Documentation / technical / signature-format.txton commit Merge branch 'rs/fsck-obj-leakfix' (2d68161)
   1Git signature format
   2====================
   3
   4== Overview
   5
   6Git uses cryptographic signatures in various places, currently objects (tags,
   7commits, mergetags) and transactions (pushes). In every case, the command which
   8is about to create an object or transaction determines a payload from that,
   9calls gpg to obtain a detached signature for the payload (`gpg -bsa`) and
  10embeds the signature into the object or transaction.
  11
  12Signatures always begin with `-----BEGIN PGP SIGNATURE-----`
  13and end with `-----END PGP SIGNATURE-----`, unless gpg is told to
  14produce RFC1991 signatures which use `MESSAGE` instead of `SIGNATURE`.
  15
  16The signed payload and the way the signature is embedded depends
  17on the type of the object resp. transaction.
  18
  19== Tag signatures
  20
  21- created by: `git tag -s`
  22- payload: annotated tag object
  23- embedding: append the signature to the unsigned tag object
  24- example: tag `signedtag` with subject `signed tag`
  25
  26----
  27object 04b871796dc0420f8e7561a895b52484b701d51a
  28type commit
  29tag signedtag
  30tagger C O Mitter <committer@example.com> 1465981006 +0000
  31
  32signed tag
  33
  34signed tag message body
  35-----BEGIN PGP SIGNATURE-----
  36Version: GnuPG v1
  37
  38iQEcBAABAgAGBQJXYRhOAAoJEGEJLoW3InGJklkIAIcnhL7RwEb/+QeX9enkXhxn
  39rxfdqrvWd1K80sl2TOt8Bg/NYwrUBw/RWJ+sg/hhHp4WtvE1HDGHlkEz3y11Lkuh
  408tSxS3qKTxXUGozyPGuE90sJfExhZlW4knIQ1wt/yWqM+33E9pN4hzPqLwyrdods
  41q8FWEqPPUbSJXoMbRPw04S5jrLtZSsUWbRYjmJCHzlhSfFWW4eFd37uquIaLUBS0
  42rkC3Jrx7420jkIpgFcTI2s60uhSQLzgcCwdA2ukSYIRnjg/zDkj8+3h/GaROJ72x
  43lZyI6HWixKJkWw8lE9aAOD9TmTW9sFJwcVAzmAuFX2kUreDUKMZduGcoRYGpD7E=
  44=jpXa
  45-----END PGP SIGNATURE-----
  46----
  47
  48- verify with: `git verify-tag [-v]` or `git tag -v`
  49
  50----
  51gpg: Signature made Wed Jun 15 10:56:46 2016 CEST using RSA key ID B7227189
  52gpg: Good signature from "Eris Discordia <discord@example.net>"
  53gpg: WARNING: This key is not certified with a trusted signature!
  54gpg:          There is no indication that the signature belongs to the owner.
  55Primary key fingerprint: D4BE 2231 1AD3 131E 5EDA  29A4 6109 2E85 B722 7189
  56object 04b871796dc0420f8e7561a895b52484b701d51a
  57type commit
  58tag signedtag
  59tagger C O Mitter <committer@example.com> 1465981006 +0000
  60
  61signed tag
  62
  63signed tag message body
  64----
  65
  66== Commit signatures
  67
  68- created by: `git commit -S`
  69- payload: commit object
  70- embedding: header entry `gpgsig`
  71  (content is preceded by a space)
  72- example: commit with subject `signed commit`
  73
  74----
  75tree eebfed94e75e7760540d1485c740902590a00332
  76parent 04b871796dc0420f8e7561a895b52484b701d51a
  77author A U Thor <author@example.com> 1465981137 +0000
  78committer C O Mitter <committer@example.com> 1465981137 +0000
  79gpgsig -----BEGIN PGP SIGNATURE-----
  80 Version: GnuPG v1
  81
  82 iQEcBAABAgAGBQJXYRjRAAoJEGEJLoW3InGJ3IwIAIY4SA6GxY3BjL60YyvsJPh/
  83 HRCJwH+w7wt3Yc/9/bW2F+gF72kdHOOs2jfv+OZhq0q4OAN6fvVSczISY/82LpS7
  84 DVdMQj2/YcHDT4xrDNBnXnviDO9G7am/9OE77kEbXrp7QPxvhjkicHNwy2rEflAA
  85 zn075rtEERDHr8nRYiDh8eVrefSO7D+bdQ7gv+7GsYMsd2auJWi1dHOSfTr9HIF4
  86 HJhWXT9d2f8W+diRYXGh4X0wYiGg6na/soXc+vdtDYBzIxanRqjg8jCAeo1eOTk1
  87 EdTwhcTZlI0x5pvJ3H0+4hA2jtldVtmPM4OTB0cTrEWBad7XV6YgiyuII73Ve3I=
  88 =jKHM
  89 -----END PGP SIGNATURE-----
  90
  91signed commit
  92
  93signed commit message body
  94----
  95
  96- verify with: `git verify-commit [-v]` (or `git show --show-signature`)
  97
  98----
  99gpg: Signature made Wed Jun 15 10:58:57 2016 CEST using RSA key ID B7227189
 100gpg: Good signature from "Eris Discordia <discord@example.net>"
 101gpg: WARNING: This key is not certified with a trusted signature!
 102gpg:          There is no indication that the signature belongs to the owner.
 103Primary key fingerprint: D4BE 2231 1AD3 131E 5EDA  29A4 6109 2E85 B722 7189
 104tree eebfed94e75e7760540d1485c740902590a00332
 105parent 04b871796dc0420f8e7561a895b52484b701d51a
 106author A U Thor <author@example.com> 1465981137 +0000
 107committer C O Mitter <committer@example.com> 1465981137 +0000
 108
 109signed commit
 110
 111signed commit message body
 112----
 113
 114== Mergetag signatures
 115
 116- created by: `git merge` on signed tag
 117- payload/embedding: the whole signed tag object is embedded into
 118  the (merge) commit object as header entry `mergetag`
 119- example: merge of the signed tag `signedtag` as above
 120
 121----
 122tree c7b1cff039a93f3600a1d18b82d26688668c7dea
 123parent c33429be94b5f2d3ee9b0adad223f877f174b05d
 124parent 04b871796dc0420f8e7561a895b52484b701d51a
 125author A U Thor <author@example.com> 1465982009 +0000
 126committer C O Mitter <committer@example.com> 1465982009 +0000
 127mergetag object 04b871796dc0420f8e7561a895b52484b701d51a
 128 type commit
 129 tag signedtag
 130 tagger C O Mitter <committer@example.com> 1465981006 +0000
 131
 132 signed tag
 133
 134 signed tag message body
 135 -----BEGIN PGP SIGNATURE-----
 136 Version: GnuPG v1
 137
 138 iQEcBAABAgAGBQJXYRhOAAoJEGEJLoW3InGJklkIAIcnhL7RwEb/+QeX9enkXhxn
 139 rxfdqrvWd1K80sl2TOt8Bg/NYwrUBw/RWJ+sg/hhHp4WtvE1HDGHlkEz3y11Lkuh
 140 8tSxS3qKTxXUGozyPGuE90sJfExhZlW4knIQ1wt/yWqM+33E9pN4hzPqLwyrdods
 141 q8FWEqPPUbSJXoMbRPw04S5jrLtZSsUWbRYjmJCHzlhSfFWW4eFd37uquIaLUBS0
 142 rkC3Jrx7420jkIpgFcTI2s60uhSQLzgcCwdA2ukSYIRnjg/zDkj8+3h/GaROJ72x
 143 lZyI6HWixKJkWw8lE9aAOD9TmTW9sFJwcVAzmAuFX2kUreDUKMZduGcoRYGpD7E=
 144 =jpXa
 145 -----END PGP SIGNATURE-----
 146
 147Merge tag 'signedtag' into downstream
 148
 149signed tag
 150
 151signed tag message body
 152
 153# gpg: Signature made Wed Jun 15 08:56:46 2016 UTC using RSA key ID B7227189
 154# gpg: Good signature from "Eris Discordia <discord@example.net>"
 155# gpg: WARNING: This key is not certified with a trusted signature!
 156# gpg:          There is no indication that the signature belongs to the owner.
 157# Primary key fingerprint: D4BE 2231 1AD3 131E 5EDA  29A4 6109 2E85 B722 7189
 158----
 159
 160- verify with: verification is embedded in merge commit message by default,
 161  alternatively with `git show --show-signature`:
 162
 163----
 164commit 9863f0c76ff78712b6800e199a46aa56afbcbd49
 165merged tag 'signedtag'
 166gpg: Signature made Wed Jun 15 10:56:46 2016 CEST using RSA key ID B7227189
 167gpg: Good signature from "Eris Discordia <discord@example.net>"
 168gpg: WARNING: This key is not certified with a trusted signature!
 169gpg:          There is no indication that the signature belongs to the owner.
 170Primary key fingerprint: D4BE 2231 1AD3 131E 5EDA  29A4 6109 2E85 B722 7189
 171Merge: c33429b 04b8717
 172Author: A U Thor <author@example.com>
 173Date:   Wed Jun 15 09:13:29 2016 +0000
 174
 175    Merge tag 'signedtag' into downstream
 176
 177    signed tag
 178
 179    signed tag message body
 180
 181    # gpg: Signature made Wed Jun 15 08:56:46 2016 UTC using RSA key ID B7227189
 182    # gpg: Good signature from "Eris Discordia <discord@example.net>"
 183    # gpg: WARNING: This key is not certified with a trusted signature!
 184    # gpg:          There is no indication that the signature belongs to the owner.
 185    # Primary key fingerprint: D4BE 2231 1AD3 131E 5EDA  29A4 6109 2E85 B722 7189
 186----