Git release tagging best practices

Werner Koch wk at gnupg.org
Tue Mar 26 09:42:57 CET 2019 

On Thu, 21 Mar 2019 23:12, dkg at fifthhorseman.net said:

> Did you look at Peter's message?  Werner's signature over git tag
> gnupg-2.2.15 does indeed include "tag gnupg-2.2.15".

Being curious, I also checked this:

--8<---------------cut here---------------start------------->8---
$ git tag -v gnupg-2.2.14
object 813de13e73b01409fabff9859f24c4f23b808796
type commit
tag gnupg-2.2.14
tagger Werner Koch <wk at gnupg.org> 1552991853 +0100

Just another boring release
[...]
gpg: enabled debug flags: hashing
gpg: Signature made Tue Mar 19 11:37:33 2019 CET
gpg:                using RSA key D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
gpg: Good signature from "Werner Koch (dist sig)" [ultimate]
--8<---------------cut here---------------end--------------->8---

And here is the actual hashed data:

--8<---------------cut here---------------start------------->8---
00000000  6f 62 6a 65 63 74 20 38  31 33 64 65 31 33 65 37  |object 813de13e7|
00000010  33 62 30 31 34 30 39 66  61 62 66 66 39 38 35 39  |3b01409fabff9859|
00000020  66 32 34 63 34 66 32 33  62 38 30 38 37 39 36 0a  |f24c4f23b808796.|
00000030  74 79 70 65 20 63 6f 6d  6d 69 74 0a 74 61 67 20  |type commit.tag |
00000040  67 6e 75 70 67 2d 32 2e  32 2e 31 34 0a 74 61 67  |gnupg-2.2.14.tag|
00000050  67 65 72 20 57 65 72 6e  65 72 20 4b 6f 63 68 20  |ger Werner Koch |
00000060  3c 77 6b 40 67 6e 75 70  67 2e 6f 72 67 3e 20 31  |<wk at gnupg.org> 1|
00000070  35 35 32 39 39 31 38 35  33 20 2b 30 31 30 30 0a  |552991853 +0100.|
00000080  0a 4a 75 73 74 20 61 6e  6f 74 68 65 72 20 62 6f  |.Just another bo|
00000090  72 69 6e 67 20 72 65 6c  65 61 73 65 0a 04 00 01  |ring release....|
000000a0  08 00 1d 16 21 04 d8 69  21 23 c4 06 5d ea 5e 0f  |....!..i!#..].^.|
000000b0  3a b5 24 9b 39 d2 4f 25  e3 b6 05 02 5c 90 c6 6d  |:.$.9.O%....\..m|
000000c0  04 ff 00 00 00 23                                 |.....#|
--8<---------------cut here---------------end--------------->8---

which shows that the tag is actual part of the signed data.  There is no
warning if the tag has been renamed because the same data is hashed, we
would expect that from a symlink too and I consider this to be okay. 


Salam-Shalom,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20190326/d42c1a65/attachment.sig>

More information about the Gnupg-devel mailing list