Congratulations! Missing 3.0.0 tag?

Steffen Nurpmeso steffen at
Wed Sep 8 23:03:28 UTC 2021

Benjamin Kaduk wrote in
 <20210908222248.GX19992 at>:
 |On Thu, Sep 09, 2021 at 12:15:44AM +0200, Steffen Nurpmeso wrote:
 |> P.S.: maybe at least release commits and tags could be signed?
 |> And/or HTTPS access to the repository ... but then i get the gut
 |> feeling that the answer to this will be "use github" or something.
 |tag openssl-3.0.0
 |Tagger: Richard Levitte <richard at>
 |Date:   Tue Sep 7 13:46:40 2021 +0200
 |OpenSSL 3.0.0 release tag
 |looks signed to me.

That is really interesting now.
If i use "git show openssl-3.0.0" i see this myself.

  tag openssl-3.0.0
  Tagger:     Richard Levitte <richard at>
  TaggerDate: 2021-09-07 13:46:40 +0200

  OpenSSL 3.0.0 release tag


  commit 89cd17a031 (tag: refs/tags/openssl-3.0.0)

But if i use

  #?0|kent:tls-openssl.git$ alias gl1
  alias gl1='git slpn -1'
  #?0|kent:tls-openssl.git$ git alias|grep slpn
  alias.slpn log --show-signature --patch --find-renames --stat --no-abbrev-commit
  #?0|kent:tls-openssl.git$ gl1 openssl-3.0.0
  commit 89cd17a031e022211684eb7eb41190cf1910f9fa (tag: refs/tags/openssl-3.0.0)

i do not.  Hm, maybe i need to relearn git again, looking around
i see a couple of projects for which this is true (Linux,
wireguard-tools), for others it is not (my own project, nghttp2).
Eg "alias.slo log --show-signature --oneline --graph":

  #?141|kent:nail.git$ git slo -1 master
  Reading passphrase from file descriptor 4
  * 69be61071c (...) gpg: Signature made Wed 01 Sep 2021 01:19:46 PM CEST
  | gpg:                using RSA key DF082F6AEEC8C2FF
  | gpg: Good signature from "Steffen Nurpmeso <steffen at>"
  | gpg: WARNING: This key is not certified with a trusted signature!
  | gpg:          There is no indication that the signature belongs to the owner.
  | Primary key fingerprint: EE19 E1C1 F2F7 054F 8D39  54D8 3089 64B5 1883 A0DD
  |      Subkey fingerprint: 8A2A 4D60 9FDC 539C 75F5  5B95 DF08 2F6A EEC8 C2FF
  | Clear an installed alarm(2) in fork(2)ed childs (Stephen Isard)

  #?0|kent:nghttp2.git$ git slo -1 fcc20334da
  Reading passphrase from file descriptor 4
  *   fcc20334da gpg: Signature made Sat 04 Sep 2021 10:26:47 AM CEST
  |\  gpg:                using RSA key 4AEE18F83AFDEB23
  | | gpg: Can't check signature: public key not found
  | | Merge pull request #1613 from mkauf/check_pseudo_header_chars

  #?0|kent:wireguard-tools.git$ git slo -1 v1.0.20210424
  * ecb1ea29d7 (tag: refs/tags/v1.0.20210424) version: bump

  #?128|kent:linux.git$ git slo -1 v5.10.62
  * f6dd002450 (tag: refs/tags/v5.10.62, refs/remotes/origin/linux-5.10.y) Linux 5.10.62

Ooops, i am totally off again.

|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

More information about the openssl-users mailing list