Sign git tags & commits #226

Closed
opened 2025-11-02 03:14:35 -06:00 by GiteaMirror · 21 comments
Owner

Originally created by @rugk on GitHub (Jan 12, 2017).

You should consider signing git commits & releases.

At least tags should be signed, so one can verify the release versions at least.

---

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

Originally created by @rugk on GitHub (Jan 12, 2017). You should consider signing git commits & releases. * [onionshare#221 (comment)](https://is.gd/7vU4oK) * It is also displayed on GitHub: https://github.com/blog/2144-gpg-signature-verification * Here is GitHub's help for this: https://help.github.com/articles/generating-a-gpg-key/ * And here is how you can properly sign releases: https://wiki.debian.org/Creating%20signed%20GitHub%20releases At least tags should be signed, so one can verify the release versions at least. <bountysource-plugin> --- Want to back this issue? **[Post a bounty on it!](https://www.bountysource.com/issues/40890810-sign-git-tags-commits?utm_campaign=plugin&utm_content=tracker%2F47456670&utm_medium=issues&utm_source=github)** We accept bounties via [Bountysource](https://www.bountysource.com/?utm_campaign=plugin&utm_content=tracker%2F47456670&utm_medium=issues&utm_source=github). </bountysource-plugin>
GiteaMirror added the type/proposaltopic/build labels 2025-11-02 03:14:35 -06:00
Author
Owner

@rugk commented on GitHub (Jan 12, 2017):

[previous post by @Bwko was removed]
No, I want you to sign your own commits/tags. The integration into gitea/gog is another issue.

@rugk commented on GitHub (Jan 12, 2017): [previous post by @Bwko was removed] No, I want *you* to sign your own commits/tags. The integration into gitea/gog is another issue.
Author
Owner

@Bwko commented on GitHub (Jan 12, 2017):

I agree, it's a good idea to sign all the commits

@Bwko commented on GitHub (Jan 12, 2017): I agree, it's a good idea to sign all the commits
Author
Owner

@tboerger commented on GitHub (Jan 12, 2017):

I'm signing all my commits already, never tried to sign a tag. For the releases I'm not sure how to handle that because it's entirely managed within the ci server

@tboerger commented on GitHub (Jan 12, 2017): I'm signing all my commits already, never tried to sign a tag. For the releases I'm not sure how to handle that because it's entirely managed within the ci server
Author
Owner

@rugk commented on GitHub (Jan 12, 2017):

never tried to sign a tag

It's also easy.

For the releases I'm not sure how to handle that because it's entirely managed within the ci server

So they are automatically generated? In this case you should be able to download the version and sign it afterwards.
In this case you would however have to ensure that the things you sign are valid (check the signed commits e.g.).

@rugk commented on GitHub (Jan 12, 2017): > never tried to sign a tag It's [also easy](https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work#Signing-Tags). > For the releases I'm not sure how to handle that because it's entirely managed within the ci server So they are automatically generated? In this case you should be able to download the version and sign it afterwards. In this case you would however have to ensure that the things you sign are valid (check the signed commits e.g.).
Author
Owner

@tboerger commented on GitHub (Jan 12, 2017):

Yes, they are automatically generated and uploaded. Our pipeline is automated, just commits and tags are manually done :)

@tboerger commented on GitHub (Jan 12, 2017): Yes, they are automatically generated and uploaded. Our pipeline is automated, just commits and tags are manually done :)
Author
Owner

@rugk commented on GitHub (Jan 13, 2017):

When tags are manually done you can easily sign them. That's all I request.
Of course signing the binary files would also be nice, but that's another thing.

@rugk commented on GitHub (Jan 13, 2017): When tags are manually done you can easily sign them. That's all I request. Of course signing the binary files would also be nice, but that's another thing.
Author
Owner

@tboerger commented on GitHub (Jan 13, 2017):

So everybody should integrate his GPG key into git and sign the commits. I have added this snippet to my .gitconfig now, so from now on every tag I publish will be signed by me:

[alias]
  tag = tag -s

For everybody who is interested, I'm using https://github.com/tboerger/homeshick-base/blob/master/home/.gitconfig as my ~/.gitconfig and additionally to that I put this into ~/.gitconfig.local

[commit]
  gpgSign = true
@tboerger commented on GitHub (Jan 13, 2017): So everybody should integrate his GPG key into git and sign the commits. I have added this snippet to my `.gitconfig` now, so from now on every tag I publish will be signed by me: ``` [alias] tag = tag -s ``` For everybody who is interested, I'm using https://github.com/tboerger/homeshick-base/blob/master/home/.gitconfig as my `~/.gitconfig` and additionally to that I put this into `~/.gitconfig.local` ``` [commit] gpgSign = true ```
Author
Owner

@lunny commented on GitHub (May 4, 2017):

since https://github.com/go-gitea/gitea/issues/425 has been resolved. This issue should be resolved also or it's easy to fix now?

@lunny commented on GitHub (May 4, 2017): since https://github.com/go-gitea/gitea/issues/425 has been resolved. This issue should be resolved also or it's easy to fix now?
Author
Owner

@tboerger commented on GitHub (May 4, 2017):

The releases done by me are based on signed tags already.

@tboerger commented on GitHub (May 4, 2017): The releases done by me are based on signed tags already.
Author
Owner

@tboerger commented on GitHub (May 4, 2017):

since #425 has been resolved. This issue should be resolved also or it's easy to fix now?

That's a totally different story. He just requested to sign our Gitea tags and binaries.

@tboerger commented on GitHub (May 4, 2017): > since #425 has been resolved. This issue should be resolved also or it's easy to fix now? That's a totally different story. He just requested to sign our Gitea tags and binaries.
Author
Owner

@lunny commented on GitHub (May 4, 2017):

Ohoh, So this is a build thing not a feature?

@lunny commented on GitHub (May 4, 2017): Ohoh, So this is a build thing not a feature?
Author
Owner

@bkcsoft commented on GitHub (May 4, 2017):

Yeah, and I'm signing my tags. Maybe close when we have a HOWTO_RELEASE.md ? 😄

@bkcsoft commented on GitHub (May 4, 2017): Yeah, and I'm signing my tags. Maybe close when we have a `HOWTO_RELEASE.md` ? 😄
Author
Owner

@agaida commented on GitHub (Nov 29, 2017):

an annotated or signed tag would be helpful for the upcoming release - git describe start to look a little bit strange as the latest annotated or signed tag was v1.1.0 - v1.1.0-783-g183da4c2

@agaida commented on GitHub (Nov 29, 2017): an annotated or signed tag would be helpful for the upcoming release - git describe start to look a little bit strange as the latest annotated or signed tag was v1.1.0 - v1.1.0-783-g183da4c2
Author
Owner

@tboerger commented on GitHub (Nov 29, 2017):

All tags should be signed and annotated since 1.1.3, otherwise somebody made a mistake :)

@tboerger commented on GitHub (Nov 29, 2017): All tags should be signed and annotated since 1.1.3, otherwise somebody made a mistake :)
Author
Owner

@tboerger commented on GitHub (Nov 29, 2017):

bildschirmfoto 2017-11-29 um 16 28 04
@tboerger commented on GitHub (Nov 29, 2017): <img width="982" alt="bildschirmfoto 2017-11-29 um 16 28 04" src="https://user-images.githubusercontent.com/156964/33382931-5211a7fa-d522-11e7-99fa-2e662a9c7167.png">
Author
Owner

@lafriks commented on GitHub (Nov 29, 2017):

I think we can close the issue as we are already doing it

@lafriks commented on GitHub (Nov 29, 2017): I think we can close the issue as we are already doing it
Author
Owner

@agaida commented on GitHub (Nov 29, 2017):

thats fine - but the last tag related to master was v1.1.0 by some webhippie - and if one follow the current development it looks like that:

% git describe
v1.1.0-815-g033ad9a7

maybe this could be changed, 1.1.0 + 815 commits is nice and precise - ok, speed in Ansgström/Week is also precise.

@agaida commented on GitHub (Nov 29, 2017): thats fine - but the last tag related to master was v1.1.0 by some webhippie - and if one follow the current development it looks like that: > % git describe > v1.1.0-815-g033ad9a7 maybe this could be changed, 1.1.0 + 815 commits is nice and precise - ok, speed in Ansgström/Week is also precise.
Author
Owner

@lafriks commented on GitHub (Nov 29, 2017):

We do not tag on master branch but on release/* branches

@lafriks commented on GitHub (Nov 29, 2017): We do not tag on master branch but on release/* branches
Author
Owner

@agaida commented on GitHub (Nov 29, 2017):

you have - the last tag on master is v1.1.0 - but anyways ...

@agaida commented on GitHub (Nov 29, 2017): you have - the last tag on master is v1.1.0 - but anyways ...
Author
Owner

@lafriks commented on GitHub (Nov 29, 2017):

Yes, I mean latest versions

@lafriks commented on GitHub (Nov 29, 2017): Yes, I mean latest versions
Author
Owner

@agaida commented on GitHub (Nov 29, 2017):

It's not a problem, it only looks strange

@agaida commented on GitHub (Nov 29, 2017): It's not a problem, it only looks strange
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#226