On Fri, Aug 03, 2018 at 09:38:34PM +0000, Tacitus Aedifex wrote: > I'm looking at the existing commit signing and verification > integration and it is all GPG specific. I'm interested in refactoring > the code to have a generic signing/verifying interface so that "drivers" > for other signing tools can be created and other signing tools can be > used (e.g. OpenBSD signify). > [...] > Any other thoughts and/or suggestions?
There's been some work on this lately. See this patch and the response thread: https://public-inbox.org/git/20180409204129.43537-9-mastahy...@gmail.com/ One of the main complaints there was that it was doing just enough to make gpgsm work, and it was unclear if some of the abstractions would be insufficient for something like signify. The more recent work focused on just doing the minimum to provide gpg/gpgsm variants: https://public-inbox.org/git/cover.1531831244.git.henning.sch...@siemens.com/ That replaces the earlier patch series, and is currently merged to the 'next' branch and is on track to get merged to 'master' before Git 2.19 is released. One of the downsides there is that if we eventually move to a generic signing-tool config, we'd have to support two layers of historical abstraction (the original "gpg.program" config, and the new "gpg.<tool>.*" config). So _if_ we knew what it would take to support signify, we could potentially adjust what's going into 2.19 in order to skip straight to the more generic interface. But on the OTOH, it may not be worth rushing, and there is already a vague plan of how the gpg.<tool>.* config would interact with a more generic config. Anyway. Hopefully that gives you a sense of what the current state is, and that work should answer the questions you asked about how to approach the code changes. -Peff
