git@vger.kernel.org mailing list mirror (one of many)
* [PATCH] signature-format.txt: Note SSH and X.509 signature delimiters
@ 2022-01-20  5:32 Gwyneth Morgan
From: Gwyneth Morgan @ 2022-01-20  5:32 UTC (permalink / raw)
  To: git; +Cc: Gwyneth Morgan

This document only explained PGP signatures, but Git now supports X.509
and SSH signatures.

Signed-off-by: Gwyneth Morgan <gwymor@tilde.club>
---
 Documentation/technical/signature-format.txt | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/Documentation/technical/signature-format.txt b/Documentation/technical/signature-format.txt
index 166721be6f..c148d4c750 100644
--- a/Documentation/technical/signature-format.txt
+++ b/Documentation/technical/signature-format.txt
@@ -9,9 +9,22 @@ is about to create an object or transaction determines a payload from that,
 calls gpg to obtain a detached signature for the payload (`gpg -bsa`) and
 embeds the signature into the object or transaction.
 
-Signatures always begin with `-----BEGIN PGP SIGNATURE-----`
-and end with `-----END PGP SIGNATURE-----`, unless gpg is told to
-produce RFC1991 signatures which use `MESSAGE` instead of `SIGNATURE`.
+Signatures always begin and end with a delimiter, which differs
+depending on signature type.
+
+PGP::
+	Signatures begin with `-----BEGIN PGP SIGNATURE-----` and end
+	with `-----END PGP SIGNATURE-----`, unless gpg is told to
+	produce RFC1991 signatures which use `MESSAGE` instead of
+	`SIGNATURE`.
+
+SSH::
+	Signatures begin with `-----BEGIN SSH SIGNATURE-----` and end
+	with `-----END SSH SIGNATURE-----`.
+
+X.509::
+	Signatures begin with `-----BEGIN SIGNED MESSAGE-----` and end
+	with `-----END SIGNED MESSAGE-----`.
 
 Signatures sometimes appear as a part of the normal payload
 (e.g. a signed tag has the signature block appended after the payload
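Review bot: the unchanged context line at the top of this hunk, "calls gpg to obtain a detached signature for the payload (`gpg -bsa`)", is still PGP-specific once the paragraph below lists SSH and X.509 formats; the program invoked differs per format, so the same hunk should generalize it, e.g. "calls an external program to obtain a detached signature for the payload (`gpg -bsa` in the case of PGP signatures)". The PGP entry also still describes the RFC1991 case indirectly ("`MESSAGE` instead of `SIGNATURE`"); spelling out `-----BEGIN PGP MESSAGE-----` and `-----END PGP MESSAGE-----` as the SSH and X.509 entries do lets a reader search for the exact line they see in an object.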


* Re: [PATCH] signature-format.txt: Note SSH and X.509 signature delimiters
@ 2022-01-20 19:30 ` Junio C Hamano
From: Junio C Hamano @ 2022-01-20 19:30 UTC (permalink / raw)
  To: Gwyneth Morgan; +Cc: git

Gwyneth Morgan <gwymor@tilde.club> writes:

> Subject: Re: [PATCH] signature-format.txt: Note SSH and X.509 signature delimiters

Convention: downcase "N" in "Note".

> This document only explained PGP signatures, but Git now supports X.509
> and SSH signatures.

This is technically incorrect as the original text does talk about
MESSAGE that is used by X.509.

But the change does make it more clear to help readers not to make
the same mistake as the above sentence.  In 3-item enumeration, it
is very clear what we now support ;-)

> Signed-off-by: Gwyneth Morgan <gwymor@tilde.club>
> ---
>  Documentation/technical/signature-format.txt | 19 ++++++++++++++++---
>  1 file changed, 16 insertions(+), 3 deletions(-)
>
> diff --git a/Documentation/technical/signature-format.txt b/Documentation/technical/signature-format.txt
> index 166721be6f..c148d4c750 100644
> --- a/Documentation/technical/signature-format.txt
> +++ b/Documentation/technical/signature-format.txt
> @@ -9,9 +9,22 @@ is about to create an object or transaction determines a payload from that,
>  calls gpg to obtain a detached signature for the payload (`gpg -bsa`) and
>  embeds the signature into the object or transaction.
>  
> -Signatures always begin with `-----BEGIN PGP SIGNATURE-----`
> -and end with `-----END PGP SIGNATURE-----`, unless gpg is told to
> -produce RFC1991 signatures which use `MESSAGE` instead of `SIGNATURE`.
> +Signatures always begin and end with a delimiter, which differs

The term "signature delimiter" is understandable, but is that the
term used by the users and the developers of OpenPGP, X.509 and SSH
who know and use such ascii-armored signatures?  Just making sure
we do not accidentally "invent" a new word that the upstream/wider
community has an established word for.

	... Goes and looks ...
	https://www.rfc-editor.org/rfc/rfc4880.html#section-7
	seems to use "Armor Header and Armor Tail Lines" to refer to
	the BEGIN and the END delimiter lines, respectively.

Other than that, the patch looks good to me.

Thanks.

> +depending on signature type.
> +
> +PGP::
> +	Signatures begin with `-----BEGIN PGP SIGNATURE-----` and end
> +	with `-----END PGP SIGNATURE-----`, unless gpg is told to
> +	produce RFC1991 signatures which use `MESSAGE` instead of
> +	`SIGNATURE`.
> +
> +SSH::
> +	Signatures begin with `-----BEGIN SSH SIGNATURE-----` and end
> +	with `-----END SSH SIGNATURE-----`.
> +
> +X.509::
> +	Signatures begin with `-----BEGIN SIGNED MESSAGE-----` and end
> +	with `-----END SIGNED MESSAGE-----`.
>  
>  Signatures sometimes appear as a part of the normal payload
>  (e.g. a signed tag has the signature block appended after the payload


* Re: [PATCH] signature-format.txt: Note SSH and X.509 signature delimiters
@ 2022-01-20 19:49   ` Junio C Hamano
From: Junio C Hamano @ 2022-01-20 19:49 UTC (permalink / raw)
  To: Gwyneth Morgan; +Cc: git

Junio C Hamano <gitster@pobox.com> writes:

>> +Signatures always begin and end with a delimiter, which differs
>
> The term "signature delimiter" is understandable, but is that the
> term used by the users and the developers of OpenPGP, X.509 and SSH
> who know and use such an ascii-armored signatures?  Just making sure
> we do not accidentally "invent" a new word that the upstream/wider
> community has an established word for.
>
> 	... Goes and looks ...
> 	https://www.rfc-editor.org/rfc/rfc4880.html#section-7
> 	seems to use "Armor Header and Armor Tail Lines" to refer to
> 	the BEGIN and the END delimiter lines, respectively.

Please do not take this as my recommendation to blindly adopt "Armor
Header" etc.  It was merely an illustration of what level of due
diligence is expected behind a change in this project.  If you make
a similar study of nomenclature used by X.509 and SSH folks, you may
discover that there is no agreed-upon standard term common across
these three, in which case "signature delimiter" might be the best
"vendor neutral" word to use in our documentation.  Or it may turn
out that RFC4880 is the oddball and the other two use the same words
to refer to their header and tail lines, in which case, unless those
common words are too technical and hard to understand for readers,
we may want to use that common one.

Thanks.



* [PATCH v2] signature-format.txt: note SSH and X.509 signature delimiters
@ 2023-02-10  6:16 ` Gwyneth Morgan
From: Gwyneth Morgan @ 2023-02-10  6:16 UTC (permalink / raw)
  To: git; +Cc: Junio C Hamano, Gwyneth Morgan

This document only explained PGP signatures, but Git now supports X.509
and SSH signatures.

Signed-off-by: Gwyneth Morgan <gwymor@tilde.club>
---
 Documentation/gitformat-signature.txt | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/Documentation/gitformat-signature.txt b/Documentation/gitformat-signature.txt
index d8e3eb1bac..5f0c9202e3 100644
--- a/Documentation/gitformat-signature.txt
+++ b/Documentation/gitformat-signature.txt
@@ -17,12 +17,26 @@ DESCRIPTION
 Git uses cryptographic signatures in various places, currently objects (tags,
 commits, mergetags) and transactions (pushes). In every case, the command which
 is about to create an object or transaction determines a payload from that,
-calls gpg to obtain a detached signature for the payload (`gpg -bsa`) and
-embeds the signature into the object or transaction.
-
-Signatures always begin with `-----BEGIN PGP SIGNATURE-----`
-and end with `-----END PGP SIGNATURE-----`, unless gpg is told to
-produce RFC1991 signatures which use `MESSAGE` instead of `SIGNATURE`.
+calls an external program to obtain a detached signature for the payload
+(`gpg -bsa` in the case of PGP signatures), and embeds the signature into the
+object or transaction.
+
+Signatures begin with an ASCII Armor header line and end with a tail line,
+which differ depending on signature type.
+
+PGP::
+	Signatures begin with `-----BEGIN PGP SIGNATURE-----` and end
+	with `-----END PGP SIGNATURE-----`, unless gpg is told to
+	produce RFC1991 signatures which use `MESSAGE` instead of
+	`SIGNATURE`.
+
+SSH::
+	Signatures begin with `-----BEGIN SSH SIGNATURE-----` and end
+	with `-----END SSH SIGNATURE-----`.
+
+X.509::
+	Signatures begin with `-----BEGIN SIGNED MESSAGE-----` and end
+	with `-----END SIGNED MESSAGE-----`.
 
 Signatures sometimes appear as a part of the normal payload
 (e.g. a signed tag has the signature block appended after the payload
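Review bot: the new lead-in paragraph introduces an "ASCII Armor header line" and a "tail line", but none of the three entries below says which of its two strings is the header and which the tail, and each entry repeats "begin with X and end with Y", so the generic paragraph and the per-format wording say the same thing twice; either drop the lead-in or phrase the entries as "header: X, tail: Y". The RFC1991 case under PGP is also still described indirectly ("`MESSAGE` instead of `SIGNATURE`"); writing the full `-----BEGIN PGP MESSAGE-----` and `-----END PGP MESSAGE-----` pair makes the list searchable for what a reader actually finds in a tag object.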


* Re: [PATCH] signature-format.txt: Note SSH and X.509 signature delimiters
@ 2023-02-10  6:16   ` Gwyneth Morgan
From: Gwyneth Morgan @ 2023-02-10  6:16 UTC (permalink / raw)
  To: Junio C Hamano; +Cc: git

On 2022-01-20 11:30:15-0800, Junio C Hamano wrote:
> Gwyneth Morgan <gwymor@tilde.club> writes:
> > This document only explained PGP signatures, but Git now supports X.509
> > and SSH signatures.
> 
> This is technically incorrect as the original text does talk about
> MESSAGE that is used by X.509.
> 
> But the change does make it more clear to help readers not to make
> the same mistake as the above sentence.  In 3-item enumeration, it
> is very clear what we now support ;-)

I believe the existing language is referring to the
"-----BEGIN PGP MESSAGE-----" format GPG outputs in RFC 1991 mode,
rather than the "-----BEGIN SIGNED MESSAGE-----" that X.509 uses.

> > diff --git a/Documentation/technical/signature-format.txt b/Documentation/technical/signature-format.txt
> > index 166721be6f..c148d4c750 100644
> > --- a/Documentation/technical/signature-format.txt
> > +++ b/Documentation/technical/signature-format.txt
> > @@ -9,9 +9,22 @@ is about to create an object or transaction determines a payload from that,
> >  calls gpg to obtain a detached signature for the payload (`gpg -bsa`) and
> >  embeds the signature into the object or transaction.
> >  
> > -Signatures always begin with `-----BEGIN PGP SIGNATURE-----`
> > -and end with `-----END PGP SIGNATURE-----`, unless gpg is told to
> > -produce RFC1991 signatures which use `MESSAGE` instead of `SIGNATURE`.
> > +Signatures always begin and end with a delimiter, which differs
> 
> The term "signature delimiter" is understandable, but is that the
> term used by the users and the developers of OpenPGP, X.509 and SSH
> who know and use such an ascii-armored signatures?  Just making sure
> we do not accidentally "invent" a new word that the upstream/wider
> community has an established word for.
> 
> 	... Goes and looks ...
> 	https://www.rfc-editor.org/rfc/rfc4880.html#section-7
> 	seems to use "Armor Header and Armor Tail Lines" to refer to
> 	the BEGIN and the END delimiter lines, respectively.
> 
> Other than that, the patch looks good to me.

OpenSSH's signature format documentation says:


	The Armored SSH signatures consist of a header, a base64
	encoded blob, and a footer.

	The header is the string "-----BEGIN SSH SIGNATURE-----"
	followed by a newline. The footer is the string
	"-----END SSH SIGNATURE-----" immediately after a newline.
(https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.sshsig?rev=1.4&content-type=text/x-cvsweb-markup)

This is sufficiently similar to the nomenclature in RFC 4880 to call
these "Armor Header Line and Tail Line" without any misunderstanding (or
"footer line" if that's preferred). I did not find documentation on what
X.509 calls these.


* Re: [PATCH v2] signature-format.txt: note SSH and X.509 signature delimiters
@ 2023-02-10 10:52   ` Ævar Arnfjörð Bjarmason
From: Ævar Arnfjörð Bjarmason @ 2023-02-10 10:52 UTC (permalink / raw)
  To: Gwyneth Morgan; +Cc: git, Junio C Hamano


On Fri, Feb 10 2023, Gwyneth Morgan wrote:

> This document only explained PGP signatures, but Git now supports X.509
> and SSH signatures.

To elaborate a bit, in 1e7adb97566 (gpg-interface: introduce new
signature format "x509" using gpgsm, 2018-07-17) we added X.509, and in
29b315778e9 (ssh signing: add ssh key format and signing code,
2021-09-10) we added "ssh", but our docs were never updated.

Your commit message says as much in briefer terms, but maybe if you
re-roll having those references would help put this change in context.

> Signed-off-by: Gwyneth Morgan <gwymor@tilde.club>
> ---
>  Documentation/gitformat-signature.txt | 26 ++++++++++++++++++++------
>  1 file changed, 20 insertions(+), 6 deletions(-)
>
> diff --git a/Documentation/gitformat-signature.txt b/Documentation/gitformat-signature.txt
> index d8e3eb1bac..5f0c9202e3 100644
> --- a/Documentation/gitformat-signature.txt
> +++ b/Documentation/gitformat-signature.txt
> @@ -17,12 +17,26 @@ DESCRIPTION
>  Git uses cryptographic signatures in various places, currently objects (tags,
>  commits, mergetags) and transactions (pushes). In every case, the command which
>  is about to create an object or transaction determines a payload from that,
> -calls gpg to obtain a detached signature for the payload (`gpg -bsa`) and
> -embeds the signature into the object or transaction.
> -
> -Signatures always begin with `-----BEGIN PGP SIGNATURE-----`
> -and end with `-----END PGP SIGNATURE-----`, unless gpg is told to
> -produce RFC1991 signatures which use `MESSAGE` instead of `SIGNATURE`.
> +calls an external program to obtain a detached signature for the payload
> +(`gpg -bsa` in the case of PGP signatures), and embeds the signature into the
> +object or transaction.
> +
> +Signatures begin with an ASCII Armor header line and end with a tail line,
> +which differ depending on signature type.

Does the "ASCII Armor header" really add something here, or just confuse
the user with a reference that's not followed-up or explained here?
Maybe we should point out OpenPGP's '--armor' option in passing, to note
to the reader that this isn't some git-specific concept.

> +PGP::
> +	Signatures begin with `-----BEGIN PGP SIGNATURE-----` and end
> +	with `-----END PGP SIGNATURE-----`, unless gpg is told to
> +	produce RFC1991 signatures which use `MESSAGE` instead of
> +	`SIGNATURE`.
> +
> +SSH::
> +	Signatures begin with `-----BEGIN SSH SIGNATURE-----` and end
> +	with `-----END SSH SIGNATURE-----`.
> +
> +X.509::
> +	Signatures begin with `-----BEGIN SIGNED MESSAGE-----` and end
> +	with `-----END SIGNED MESSAGE-----`.

I wonder if structuring it like this wouldn't help make this easier to
read, and reduce the repetition, as well as making the circular
references between this & 'gpg.format' more obvious:

	The signature start and end marker comes on its own line, and
	differs based on the signature type (as selected by
	'gpg.format', see linkgit:git-config[1]).

	Those are, for values of 'gpg.format':

	gpg: `-----BEGIN PGP SIGNATURE-----` and `-----END PGP
	     SIGNATURE-----`. Or, if GPG has been asked to produce
	     RFC1991 signatures: `-----BEGIN PGP MESSAGE-----` and
	     `-----END PGP MESSAGE-----`

	x509: `-----BEGIN SIGNED MESSAGE-----` and `-----END SIGNED MESSAGE-----`
	ssh: `-----BEGIN SSH SIGNATURE-----` and `-----END SSH SIGNATURE-----`

Then for gpg.format in Documentation/config/gpg.txt we could add e.g.:

	See linkgit:gitformat-signature[5] for the signature format,
	which differs based on the selected 'gpg.format'.


* Re: [PATCH] signature-format.txt: Note SSH and X.509 signature delimiters
@ 2023-02-10 16:58     ` Junio C Hamano
From: Junio C Hamano @ 2023-02-10 16:58 UTC (permalink / raw)
  To: Gwyneth Morgan; +Cc: git

Gwyneth Morgan <gwymor@tilde.club> writes:

> I believe the existing language is referring to the
> "-----BEGIN PGP MESSAGE-----" format GPG outputs in RFC 1991 mode,
> rather than the "-----BEGIN SIGNED MESSAGE-----" that X.509 uses.

The paragraph came from 76f9d8ba (Documentation/technical: describe
signature formats, 2016-06-17) that started the documentation, and
predates x509 support by two years (and ssh came even later), so
you're right.  It couldn't possibly have meant anything newer.

Thanks.

> OpenSSH's signature format documentation says:
>
> 	The Armored SSH signatures consist of a header, a base64
> 	encoded blob, and a footer.
>
> 	The header is the string "-----BEGIN SSH SIGNATURE-----"
> 	followed by a newline. The footer is the string
> 	"-----END SSH SIGNATURE-----" immediately after a newline.
>
> This is sufficiently similar to the nomenclature in RFC 4880 to call
> these "Armor Header Line and Tail Line" without any misunderstanding (or
> "footer line" if that's preferred). I did not find documentation on what
> X.509 calls these.

Sounds good.  Thanks for due diligence; it would make sure our
nomenclature would not go out of line without a good reason.



* Re: [PATCH v2] signature-format.txt: note SSH and X.509 signature delimiters
@ 2023-02-10 19:25   ` Junio C Hamano
From: Junio C Hamano @ 2023-02-10 19:25 UTC (permalink / raw)
  To: Gwyneth Morgan; +Cc: git

Gwyneth Morgan <gwymor@tilde.club> writes:

> This document only explained PGP signatures, but Git now supports X.509
> and SSH signatures.
>
> Signed-off-by: Gwyneth Morgan <gwymor@tilde.club>
> ---
>  Documentation/gitformat-signature.txt | 26 ++++++++++++++++++++------
>  1 file changed, 20 insertions(+), 6 deletions(-)
>
> diff --git a/Documentation/gitformat-signature.txt b/Documentation/gitformat-signature.txt
> index d8e3eb1bac..5f0c9202e3 100644
> --- a/Documentation/gitformat-signature.txt
> +++ b/Documentation/gitformat-signature.txt
> @@ -17,12 +17,26 @@ DESCRIPTION
>  Git uses cryptographic signatures in various places, currently objects (tags,
>  commits, mergetags) and transactions (pushes). In every case, the command which
>  is about to create an object or transaction determines a payload from that,
> +calls an external program to obtain a detached signature for the payload
> +(`gpg -bsa` in the case of PGP signatures), and embeds the signature into the
> +object or transaction.
> +
> +Signatures begin with an ASCII Armor header line and end with a tail line,
> +which differ depending on signature type.

OK, we used to say "begin with <<something PGP>>" that was not
generic, so we borrow the "ascii armor header/tail line" term the
crypto folks use.  Then ...

> +PGP::
> +	Signatures begin with `-----BEGIN PGP SIGNATURE-----` and end
> +	with `-----END PGP SIGNATURE-----`, unless gpg is told to

... it may be easier to understand if the paragraph somehow made it
clear that "ascii armor header" is "-----BEGIN PGP SIGNATURE-----"
and "tail" is "-----END PGP SIGNATURE-----" for the format being
described.

Alternatively, if we are going to repeat "... begin with X, and end
with Y" for each format, then we may not even need to have the
previous paragraph that says these formats follow the same pattern
(i.e. header then contents then tail, but header and tail are
different depending on the format).

> +	produce RFC1991 signatures which use `MESSAGE` instead of
> +	`SIGNATURE`.
> +
> +SSH::
> +	Signatures begin with `-----BEGIN SSH SIGNATURE-----` and end
> +	with `-----END SSH SIGNATURE-----`.
> +
> +X.509::
> +	Signatures begin with `-----BEGIN SIGNED MESSAGE-----` and end
> +	with `-----END SIGNED MESSAGE-----`.


* Re: [PATCH v2] signature-format.txt: note SSH and X.509 signature delimiters
@ 2023-02-27 20:26     ` Gwyneth Morgan
From: Gwyneth Morgan @ 2023-02-27 20:26 UTC (permalink / raw)
  To: Ævar Arnfjörð Bjarmason; +Cc: git, Junio C Hamano

On 2023-02-10 11:52:42+0100, Ævar Arnfjörð Bjarmason wrote:
> 
> On Fri, Feb 10 2023, Gwyneth Morgan wrote:
> 
> > This document only explained PGP signatures, but Git now supports X.509
> > and SSH signatures.
> 
> To elaborate a bit, in 1e7adb97566 (gpg-interface: introduce new
> signature format "x509" using gpgsm, 2018-07-17) we added X.509, and in
> 29b315778e9 (ssh signing: add ssh key format and signing code,
> 2021-09-10) we added "ssh", but our docs were never updated.
> 
> Your commit message says as much in briefer terms, but maybe if you
> re-roll having those references would help put this change in context.>

I'll reference those commits in v3.

> > +Signatures begin with an ASCII Armor header line and end with a tail line,
> > +which differ depending on signature type.
> 
> Does the "ASCII Armor header" really add something here, or just confuse
> the user with a reference that's not followed-up or explained here?
> Maybe we should point out OpenPGP's '--armor' option in passing, to note
> to the reader that this isn't some git-specific concept.

I think having a relevant term to search for online and in manpages is
helpful. Mentioning the specific command-line option seems unnecessary,
but I'll put the term "ASCII Armor" in quotes to make it clearer that
this is not a git-specific concept.

> I wonder if structuring it like this wouldn't help make this easier to
> read, and reduce the repetition, as well as making the circular
> references between this & 'gpg.format' more obvious:
> 
> 	The signature start and end marker comes on its own line, and
> 	differs based on the signature type (as selected by
> 	'gpg.format', see linkgit:git-config[1]).
> 
> 	Those are, for values of 'gpg.format':
> 
> 	gpg: `-----BEGIN PGP SIGNATURE-----` and `-----END PGP
> 	     SIGNATURE-----`. Or, if GPG has been asked to produce
> 	     RFC1991 signatures: `-----BEGIN PGP MESSAGE-----` and
> 	     `-----END PGP MESSAGE-----`
> 
> 	x509: `-----BEGIN SIGNED MESSAGE-----` and `-----END SIGNED MESSAGE-----`
> 	ssh: `-----BEGIN SSH SIGNATURE-----` and `-----END SSH SIGNATURE-----`

Looks good. I'll do this in v3. I'll reference these by the gpg.format
value, as well as a parenthetical proper name, like "gpg (PGP)"; these
are basically the same as the other two formats, but I want it to be clear
that `gpg` signatures don't have to be from the gpg program but could be
from any PGP-supporting program.

> Then for gpg.format in Documentation/config/gpg.txt we could add e.g.:
> 
> 	See linkgit:gitformat-signature[5] for the signature format,
> 	which differs based on the selected 'gpg.format'.

OK.

Thanks.


* [PATCH v3] signature-format.txt: note SSH and X.509 signature delimiters
@ 2023-02-27 20:27   ` Gwyneth Morgan
From: Gwyneth Morgan @ 2023-02-27 20:27 UTC (permalink / raw)
  To: git; +Cc: Ævar Arnfjörð Bjarmason, Junio C Hamano,
	Gwyneth Morgan

This document only explains PGP signatures, but Git now supports X.509
signatures as of 1e7adb9756 (gpg-interface: introduce new signature
format "x509" using gpgsm, 2018-07-17), and SSH signatures as of
29b315778e (ssh signing: add ssh key format and signing code,
2021-09-10).

Additionally, explain that these signature formats are controlled by
`gpg.format`, linking to its documentation, and explain in said
`gpg.format` documentation that the underlying signature format is
documented in signature-format.txt.

Signed-off-by: Gwyneth Morgan <gwymor@tilde.club>
---
 Documentation/config/gpg.txt          |  3 +++
 Documentation/gitformat-signature.txt | 22 +++++++++++++++++-----
 2 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/Documentation/config/gpg.txt b/Documentation/config/gpg.txt
index 86f6308c4c..37e2831cd5 100644
--- a/Documentation/config/gpg.txt
+++ b/Documentation/config/gpg.txt
@@ -12,6 +12,9 @@ gpg.program::
 gpg.format::
 	Specifies which key format to use when signing with `--gpg-sign`.
 	Default is "openpgp". Other possible values are "x509", "ssh".
++
+See linkgit:gitformat-signature[5] for the signature format, which differs
+based on the selected `gpg.format`.
 
 gpg.<format>.program::
 	Use this to customize the program used for the signing format you
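Review bot: the cross-reference paragraph added after `gpg.format` is the right place for it, but note the context line directly above it names the accepted values as "openpgp", "x509" and "ssh"; the per-format labels in gitformat-signature[5] that this link points to should use those exact config values so a reader arriving from here can map them one to one. The `+` continuation marker is the correct AsciiDoc form for attaching a second paragraph to the list item.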
diff --git a/Documentation/gitformat-signature.txt b/Documentation/gitformat-signature.txt
index d8e3eb1bac..d4d3a31f03 100644
--- a/Documentation/gitformat-signature.txt
+++ b/Documentation/gitformat-signature.txt
@@ -17,12 +17,24 @@ DESCRIPTION
 Git uses cryptographic signatures in various places, currently objects (tags,
 commits, mergetags) and transactions (pushes). In every case, the command which
 is about to create an object or transaction determines a payload from that,
-calls gpg to obtain a detached signature for the payload (`gpg -bsa`) and
-embeds the signature into the object or transaction.
+calls an external program to obtain a detached signature for the payload
+(`gpg -bsa` in the case of PGP signatures), and embeds the signature into the
+object or transaction.
 
-Signatures always begin with `-----BEGIN PGP SIGNATURE-----`
-and end with `-----END PGP SIGNATURE-----`, unless gpg is told to
-produce RFC1991 signatures which use `MESSAGE` instead of `SIGNATURE`.
+Signatures begin with an "ASCII Armor" header line and end with a tail line,
+which differ depending on signature type (as selected by `gpg.format`, see
+linkgit:git-config[1]). These are, for `gpg.format` values:
+
+`gpg` (PGP)::
+	`-----BEGIN PGP SIGNATURE-----` and `-----END PGP SIGNATURE-----`.
+	Or, if gpg is told to produce RFC1991 signatures,
+	`-----BEGIN PGP MESSAGE-----` and `-----END PGP MESSAGE-----`
+
+`ssh` (SSH)::
+	`-----BEGIN SSH SIGNATURE-----` and `-----END SSH SIGNATURE-----`
+
+`x509` (X.509)::
+	`-----BEGIN SIGNED MESSAGE-----` and `-----END SIGNED MESSAGE-----`
 
 Signatures sometimes appear as a part of the normal payload
 (e.g. a signed tag has the signature block appended after the payload
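Review bot: the first entry is labelled `gpg` (PGP), but the `gpg.format` value that selects this format is "openpgp" according to the gpg.txt context line in the previous hunk ("Default is "openpgp". Other possible values are "x509", "ssh"."); since the lead-in says "These are, for `gpg.format` values:", the label should read `openpgp` (PGP), otherwise a user setting `gpg.format` from this list gets an unrecognized value. Punctuation is also uneven across the entries: the first PGP pair ends with a full stop, while the RFC1991 pair and the `ssh` and `x509` pairs have none.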

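An added example, not code from the Git project or from anyone in this thread, that puts the header/tail pairs documented in the patch to work: it splits a tag object into payload and armored signature block (the split a verifier must make before handing the payload to the signing program), recognizes the RFC1991-style PGP MESSAGE pair, and treats a header without its matching tail as "no signature" rather than guessing. The dictionary keys are the `gpg.format` values named in the gpg.txt context lines (openpgp, ssh, x509); the function names, the sample tag object and its base64-looking signature body are constructed for the demonstration.

```python
"""Split a Git tag object into payload and armored signature block.

Added example; not code from the Git project or from this thread. The
header/tail line pairs are the ones the patch documents, keyed by the
gpg.format values named in the gpg.txt context lines (openpgp, ssh,
x509). Function names, the sample tag object and its signature body are
constructed for the demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Armor header/tail pairs per gpg.format value. PGP has two pairs because
# gpg in RFC1991 mode emits MESSAGE instead of SIGNATURE.
ARMOR_LINES: dict[str, list[tuple[bytes, bytes]]] = {
    "openpgp": [
        (b"-----BEGIN PGP SIGNATURE-----", b"-----END PGP SIGNATURE-----"),
        (b"-----BEGIN PGP MESSAGE-----", b"-----END PGP MESSAGE-----"),
    ],
    "ssh": [(b"-----BEGIN SSH SIGNATURE-----", b"-----END SSH SIGNATURE-----")],
    "x509": [(b"-----BEGIN SIGNED MESSAGE-----", b"-----END SIGNED MESSAGE-----")],
}


@dataclass
class SplitObject:
    fmt: str          # gpg.format value that produced the block
    payload: bytes    # bytes before the header line: what gets verified
    signature: bytes  # header line through tail line, newline included
    trailer: bytes    # anything after the tail line (empty when well-formed)


def _find_line_start(buf: bytes, needle: bytes, pos: int = 0) -> int:
    """Offset of `needle` occupying a whole line at or after `pos`, else -1.

    A match must start at offset 0 or right after a newline and be followed
    by a newline or the end of the buffer, so a marker quoted in the middle
    of a tag message line does not count as a header or tail.
    """
    while True:
        idx = buf.find(needle, pos)
        if idx < 0:
            return -1
        at_bol = idx == 0 or buf[idx - 1:idx] == b"\n"
        after = buf[idx + len(needle):idx + len(needle) + 1]
        if at_bol and after in (b"", b"\n"):
            return idx
        pos = idx + 1


def split_signed_tag(obj: bytes) -> Optional[SplitObject]:
    """Return the payload/signature split, or None without a complete block.

    The earliest header line wins. A header whose matching tail line never
    appears (or whose tail belongs to a different pair) is reported as no
    signature instead of being guessed at.
    """
    best: Optional[tuple[int, str, bytes, bytes]] = None
    for fmt, pairs in ARMOR_LINES.items():
        for begin, end in pairs:
            start = _find_line_start(obj, begin)
            if start >= 0 and (best is None or start < best[0]):
                best = (start, fmt, begin, end)
    if best is None:
        return None
    start, fmt, begin, end = best
    tail = _find_line_start(obj, end, start + len(begin))
    if tail < 0:
        return None
    sig_end = tail + len(end)
    if obj[sig_end:sig_end + 1] == b"\n":
        sig_end += 1  # keep the tail line's newline with the block
    return SplitObject(fmt, obj[:start], obj[start:sig_end], obj[sig_end:])


# Constructed sample: a tag object with an SSH signature block appended.
# The object id and the base64 body are placeholders, not a real signature.
SAMPLE_SSH_TAG = (
    b"object 0123456789abcdef0123456789abcdef01234567\n"
    b"type commit\n"
    b"tag v1.0\n"
    b"tagger A U Thor <author@example.com> 1675996800 +0000\n"
    b"\n"
    b"Release v1.0\n"
    b"-----BEGIN SSH SIGNATURE-----\n"
    b"U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgPLACEHOLDER\n"
    b"-----END SSH SIGNATURE-----\n"
)

if __name__ == "__main__":
    split = split_signed_tag(SAMPLE_SSH_TAG)
    assert split is not None
    print(f"format={split.fmt} payload={len(split.payload)}B "
          f"signature={len(split.signature)}B trailer={len(split.trailer)}B")
```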

* Re: [PATCH v3] signature-format.txt: note SSH and X.509 signature delimiters
@ 2023-02-27 21:44     ` Junio C Hamano
From: Junio C Hamano @ 2023-02-27 21:44 UTC (permalink / raw)
  To: Gwyneth Morgan; +Cc: git, Ævar Arnfjörð Bjarmason

Gwyneth Morgan <gwymor@tilde.club> writes:

> This document only explains PGP signatures, but Git now supports X.509
> signatures as of 1e7adb9756 (gpg-interface: introduce new signature
> format "x509" using gpgsm, 2018-07-17), and SSH signatures as of
> 29b315778e (ssh signing: add ssh key format and signing code,
> 2021-09-10).
>
> Additionally, explain that these signature formats are controlled by
> `gpg.format`, linking to its documentation, and explain in said
> `gpg.format` documentation that the underlying signature format is
> documented in signature-format.txt.
>
> Signed-off-by: Gwyneth Morgan <gwymor@tilde.club>
> ---
>  Documentation/config/gpg.txt          |  3 +++
>  Documentation/gitformat-signature.txt | 22 +++++++++++++++++-----
>  2 files changed, 20 insertions(+), 5 deletions(-)

Thanks, queued.

