGBQJXYRhOAAoJEGEJLoW3InGJklkIAIcnhL7RwEb/+QeX9enkXhxn
rxfdqrvWd1K80sl2TOt8Bg/NYwrUBw/RWJ+sg/hhHp4WtvE1HDGHlkEz3y11Lkuh
8tSxS3qKTxXUGozyPGuE90sJfExhZlW4knIQ1wt/yWqM+33E9pN4hzPqLwyrdods
q8FWEqPPUbSJXoMbRPw04S5jrLtZSsUWbRYjmJCHzlhSfFWW4eFd37uquIaLUBS0
rkC3Jrx7420jkIpgFcTI2s60uhSQLzgcCwdA2ukSYIRnjg/zDkj8+3h/GaROJ72x
lZyI6HWixKJkWw8lE9aAOD9TmTW9sFJwcVAzmAuFX2kUreDUKMZduGcoRYGpD7E=
=jpXa
-----END PGP SIGNATURE-----
----

- verify with: `git verify-tag [-v]` or `git tag -v`

----
gpg: Signature made Wed Jun 15 10:56:46 2016 CEST using RSA key ID B7227189
gpg: Good signature from "Eris Discordia <discord@example.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D4BE 2231 1AD3 131E 5EDA  29A4 6109 2E85 B722 7189
object 04b871796dc0420f8e7561a895b52484b701d51a
type commit
tag signedtag
tagger C O Mitter <committer@example.com> 1465981006 +0000

signed tag

signed tag message body
----

== Commit signatures

- created by: `git commit -S`
- payload: commit object
- embedding: header entry `gpgsig`
  (content is preceded by a space)
- example: commit with subject `signed commit`

----
tree eebfed94e75e7760540d1485c740902590a00332
parent 04b871796dc0420f8e7561a895b52484b701d51a
author A U Thor <author@example.com> 1465981137 +0000
committer C O Mitter <committer@example.com> 1465981137 +0000
gpgsig -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1

 iQEcBAABAgAGBQJXYRjRAAoJEGEJLoW3InGJ3IwIAIY4SA6GxY3BjL60YyvsJPh/
 HRCJwH+w7wt3Yc/9/bW2F+gF72kdHOOs2jfv+OZhq0q4OAN6fvVSczISY/82LpS7
 DVdMQj2/YcHDT4xrDNBnXnviDO9G7am/9OE77kEbXrp7QPxvhjkicHNwy2rEflAA
 zn075rtEERDHr8nRYiDh8eVrefSO7D+bdQ7gv+7GsYMsd2auJWi1dHOSfTr9HIF4
 HJhWXT9d2f8W+diRYXGh4X0wYiGg6na/soXc+vdtDYBzIxanRqjg8jCAeo1eOTk1
 EdTwhcTZlI0x5pvJ3H0+4hA2jtldVtmPM4OTB0cTrEWBad7XV6YgiyuII73Ve3I=
 =jKHM
 -----END PGP SIGNATURE-----

signed commit

signed commit message body
----

- verify with: `git verify-commit [-v]` (or `git show --show-signature`)

----
gpg: Signature made Wed Jun 15 10:58:57 2016 CEST using RSA key ID B7227189
gpg: Good signature from "Eris Discordia <discord@example.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: D4BE 2231 1AD3 131E 5EDA  29A4 6109 2E85 B722 7189
tree eebfed94e75e7760540d1485c740902590a00332
parent 04b871796dc0420f8e7561a895b52484b701d51a
author A U Thor <author@example.com> 1465981137 +0000
committer C O Mitter <committer@example.com> 1465981137 +0000

signed commit

signed commit message body
----
Documentation/technical: describe signature formats We use different types of signature formats in different places. Set up the infrastructure and overview to describe them systematically in our technical documentation. Signed-off-by: Michael J Gruber <git@drmicha.warpmail.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2016-06-17 09:46:08 +02:00			`Git signature format`
			`====================`

			`== Overview`

			`Git uses cryptographic signatures in various places, currently objects (tags,`
			`commits, mergetags) and transactions (pushes). In every case, the command which`
			`is about to create an object or transaction determines a payload from that,`
			calls gpg to obtain a detached signature for the payload (`gpg -bsa`) and
			`embeds the signature into the object or transaction.`

			Signatures always begin with `-----BEGIN PGP SIGNATURE-----`
			and end with `-----END PGP SIGNATURE-----`, unless gpg is told to
			produce RFC1991 signatures which use `MESSAGE` instead of `SIGNATURE`.

			`The signed payload and the way the signature is embedded depends`
			`on the type of the object resp. transaction.`
Documentation/technical: signed tag format Signed-off-by: Michael J Gruber <git@drmicha.warpmail.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2016-06-17 09:46:09 +02:00
			`== Tag signatures`

			- created by: `git tag -s`
			`- payload: annotated tag object`
			`- embedding: append the signature to the unsigned tag object`
			- example: tag `signedtag` with subject `signed tag`

			`----`
			`object 04b871796dc0420f8e7561a895b52484b701d51a`
			`type commit`
			`tag signedtag`
			`tagger C O Mitter <committer@example.com> 1465981006 +0000`

			`signed tag`

			`signed tag message body`
			`-----BEGIN PGP SIGNATURE-----`
			`Version: GnuPG v1`

			`iQEcBAABAgAGBQJXYRhOAAoJEGEJLoW3InGJklkIAIcnhL7RwEb/+QeX9enkXhxn`
			`rxfdqrvWd1K80sl2TOt8Bg/NYwrUBw/RWJ+sg/hhHp4WtvE1HDGHlkEz3y11Lkuh`
			`8tSxS3qKTxXUGozyPGuE90sJfExhZlW4knIQ1wt/yWqM+33E9pN4hzPqLwyrdods`
			`q8FWEqPPUbSJXoMbRPw04S5jrLtZSsUWbRYjmJCHzlhSfFWW4eFd37uquIaLUBS0`
			`rkC3Jrx7420jkIpgFcTI2s60uhSQLzgcCwdA2ukSYIRnjg/zDkj8+3h/GaROJ72x`
			`lZyI6HWixKJkWw8lE9aAOD9TmTW9sFJwcVAzmAuFX2kUreDUKMZduGcoRYGpD7E=`
			`=jpXa`
			`-----END PGP SIGNATURE-----`
			`----`

			- verify with: `git verify-tag [-v]` or `git tag -v`

			`----`
			`gpg: Signature made Wed Jun 15 10:56:46 2016 CEST using RSA key ID B7227189`
			`gpg: Good signature from "Eris Discordia <discord@example.net>"`
			`gpg: WARNING: This key is not certified with a trusted signature!`
			`gpg: There is no indication that the signature belongs to the owner.`
			`Primary key fingerprint: D4BE 2231 1AD3 131E 5EDA 29A4 6109 2E85 B722 7189`
			`object 04b871796dc0420f8e7561a895b52484b701d51a`
			`type commit`
			`tag signedtag`
			`tagger C O Mitter <committer@example.com> 1465981006 +0000`

			`signed tag`

			`signed tag message body`
			`----`
Documentation/technical: signed commit format Signed-off-by: Michael J Gruber <git@drmicha.warpmail.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2016-06-17 09:46:10 +02:00
			`== Commit signatures`

			- created by: `git commit -S`
			`- payload: commit object`
			- embedding: header entry `gpgsig`
			`(content is preceded by a space)`
			- example: commit with subject `signed commit`

			`----`
			`tree eebfed94e75e7760540d1485c740902590a00332`
			`parent 04b871796dc0420f8e7561a895b52484b701d51a`
			`author A U Thor <author@example.com> 1465981137 +0000`
			`committer C O Mitter <committer@example.com> 1465981137 +0000`
			`gpgsig -----BEGIN PGP SIGNATURE-----`
			`Version: GnuPG v1`

			`iQEcBAABAgAGBQJXYRjRAAoJEGEJLoW3InGJ3IwIAIY4SA6GxY3BjL60YyvsJPh/`
			`HRCJwH+w7wt3Yc/9/bW2F+gF72kdHOOs2jfv+OZhq0q4OAN6fvVSczISY/82LpS7`
			`DVdMQj2/YcHDT4xrDNBnXnviDO9G7am/9OE77kEbXrp7QPxvhjkicHNwy2rEflAA`
			`zn075rtEERDHr8nRYiDh8eVrefSO7D+bdQ7gv+7GsYMsd2auJWi1dHOSfTr9HIF4`
			`HJhWXT9d2f8W+diRYXGh4X0wYiGg6na/soXc+vdtDYBzIxanRqjg8jCAeo1eOTk1`
			`EdTwhcTZlI0x5pvJ3H0+4hA2jtldVtmPM4OTB0cTrEWBad7XV6YgiyuII73Ve3I=`
			`=jKHM`
			`-----END PGP SIGNATURE-----`

			`signed commit`

			`signed commit message body`
			`----`

			- verify with: `git verify-commit [-v]` (or `git show --show-signature`)

			`----`
			`gpg: Signature made Wed Jun 15 10:58:57 2016 CEST using RSA key ID B7227189`
			`gpg: Good signature from "Eris Discordia <discord@example.net>"`
			`gpg: WARNING: This key is not certified with a trusted signature!`
			`gpg: There is no indication that the signature belongs to the owner.`
			`Primary key fingerprint: D4BE 2231 1AD3 131E 5EDA 29A4 6109 2E85 B722 7189`
			`tree eebfed94e75e7760540d1485c740902590a00332`
			`parent 04b871796dc0420f8e7561a895b52484b701d51a`
			`author A U Thor <author@example.com> 1465981137 +0000`
			`committer C O Mitter <committer@example.com> 1465981137 +0000`

			`signed commit`

			`signed commit message body`
			`----`