Congratulations! Missing 3.0.0 tag?

Randall S. Becker rsbecker at nexbridge.com
Thu Sep 9 15:35:32 UTC 2021 

On September 9, 2021 6:56 AM, Steffen Nurpmeso wrote:
>Benjamin Kaduk wrote in
> <20210908233639.GY19992 at akamai.com>:
> |On Thu, Sep 09, 2021 at 01:03:28AM +0200, Steffen Nurpmeso wrote:
> |> But if i use
> |>
> |>   #?0|kent:tls-openssl.git$ alias gl1
> |>   alias gl1='git slpn -1'
> |>   #?0|kent:tls-openssl.git$ git alias|grep slpn
> |>   alias.slpn log --show-signature --patch --find-renames --stat --no-abbr\
> |>   ev-commit
> |>   #?0|kent:tls-openssl.git$ gl1 openssl-3.0.0
> |>   commit 89cd17a031e022211684eb7eb41190cf1910f9fa (tag: refs/tags/openssl\
> |>   -3.0.0)
> |>   ...
> |>
> |> i do not.  Hm, maybe i need to relearn git again, looking around  |> i see a couple of projects for which this is true (Linux,
|>
>wireguard-tools), for others it is not (my own project, nghttp2).
> |
> |I think (off the top of my head, i.e., without consulting a reference)  |that `git log` (which your aliases end up at) will only
display
>|signatures on commits, but will not show the tag objects themselves.
> |`git show` does display the tag object, and for openssl only the tag  |object is what is signed; the commits themselves are not
signed.
>
>I see.  That is a logical one, thanks for the explanation.
>Sometimes one (Me!  That is.) really would have to drop all entrenched habits, aliases and scripts and do anything anew.  For
example i
>now have learned that "push" also can be signed!  (And yes, i do use commit -S and tag -s for release tags for .. many
>years.)
>
> |-Ben
> --End of <20210908233639.GY19992 at akamai.com>
>
>--steffen

$ git tag --verify openssl-3.0.0
object 89cd17a031e022211684eb7eb41190cf1910f9fa
type commit
tag openssl-3.0.0
tagger Richard Levitte <richard at levitte.org> 1631015200 +0200

OpenSSL 3.0.0 release tag
gpg: Signature made Tue Sep  7 07:46:40 2021 EDT
gpg:                using DSA key A7AF9E78F709453B
gpg: Can't check signature: public key not found

Although I do not have Richard's public key on the system where I ran the command and GitHub is not showing the verification status
of the tag.

-Randall

More information about the openssl-users mailing list