Hello,

On Thu 20 Feb 2025 at 09:40am -07, Sam Hartman wrote:

>>>>>> "Ian" == Ian Jackson <ijack...@chiark.greenend.org.uk> writes:
>
>     Ian> Sean Whitton writes ("Bug#1091868: debian-policy: Document
>     Ian> Git-Tag-Tagger and Git-Tag-Info fields"):
>     >> Package: debian-policy X-debbugs-cc:
>     >> ijack...@chiark.greenend.org.uk
>
>     >> From: Sean Whitton <spwhit...@spwhitton.name>
>     Ian> ...
>     >> +.. _s-f-Git-Tag-Info: + +``Git-Tag-Info`` +~~~~~~~~~~~~~~~~ +
>     >> +Other information about the Git tag from which this upload was
>     >> generated (a\
>     Ian> nd
>     >> +to which it corresponds) in accordance with the tagging protocol
>     >> described \
>     Ian> in
>     >> +the :manpage:`tag2upload(5)` manual page.  + +The value is of
>     >> the form ``tag=TAGOBJID fp=FINGERPRINT`` where ``TAGOBJID``\
>     Ian>  is
>     >> +the Git object ID of the Git tag object, and ``FINGERPRINT`` is
>     >> the +fingerprint (in hexadecimal, without spaces) of the PGP key
>     >> used to sign the +Git tag.
>
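
Review bot: In the ``Git-Tag-Info`` value description, the form ``tag=TAGOBJID fp=FINGERPRINT`` is under-specified for tools that compare values mechanically. The text says "in hexadecimal, without spaces" but not whether upper or lower case is expected for ``FINGERPRINT``, and it does not say that ``TAGOBJID`` must be the full object ID rather than an abbreviation. Suggest stating both.
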
> Is that the primary fingerprint or the fingerprint of the subkey?
> I'd prefer that we be explicit.

It's from the VALIDSIG line as documented here:
<https://github.com/gpg/gnupg/blob/master/doc/DETAILS>.

The text there doesn't guarantee that the fingerprint will be the
signing subkey, if there is one, but somewhat implies that it will be.

I'm not sure we want to tie ourselves down in the way that you are
suggesting.  What do you think, Ian?

-- 
Sean Whitton

Attachment: signature.asc
Description: PGP signature
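
As an added illustration of the question raised in this thread (not code from tag2upload, dgit or GnuPG), the following Python sketch reads a constructed `gpg --status-fd` transcript and reports whether a `Git-Tag-Info` `fp=` value equals the first VALIDSIG argument or the optional trailing primary-key fingerprint. The fingerprints, object ID and function names are made up for the example; the VALIDSIG argument order is the one documented in doc/DETAILS.

```python
import re

# Constructed placeholders: not real keys or a real tag object.
SIGNING_FPR = "A1" * 20
PRIMARY_FPR = "B2" * 20
TAG_OBJID = "c3" * 20

# Constructed status output; VALIDSIG argument order follows doc/DETAILS.
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] GOODSIG {SIGNING_FPR[-16:]} Example Uploader <uploader@example.org>\n"
    f"[GNUPG:] VALIDSIG {SIGNING_FPR} 2025-02-20 1740040000 0 4 0 22 10 00 {PRIMARY_FPR}\n"
)

HEX_FPR = re.compile(r"[0-9A-F]{40}|[0-9A-F]{64}")

def parse_validsig(status_text):
    """Return (first_arg_fpr, primary_key_fpr or None) from the first VALIDSIG line."""
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[:2] != ["[GNUPG:]", "VALIDSIG"]:
            continue
        first = parts[2].upper()
        if not HEX_FPR.fullmatch(first):
            raise ValueError("malformed VALIDSIG fingerprint")
        # PRIMARY-KEY-FPR is the optional tenth argument (parts[11]).
        tail = parts[11].upper() if len(parts) > 11 else ""
        return first, (tail if HEX_FPR.fullmatch(tail) else None)
    return None

def parse_git_tag_info(value):
    """Split a `tag=TAGOBJID fp=FINGERPRINT` value into (tag, fp)."""
    # Assumption: lowercase hex object ID; either case accepted for the fingerprint.
    m = re.fullmatch(r"tag=([0-9a-f]+) fp=([0-9A-Fa-f]+)", value.strip())
    if not m:
        raise ValueError("not of the form tag=TAGOBJID fp=FINGERPRINT")
    return m.group(1), m.group(2).upper()

def which_key(field_value, status_text):
    """Say which VALIDSIG fingerprint the fp= item equals."""
    _, fp = parse_git_tag_info(field_value)
    sig = parse_validsig(status_text)
    if sig is None:
        return "no-valid-signature"
    first, primary = sig
    if fp == first:
        return "both" if primary == first else "first-argument"
    return "primary-key" if fp == primary else "mismatch"
```
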
