Congratulations! Missing 3.0.0 tag?

Randall S. Becker rsbecker at
Thu Sep 9 20:16:46 UTC 2021

On September 9, 2021 3:26 PM, Steffen Nurpmeso wrote:
>To: Randall S. Becker <rsbecker at>
>Cc: 'Benjamin Kaduk' <bkaduk at>; openssl-users at
>Subject: Re: Congratulations! Missing 3.0.0 tag?
>Randall S. Becker wrote in
> <012201d7a590$56df08d0$049d1a70$>:
> |On September 9, 2021 6:56 AM, Steffen Nurpmeso wrote:
> |>Benjamin Kaduk wrote in
> |> <20210908233639.GY19992 at>:
> |>|On Thu, Sep 09, 2021 at 01:03:28AM +0200, Steffen Nurpmeso wrote:
> ...
> |>|I think (off the top of my head, i.e., without consulting a reference) \  |>| |that `git log` (which your aliases end up at) will only
>|display  |>|signatures on commits, but will not show the tag objects themselves.
> |>|`git show` does display the tag object, and for openssl only the \  |>|tag  |object is what is signed; the commits themselves are not
> |>
> |>I see.  That is a logical one, thanks for the explanation.
> ...
> |$ git tag --verify openssl-3.0.0
>Yes yes, ok!  But like i said, wouldn't it be nice if at least release commits would be signed also, a.k.a./or when a new branch is created?
>In Linux for example the merge commits to the master branch are signed, in addition to the tags of the actual releases.
>It may even be a deja vu and i may have clamoured in the past.

Strictly speaking, the signature on a tag is considered immutable and transitively applies the signature to the commit (it does not really, but the effect is the same). The signature on a tag becomes invalid if the underlying commit, or parents of that commit in git's Merkel Tree changes, so it is quite a strong signature. AFIAK, adding a signature to the commit itself does not really improve the strength of the signing (much), unless one implements a multi-signature structure - like the commit and signatures on three tags on the same commit. You have then implemented a three-signature authority, which basically is a Blockchain-style authority (not quite - I used "-style"), providing that you do trust the signers. I think the word for that is "over-kill" 😉, but maybe not in the case of OpenSSL.


More information about the openssl-users mailing list