gitformat-signature.5 - oasis-root - Compiled tree of Oasis Linux based on own branch at <https://hacktivis.me/git/oasis/>

gitformat-signature.5 (11266B)

'\" t
.\"     Title: gitformat-signature
.\"    Author: [FIXME: author] [see http://www.docbook.org/tdg5/en/html/author]
.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/>
.\"      Date: 2025-03-14
.\"    Manual: Git Manual
.\"    Source: Git 2.49.0
.\"  Language: English
.\"
.TH "GITFORMAT\-SIGNATURE" "5" "2025-03-14" "Git 2\&.49\&.0" "Git Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
gitformat-signature \- Git cryptographic signature formats
.SH "SYNOPSIS"
.sp
.nf
<[tag|commit] object header(s)>
<over\-the\-wire protocol>
.fi
.SH "DESCRIPTION"
.sp
Git uses cryptographic signatures in various places, currently objects (tags, commits, mergetags) and transactions (pushes)\&. In every case, the command which is about to create an object or transaction determines a payload from that, calls an external program to obtain a detached signature for the payload (\fBgpg\fR \fB\-bsa\fR in the case of PGP signatures), and embeds the signature into the object or transaction\&.
.sp
Signatures begin with an "ASCII Armor" header line and end with a tail line, which differ depending on signature type (as selected by \fBgpg\&.format\fR, see \fBgit-config\fR(1))\&. These are, for \fBgpg\&.format\fR values:
.PP
\fBgpg\fR (PGP)
.RS 4
\fB\-\-\-\-\-BEGIN\fR
\fBPGP\fR
\fBSIGNATURE\-\-\-\-\-\fR
and
\fB\-\-\-\-\-END\fR
\fBPGP\fR
\fBSIGNATURE\-\-\-\-\-\fR\&. Or, if gpg is told to produce RFC1991 signatures,
\fB\-\-\-\-\-BEGIN\fR
\fBPGP\fR
\fBMESSAGE\-\-\-\-\-\fR
and
\fB\-\-\-\-\-END\fR
\fBPGP\fR
\fBMESSAGE\-\-\-\-\-\fR
.RE
.PP
\fBssh\fR (SSH)
.RS 4
\fB\-\-\-\-\-BEGIN\fR
\fBSSH\fR
\fBSIGNATURE\-\-\-\-\-\fR
and
\fB\-\-\-\-\-END\fR
\fBSSH\fR
\fBSIGNATURE\-\-\-\-\-\fR
.RE
.PP
\fBx509\fR (X\&.509)
.RS 4
\fB\-\-\-\-\-BEGIN\fR
\fBSIGNED\fR
\fBMESSAGE\-\-\-\-\-\fR
and
\fB\-\-\-\-\-END\fR
\fBSIGNED\fR
\fBMESSAGE\-\-\-\-\-\fR
.RE
.sp
Signatures sometimes appear as a part of the normal payload (e\&.g\&. a signed tag has the signature block appended after the payload that the signature applies to), and sometimes appear in the value of an object header (e\&.g\&. a merge commit that merged a signed tag would have the entire tag contents on its "mergetag" header)\&. In the case of the latter, the usual multi\-line formatting rule for object headers applies\&. I\&.e\&. the second and subsequent lines are prefixed with a SP to signal that the line is continued from the previous line\&.
.sp
This is even true for an originally empty line\&. In the following examples, the end of line that ends with a whitespace letter is highlighted with a \fB$\fR sign; if you are trying to recreate these example by hand, do not cut and paste them\(em\:they are there primarily to highlight extra whitespace at the end of some lines\&.
.sp
The signed payload and the way the signature is embedded depends on the type of the object resp\&. transaction\&.
.SH "TAG SIGNATURES"
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
created by:
\fBgit\fR
\fBtag\fR
\fB\-s\fR
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
payload: annotated tag object
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
embedding: append the signature to the unsigned tag object
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
example: tag
\fBsignedtag\fR
with subject
\fBsigned\fR
\fBtag\fR
.RE
.sp
.if n \{\
.RS 4
.\}
.nf
object 04b871796dc0420f8e7561a895b52484b701d51a
type commit
tag signedtag
tagger C O Mitter <committer@example\&.com> 1465981006 +0000
signed tag
signed tag message body
\-\-\-\-\-BEGIN PGP SIGNATURE\-\-\-\-\-
Version: GnuPG v1
iQEcBAABAgAGBQJXYRhOAAoJEGEJLoW3InGJklkIAIcnhL7RwEb/+QeX9enkXhxn
rxfdqrvWd1K80sl2TOt8Bg/NYwrUBw/RWJ+sg/hhHp4WtvE1HDGHlkEz3y11Lkuh
8tSxS3qKTxXUGozyPGuE90sJfExhZlW4knIQ1wt/yWqM+33E9pN4hzPqLwyrdods
q8FWEqPPUbSJXoMbRPw04S5jrLtZSsUWbRYjmJCHzlhSfFWW4eFd37uquIaLUBS0
rkC3Jrx7420jkIpgFcTI2s60uhSQLzgcCwdA2ukSYIRnjg/zDkj8+3h/GaROJ72x
lZyI6HWixKJkWw8lE9aAOD9TmTW9sFJwcVAzmAuFX2kUreDUKMZduGcoRYGpD7E=
=jpXa
\-\-\-\-\-END PGP SIGNATURE\-\-\-\-\-
.fi
.if n \{\
.RE
.\}
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
verify with:
\fBgit\fR
\fBverify\-tag\fR
[\fB\-v\fR] or
\fBgit\fR
\fBtag\fR
\fB\-v\fR
.RE
.sp
.if n \{\
.RS 4
.\}
.nf
gpg: Signature made Wed Jun 15 10:56:46 2016 CEST using RSA key ID B7227189
gpg: Good signature from "Eris Discordia <discord@example\&.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner\&.
Primary key fingerprint: D4BE 2231 1AD3 131E 5EDA  29A4 6109 2E85 B722 7189
object 04b871796dc0420f8e7561a895b52484b701d51a
type commit
tag signedtag
tagger C O Mitter <committer@example\&.com> 1465981006 +0000
signed tag
signed tag message body
.fi
.if n \{\
.RE
.\}
.SH "COMMIT SIGNATURES"
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
created by:
\fBgit\fR
\fBcommit\fR
\fB\-S\fR
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
payload: commit object
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
embedding: header entry
\fBgpgsig\fR
(content is preceded by a space)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
example: commit with subject
\fBsigned\fR
\fBcommit\fR
.RE
.sp
.if n \{\
.RS 4
.\}
.nf
tree eebfed94e75e7760540d1485c740902590a00332
parent 04b871796dc0420f8e7561a895b52484b701d51a
author A U Thor <author@example\&.com> 1465981137 +0000
committer C O Mitter <committer@example\&.com> 1465981137 +0000
gpgsig \-\-\-\-\-BEGIN PGP SIGNATURE\-\-\-\-\-
 Version: GnuPG v1
 $
 iQEcBAABAgAGBQJXYRjRAAoJEGEJLoW3InGJ3IwIAIY4SA6GxY3BjL60YyvsJPh/
 HRCJwH+w7wt3Yc/9/bW2F+gF72kdHOOs2jfv+OZhq0q4OAN6fvVSczISY/82LpS7
 DVdMQj2/YcHDT4xrDNBnXnviDO9G7am/9OE77kEbXrp7QPxvhjkicHNwy2rEflAA
 zn075rtEERDHr8nRYiDh8eVrefSO7D+bdQ7gv+7GsYMsd2auJWi1dHOSfTr9HIF4
 HJhWXT9d2f8W+diRYXGh4X0wYiGg6na/soXc+vdtDYBzIxanRqjg8jCAeo1eOTk1
 EdTwhcTZlI0x5pvJ3H0+4hA2jtldVtmPM4OTB0cTrEWBad7XV6YgiyuII73Ve3I=
 =jKHM
 \-\-\-\-\-END PGP SIGNATURE\-\-\-\-\-
signed commit
signed commit message body
.fi
.if n \{\
.RE
.\}
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
verify with:
\fBgit\fR
\fBverify\-commit\fR
[\fB\-v\fR] (or
\fBgit\fR
\fBshow\fR
\fB\-\-show\-signature\fR)
.RE
.sp
.if n \{\
.RS 4
.\}
.nf
gpg: Signature made Wed Jun 15 10:58:57 2016 CEST using RSA key ID B7227189
gpg: Good signature from "Eris Discordia <discord@example\&.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner\&.
Primary key fingerprint: D4BE 2231 1AD3 131E 5EDA  29A4 6109 2E85 B722 7189
tree eebfed94e75e7760540d1485c740902590a00332
parent 04b871796dc0420f8e7561a895b52484b701d51a
author A U Thor <author@example\&.com> 1465981137 +0000
committer C O Mitter <committer@example\&.com> 1465981137 +0000
signed commit
signed commit message body
.fi
.if n \{\
.RE
.\}
.SH "MERGETAG SIGNATURES"
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
created by:
\fBgit\fR
\fBmerge\fR
on signed tag
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
payload/embedding: the whole signed tag object is embedded into the (merge) commit object as header entry
\fBmergetag\fR
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
example: merge of the signed tag
\fBsignedtag\fR
as above
.RE
.sp
.if n \{\
.RS 4
.\}
.nf
tree c7b1cff039a93f3600a1d18b82d26688668c7dea
parent c33429be94b5f2d3ee9b0adad223f877f174b05d
parent 04b871796dc0420f8e7561a895b52484b701d51a
author A U Thor <author@example\&.com> 1465982009 +0000
committer C O Mitter <committer@example\&.com> 1465982009 +0000
mergetag object 04b871796dc0420f8e7561a895b52484b701d51a
 type commit
 tag signedtag
 tagger C O Mitter <committer@example\&.com> 1465981006 +0000
 $
 signed tag
 $
 signed tag message body
 \-\-\-\-\-BEGIN PGP SIGNATURE\-\-\-\-\-
 Version: GnuPG v1
 $
 iQEcBAABAgAGBQJXYRhOAAoJEGEJLoW3InGJklkIAIcnhL7RwEb/+QeX9enkXhxn
 rxfdqrvWd1K80sl2TOt8Bg/NYwrUBw/RWJ+sg/hhHp4WtvE1HDGHlkEz3y11Lkuh
 8tSxS3qKTxXUGozyPGuE90sJfExhZlW4knIQ1wt/yWqM+33E9pN4hzPqLwyrdods
 q8FWEqPPUbSJXoMbRPw04S5jrLtZSsUWbRYjmJCHzlhSfFWW4eFd37uquIaLUBS0
 rkC3Jrx7420jkIpgFcTI2s60uhSQLzgcCwdA2ukSYIRnjg/zDkj8+3h/GaROJ72x
 lZyI6HWixKJkWw8lE9aAOD9TmTW9sFJwcVAzmAuFX2kUreDUKMZduGcoRYGpD7E=
 =jpXa
 \-\-\-\-\-END PGP SIGNATURE\-\-\-\-\-
Merge tag \*(Aqsignedtag\*(Aq into downstream
signed tag
signed tag message body
# gpg: Signature made Wed Jun 15 08:56:46 2016 UTC using RSA key ID B7227189
# gpg: Good signature from "Eris Discordia <discord@example\&.net>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner\&.
# Primary key fingerprint: D4BE 2231 1AD3 131E 5EDA  29A4 6109 2E85 B722 7189
.fi
.if n \{\
.RE
.\}
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
verify with: verification is embedded in merge commit message by default, alternatively with
\fBgit\fR
\fBshow\fR
\fB\-\-show\-signature\fR:
.RE
.sp
.if n \{\
.RS 4
.\}
.nf
commit 9863f0c76ff78712b6800e199a46aa56afbcbd49
merged tag \*(Aqsignedtag\*(Aq
gpg: Signature made Wed Jun 15 10:56:46 2016 CEST using RSA key ID B7227189
gpg: Good signature from "Eris Discordia <discord@example\&.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner\&.
Primary key fingerprint: D4BE 2231 1AD3 131E 5EDA  29A4 6109 2E85 B722 7189
Merge: c33429b 04b8717
Author: A U Thor <author@example\&.com>
Date:   Wed Jun 15 09:13:29 2016 +0000
    Merge tag \*(Aqsignedtag\*(Aq into downstream
    signed tag
    signed tag message body
    # gpg: Signature made Wed Jun 15 08:56:46 2016 UTC using RSA key ID B7227189
    # gpg: Good signature from "Eris Discordia <discord@example\&.net>"
    # gpg: WARNING: This key is not certified with a trusted signature!
    # gpg:          There is no indication that the signature belongs to the owner\&.
    # Primary key fingerprint: D4BE 2231 1AD3 131E 5EDA  29A4 6109 2E85 B722 7189
.fi
.if n \{\
.RE
.\}
.SH "GIT"
.sp
Part of the \fBgit\fR(1) suite