Sign git tags & commits

[rugk]

You should consider signing git commits & releases.

• onionshare#221 (comment)
• It is also displayed on GitHub: https://github.com/blog/2144-gpg-signature-verification
• Here is GitHub's help for this: https://help.github.com/articles/generating-a-gpg-key/
• And here is how you can properly sign releases: https://wiki.debian.org/Creating%20signed%20GitHub%20releases

At least tags should be signed, so one can verify the release versions at least.

---

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

[rugk]

[previous post by @Bwko was removed]
No, I want you to sign your own commits/tags. The integration into gitea/gog is another issue.

[Bwko]

I agree, it's a good idea to sign all the commits

[tboerger]

I'm signing all my commits already, never tried to sign a tag. For the releases I'm not sure how to handle that because it's entirely managed within the ci server

[rugk]

never tried to sign a tag

It's also easy.

For the releases I'm not sure how to handle that because it's entirely managed within the ci server

So they are automatically generated? In this case you should be able to download the version and sign it afterwards.
In this case you would however have to ensure that the things you sign are valid (check the signed commits e.g.).

[tboerger]

Yes, they are automatically generated and uploaded. Our pipeline is automated, just commits and tags are manually done :)

[rugk]

When tags are manually done you can easily sign them. That's all I request.
Of course signing the binary files would also be nice, but that's another thing.

[tboerger]

So everybody should integrate his GPG key into git and sign the commits. I have added this snippet to my .gitconfig now, so from now on every tag I publish will be signed by me:

[alias]
  tag = tag -s

For everybody who is interested, I'm using https://github.com/tboerger/homeshick-base/blob/master/home/.gitconfig as my ~/.gitconfig and additionally to that I put this into ~/.gitconfig.local

[commit]
  gpgSign = true

[lunny]

since #425 has been resolved. This issue should be resolved also or it's easy to fix now?

[tboerger]

The releases done by me are based on signed tags already.

[tboerger]

since #425 has been resolved. This issue should be resolved also or it's easy to fix now?

That's a totally different story. He just requested to sign our Gitea tags and binaries.

[lunny]

Ohoh, So this is a build thing not a feature?

[bkcsoft]

Yeah, and I'm signing my tags. Maybe close when we have a HOWTO_RELEASE.md ? 😄

[agaida]

an annotated or signed tag would be helpful for the upcoming release - git describe start to look a little bit strange as the latest annotated or signed tag was v1.1.0 - v1.1.0-783-g183da4c2

[tboerger]

All tags should be signed and annotated since 1.1.3, otherwise somebody made a mistake :)

[tboerger]

[lafriks]

I think we can close the issue as we are already doing it

[agaida]

thats fine - but the last tag related to master was v1.1.0 by some webhippie - and if one follow the current development it looks like that:

% git describe
v1.1.0-815-g033ad9a7

maybe this could be changed, 1.1.0 + 815 commits is nice and precise - ok, speed in Ansgström/Week is also precise.

[lafriks]

We do not tag on master branch but on release/* branches

[agaida]

you have - the last tag on master is v1.1.0 - but anyways ...

[lafriks]

Yes, I mean latest versions

[agaida]

It's not a problem, it only looks strange