Git release tagging best practices
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Mar 20 13:28:33 CET 2019
On Tue 2019-03-19 19:09:25 +0100, Peter Lebbing wrote:
> On 19/03/2019 17:32, Daniel Kahn Gillmor wrote:
>> PS Note that the *name* of the tag itself is not covered by the
>> cryptographic signature (it is possible to rename tags without
>> modifying their cryptographic validity). This is why I recommend
>> using the tag message to contain this information rather than the tag
>> name itself.
> Are you sure? I looked at what the exact data that is signed is, and it
> seems to me it does include the name:
That's interesting, thanks for pointing it out. There are two places
for the name of the tag, and i think you're right that the signatures
made by modern git tags do seem to include the tag name (gnupg is ahead
of the game here, fwiw: many projects don't include the project name in
their tag name, and just go with tags like v2.2.13, which leave the same
issue open). I didn't think that they used to do that, but maybe they
did and i just never noticed.
> Note that the third line of the signed data reads "tag gnupg-2.2.13". So
> is there some loophole that means this is not useful?
To test that, i've just pushed https://gitlab.com/dkg/renaming-demo.git,
where I've just re-named a different tag issued by Werner.
If you were to clone that repository, you'll note that "git tag -v
gnupg-2.2.13" returns success, even though the contents of the message
don't say "tag gnupg-2.2.13".
So i suppose it depends on how you think people are verifying that tag.
I'd imagine most folks (if they verify the tag at all) just check that
git tag -v $tagname returns 0 (and maybe they check that the tag was
made by a key that they associate with the project).
I wonder whether we "git tag -v" should raise an error if the tag name
within the signature doesn't match the tag name being verified. I've
just sent message-id: <875zsdu41d.fsf at fifthhorseman.net> to
git at vger.kernel.org to ask about improving the situation there (maybe i
need to subscribe to convince them to let my mail through, though, i
> I'm not saying that the first line of tag messages shouldn't be
> standardized as you propose, I'm just debating the correctness of the
> quoted assertion.
Thanks for the clarifying question, and for pointing this out!
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 227 bytes
Desc: not available
More information about the Gnupg-devel