You should consider signing git commits & releases.
At least tags should be signed, so one can verify the release versions at least.
[previous post by @Bwko was removed]
No, I want you to sign your own commits/tags. The integration into gitea/gog is another issue.
I agree, it's a good idea to sign all the commits
I'm signing all my commits already, never tried to sign a tag. For the releases I'm not sure how to handle that because it's entirely managed within the ci server
never tried to sign a tag
It's also easy.
For the releases I'm not sure how to handle that because it's entirely managed within the ci server
So they are automatically generated? In this case you should be able to download the version and sign it afterwards.
In this case you would however have to ensure that the things you sign are valid (check the signed commits e.g.).
Yes, they are automatically generated and uploaded. Our pipeline is automated, just commits and tags are manually done :)
When tags are manually done you can easily sign them. That's all I request.
Of course signing the binary files would also be nice, but that's another thing.
So everybody should integrate his GPG key into git and sign the commits. I have added this snippet to my .gitconfig now, so from now on every tag I publish will be signed by me:
[alias]
tag = tag -s
For everybody who is interested, I'm using https://github.com/tboerger/homeshick-base/blob/master/home/.gitconfig as my ~/.gitconfig and additionally to that I put this into ~/.gitconfig.local
[commit]
gpgSign = true
since https://github.com/go-gitea/gitea/issues/425 has been resolved. This issue should be resolved also or it's easy to fix now?
The releases done by me are based on signed tags already.
since #425 has been resolved. This issue should be resolved also or it's easy to fix now?
That's a totally different story. He just requested to sign our Gitea tags and binaries.
Ohoh, so this is a build thing, not a feature?
Yeah, and I'm signing my tags. Maybe close when we have a HOWTO_RELEASE.md? 😄
An annotated or signed tag would be helpful for the upcoming release; git describe starts to look a little bit strange, as the latest annotated or signed tag was v1.1.0: v1.1.0-783-g183da4c2
All tags should be signed and annotated since 1.1.3, otherwise somebody made a mistake :)

I think we can close the issue as we are already doing it
That's fine, but the last tag related to master was v1.1.0 by some webhippie, and if one follows the current development it looks like this:
% git describe
v1.1.0-815-g033ad9a7
maybe this could be changed, 1.1.0 + 815 commits is nice and precise - ok, speed in Ångström/week is also precise.
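The policy stated above ("all tags should be signed and annotated") and the `git describe` output quoted in this thread can both be checked mechanically. The following is an added example, not code from the Gitea project or from any participant: it classifies a raw tag object as printed by `git cat-file -p <tag>` (annotated or not, PGP signature block present or not) and splits `git describe` output into nearest tag, commit distance and abbreviated hash. It only audits that a signature is present; cryptographic verification of a tag remains the job of `git tag -v <tag>` / `git verify-tag` backed by gpg. The sample tag objects, object ids and tagger identity below are constructed for the example.

```python
"""Audit helpers for a 'tags must be annotated and signed' policy.

Added example. It inspects raw tag objects (as printed by
`git cat-file -p <tag>`) and `git describe` output; it does NOT verify
signatures cryptographically, which is what `git tag -v` / `git verify-tag` do.
"""
import re
import subprocess

SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"

# Constructed sample: an annotated tag carrying a PGP signature block.
# Object id and tagger identity are placeholders, not real values.
SIGNED_TAG = """object 0123456789abcdef0123456789abcdef01234567
type commit
tag v1.1.3
tagger Example Maintainer <maintainer@example.com> 1498000000 +0200

Gitea 1.1.3
-----BEGIN PGP SIGNATURE-----

iQEzBAABCAAdFiEEexampleexampleexampleexampleexample=
-----END PGP SIGNATURE-----
"""

# Constructed sample: annotated (`git tag -a`) but not signed (`git tag -s`).
UNSIGNED_TAG = """object 89abcdef0123456789abcdef0123456789abcdef
type commit
tag v1.1.2
tagger Example Maintainer <maintainer@example.com> 1497000000 +0200

Gitea 1.1.2
"""


def read_tag_object(name):
    """Fetch a tag's raw object from the current repository.

    Returns None for a lightweight tag: it has no tag object of its own,
    so `git cat-file -t` reports the type of the commit it points at.
    """
    kind = subprocess.check_output(["git", "cat-file", "-t", name], text=True).strip()
    if kind != "tag":
        return None
    return subprocess.check_output(["git", "cat-file", "-p", name], text=True)


def classify_tag_object(raw):
    """Describe a raw tag object: annotated?, signed?, tag name, tagger identity."""
    if raw is None:  # lightweight tag, see read_tag_object()
        return {"annotated": False, "signed": False, "tag": None, "tagger": None}
    # Tag objects are header lines, a blank line, then message (+ signature).
    header, _, body = raw.partition("\n\n")
    fields = {}
    for line in header.splitlines():
        key, _, value = line.partition(" ")
        fields[key] = value
    tagger = fields.get("tagger")
    if tagger:
        # Drop the unix timestamp and timezone offset, keep "Name <email>".
        tagger = re.sub(r"\s+\d+\s+[+-]\d{4}$", "", tagger)
    signed = SIG_BEGIN in body and SIG_END in body
    return {"annotated": True, "signed": signed, "tag": fields.get("tag"), "tagger": tagger}


def audit_tags(tags):
    """tags: iterable of (name, raw_object_or_None). Return names violating the policy."""
    violations = []
    for name, raw in tags:
        info = classify_tag_object(raw)
        if not (info["annotated"] and info["signed"]):
            violations.append(name)
    return violations


# `git describe` prints "<tag>-<commits since tag>-g<abbreviated sha>",
# or just "<tag>" when HEAD is exactly on an annotated/signed tag.
DESCRIBE_RE = re.compile(r"^(?P<tag>.+?)-(?P<n>\d+)-g(?P<sha>[0-9a-f]+)$")


def parse_describe(text):
    """Split `git describe` output into (nearest tag, distance, abbreviated sha)."""
    text = text.strip()
    m = DESCRIBE_RE.match(text)
    if not m:
        return (text, 0, None)
    return (m.group("tag"), int(m.group("n")), m.group("sha"))


if __name__ == "__main__":
    print(audit_tags([("v1.1.3", SIGNED_TAG), ("v1.1.2", UNSIGNED_TAG), ("v1.0.0", None)]))
    print(parse_describe("v1.1.0-815-g033ad9a7"))
```

To run the audit against a real checkout, feed `audit_tags` with `(name, read_tag_object(name))` pairs for each name from `git tag --list`; a large distance from `parse_describe` on a development branch simply means, as noted above, that tags are cut on release/* branches rather than on master.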
We do not tag on master branch but on release/* branches
you have - the last tag on master is v1.1.0 - but anyways ...
Yes, I mean latest versions
It's not a problem, it only looks strange