signed git tags #108
Reference: Bitmessage/PyBitmessage-2025-01-09#108
No description provided.
It would be nice if you could provide signed git tags for new releases.
This would be so that I am authenticating the code at points in time, yes?
Yes.
I feel like if someone were able to push code using my account, there is a good chance that it is because they are already in my system.
It's also useful in case GitHub gets hacked again or in case SSL CAs get hacked again.
Well, I guess right now that's a nice to have, but from v1.0 onwards you should do that. And keep the key on a USB stick locked in a safe or something like that.
To defeat system compromise, it's also possible to have an offline (air-gapped) gpg key. (some instructions)
I don't even see any release tags in the repository at all, signed or otherwise. It would be nice to at least include those even if they aren't signed.
Yeah there should be release tags. Right now you can't, for example, tell what API calls are part of the stable release. And once you're generating the tags, you might as well sign them.
Smartcards are the way to go. But even without one, I strongly support GPG-signed release tags.
I'd also love to see tags to document the releases in Git, and signed if possible (even if you think it's not that much additional safety, it can't hurt to have an extra layer).
+1 as this is no big deal: GPG sign commit
Signing/verifying git commits is also useful for security. Especially if it's a signed commit that gets a signed git tag. See also: http://mikegerwitz.com/papers/git-horror-story
Signing git commits can also be simplified, done transparently, in recent git versions. Using commit.gpgsign + no-ff merge option + signing key id in settings.
👍
For when GitHub and / or certs get compromised.
+1 This is pretty straightforward to do.
I have been signing pgp commits in my fork for a while. I screwed up signing the tag, but I'll know how to do it next time. I'm using key 53FBF089. I'll have a new key next week, I'll make the appropriate announcements.
I kindly request people who make pull requests to also sign their commits.
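The workflow the thread asks for (commit.gpgsign so every commit is signed transparently, a signed annotated tag per release, and git's own verification on the consumer side), shown as an added example that is not PyBitmessage code; the key identity, version string and paths are constructed for the demo, and the key has no passphrase only because it is thrown away afterwards.

```shell
#!/bin/sh
# Added example (not PyBitmessage code): signed commits plus a signed release
# tag in a throwaway repo, checked with git's built-in verification.
# Key identity, version and paths are constructed for this demo.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
REPO="$WORK/repo"

# 1. Throwaway signing key. No passphrase only because it is disposable;
#    a real release key belongs on a smartcard or an offline machine.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "Demo Release Key <release@example.invalid>" default default never
KEYID=$(gpg --list-secret-keys --with-colons | awk -F: '/^fpr/ { print $10; exit }')

# 2. Repository configured so every commit is signed without extra flags.
git init -q "$REPO"
git -C "$REPO" config user.name  "Demo Release"
git -C "$REPO" config user.email "release@example.invalid"
git -C "$REPO" config user.signingkey "$KEYID"
git -C "$REPO" config commit.gpgsign true

echo "1.0.0" > "$REPO/VERSION"
git -C "$REPO" add VERSION
git -C "$REPO" commit -q -m "Release 1.0.0"        # signed via commit.gpgsign
git -C "$REPO" tag -s v1.0.0 -m "Release 1.0.0"     # signed annotated tag
git -C "$REPO" tag v1.0.0-lightweight               # ref only: no tag object, no signature

# 3. What a consumer runs before building a release: exit 0 only for a GOOD
#    signature from a key present in the verifier's keyring.
verify_tag()    { git -C "$1" verify-tag    "$2" >/dev/null 2>&1; }
verify_commit() { git -C "$1" verify-commit "$2" >/dev/null 2>&1; }

# Key id reported by gpg for the tag, to compare against the announced key.
signer_of_tag() {
    git -C "$1" verify-tag --raw "$2" 2>&1 | awk '/GOODSIG/ { print $3; exit }'
}

main() {
    verify_tag "$REPO" v1.0.0 && echo "v1.0.0: good signature from $(signer_of_tag "$REPO" v1.0.0)"
    verify_tag "$REPO" v1.0.0-lightweight || echo "v1.0.0-lightweight: not signed, refuse to build"
    verify_commit "$REPO" HEAD && echo "HEAD: commit signature verified"
}
main
```

Verification succeeds only because the demo key sits in the verifier's own keyring; a downstream packager would first import the maintainer's announced public key and compare the printed key id against the announcement.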