1Git signature format 2==================== 3 4== Overview 5 6Git uses cryptographic signatures in various places, currently objects (tags, 7commits, mergetags) and transactions (pushes). In every case, the command which 8is about to create an object or transaction determines a payload from that, 9calls gpg to obtain a detached signature for the payload (`gpg -bsa`) and 10embeds the signature into the object or transaction. 11 12Signatures always begin with `-----BEGIN PGP SIGNATURE-----` 13and end with `-----END PGP SIGNATURE-----`, unless gpg is told to 14produce RFC1991 signatures which use `MESSAGE` instead of `SIGNATURE`. 15 16The signed payload and the way the signature is embedded depends 17on the type of the object resp. transaction. 18 19== Tag signatures 20 21- created by: `git tag -s` 22- payload: annotated tag object 23- embedding: append the signature to the unsigned tag object 24- example: tag `signedtag` with subject `signed tag` 25 26---- 27object 04b871796dc0420f8e7561a895b52484b701d51a 28type commit 29tag signedtag 30tagger C O Mitter <committer@example.com> 1465981006 +0000 31 32signed tag 33 34signed tag message body 35-----BEGIN PGP SIGNATURE----- 36Version: GnuPG v1 37 38iQEcBAABAgAGBQJXYRhOAAoJEGEJLoW3InGJklkIAIcnhL7RwEb/+QeX9enkXhxn 39rxfdqrvWd1K80sl2TOt8Bg/NYwrUBw/RWJ+sg/hhHp4WtvE1HDGHlkEz3y11Lkuh 408tSxS3qKTxXUGozyPGuE90sJfExhZlW4knIQ1wt/yWqM+33E9pN4hzPqLwyrdods 41q8FWEqPPUbSJXoMbRPw04S5jrLtZSsUWbRYjmJCHzlhSfFWW4eFd37uquIaLUBS0 42rkC3Jrx7420jkIpgFcTI2s60uhSQLzgcCwdA2ukSYIRnjg/zDkj8+3h/GaROJ72x 43lZyI6HWixKJkWw8lE9aAOD9TmTW9sFJwcVAzmAuFX2kUreDUKMZduGcoRYGpD7E= 44=jpXa 45-----END PGP SIGNATURE----- 46---- 47 48- verify with: `git verify-tag [-v]` or `git tag -v` 49 50---- 51gpg: Signature made Wed Jun 15 10:56:46 2016 CEST using RSA key ID B7227189 52gpg: Good signature from "Eris Discordia <discord@example.net>" 53gpg: WARNING: This key is not certified with a trusted signature! 54gpg: There is no indication that the signature belongs to the owner. 55Primary key fingerprint: D4BE 2231 1AD3 131E 5EDA 29A4 6109 2E85 B722 7189 56object 04b871796dc0420f8e7561a895b52484b701d51a 57type commit 58tag signedtag 59tagger C O Mitter <committer@example.com> 1465981006 +0000 60 61signed tag 62 63signed tag message body 64---- 65 66== Commit signatures 67 68- created by: `git commit -S` 69- payload: commit object 70- embedding: header entry `gpgsig` 71 (content is preceded by a space) 72- example: commit with subject `signed commit` 73 74---- 75tree eebfed94e75e7760540d1485c740902590a00332 76parent 04b871796dc0420f8e7561a895b52484b701d51a 77author A U Thor <author@example.com> 1465981137 +0000 78committer C O Mitter <committer@example.com> 1465981137 +0000 79gpgsig -----BEGIN PGP SIGNATURE----- 80 Version: GnuPG v1 81 82 iQEcBAABAgAGBQJXYRjRAAoJEGEJLoW3InGJ3IwIAIY4SA6GxY3BjL60YyvsJPh/ 83 HRCJwH+w7wt3Yc/9/bW2F+gF72kdHOOs2jfv+OZhq0q4OAN6fvVSczISY/82LpS7 84 DVdMQj2/YcHDT4xrDNBnXnviDO9G7am/9OE77kEbXrp7QPxvhjkicHNwy2rEflAA 85 zn075rtEERDHr8nRYiDh8eVrefSO7D+bdQ7gv+7GsYMsd2auJWi1dHOSfTr9HIF4 86 HJhWXT9d2f8W+diRYXGh4X0wYiGg6na/soXc+vdtDYBzIxanRqjg8jCAeo1eOTk1 87 EdTwhcTZlI0x5pvJ3H0+4hA2jtldVtmPM4OTB0cTrEWBad7XV6YgiyuII73Ve3I= 88 =jKHM 89 -----END PGP SIGNATURE----- 90 91signed commit 92 93signed commit message body 94---- 95 96- verify with: `git verify-commit [-v]` (or `git show --show-signature`) 97 98---- 99gpg: Signature made Wed Jun 15 10:58:57 2016 CEST using RSA key ID B7227189 100gpg: Good signature from "Eris Discordia <discord@example.net>" 101gpg: WARNING: This key is not certified with a trusted signature! 102gpg: There is no indication that the signature belongs to the owner. 103Primary key fingerprint: D4BE 2231 1AD3 131E 5EDA 29A4 6109 2E85 B722 7189 104tree eebfed94e75e7760540d1485c740902590a00332 105parent 04b871796dc0420f8e7561a895b52484b701d51a 106author A U Thor <author@example.com> 1465981137 +0000 107committer C O Mitter <committer@example.com> 1465981137 +0000 108 109signed commit 110 111signed commit message body 112----