Git release tagging best practices
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Mar 22 04:12:07 CET 2019
On Thu 2019-03-21 14:50:56 -0700, James Bottomley wrote:
> It can't. Remember the name of the tag is metadata which is held in
> the git refs file not in the tag itself. The signature of the tag is
> over the contents (including header contents like date and parent)
> which doesn't include the name.
Did you look at Peter's message? Werner's signature over git tag
gnupg-2.2.15 does indeed include "tag gnupg-2.2.15".
> Absolutely not, at least not globally. Remember the design use case
> for signed tags is cryptographically verified pull requests, in which
> case there is no name and the tag is discarded after the pull.
That sounds more like "push certificates" than signed tags to me, but
i'm not up on the details of push certificates, so i might be wrong
about that.
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20190321/b353797d/attachment-0001.sig>
More information about the Gnupg-devel
mailing list