Git release tagging best practices

Werner Koch wk at
Thu Mar 21 19:50:36 CET 2019

On Tue, 19 Mar 2019 12:32, dkg at said:

> commentary and media recommendations included in the git tag messages,
> but i think they aren't currently very useful for downstream verifiers.


Frankly, I do not know what to write into the tag message because it
does not make sense to me to repeat what we have in NEWS, which is in
the commit named "Release x.y.z".  Maybe I should also change that
commit to read "GnuPG release x.y.z".

>     git tag -s -m 'GnuPG version 2.2.15' gnupg-2.2.15

Will do - and maybe add a fortune(1) to the next line.

> I'm recommending these as best practices, while acknowledging that very
> few projects follow them yet.  I'm hoping that GnuPG can help to lead

I would also wihs that more commits are signed.  With an on-disk key it
does not take any noticeable time, which it does neither when using a
GnuK with an ed25519 key.  You just need to have something like

      name = "Alica H. Acker"
      email = "ah at"
      signingkey = C1D34B69219E4AEEC0BA1C21E3FDFF218E45B72B

in ~/.gitconfig and when doing tag signing with a different key you can
resort to

  git tag -u OTHERKEYID -m 'FOO version 1.2.3' foo-1.2.3



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <>

More information about the Gnupg-devel mailing list