sign git tag v0.9.0 (or commit) #67
Comments
|
We'll need to decide on commit/tag signing in general (so far, only Adam's commits in this repo are signed), but meanwhile you can verify the signature on the 0.9.0 release tarball on the Openwall website, and if you intend to use git then confirm that the trees are identical (perhaps with For commit/tag signing in general, what is the best practice here for a project with many contributors? Any example project you suggest we take a look at? BTW, the tags I created for these two releases are not annotated. I think this means they can't be signed on their own - only the commits can be. Should we use annotated tags instead? Perhaps that could be a solution allowing anyone's commit to become the release, yet have the release tag signed by a project leader (perhaps Adam or me)? I'd also like to hear from @ldv-alt on these matters.
The commit corresponding to |
|
Thank you for your consideration!
Signing all (or most) commits leaves an audit track. A long time since I looked into this. Last time I did I concluded it's best if all (new) git commits and (news) tags are signed. That makes manipulation by a mitm more difficult / easier to notice. References:
Qubes and Whonix. https://www.qubes-os.org/doc/code-signing/ Qubes and Whonix developers sign all commits as well as git tags.
That is OK. No meaningful tag message required.
I'd prefer the the signed commit that becomes the release being from a project leader. Why? Because I already have the public keys of the project leaders but not of all contributors. Thereby I can verify the signature of any commit at any time and be assured that any contribution was reviewed, merged by at least one project leader. Another reason is that sometimes LKRG is releasing fixes in git but without corresponding release tag. Therefore signed git commits are even more important than signed git tags. Because people not capable of auditing the diff from last signed tag to last commit would otherwise have no way to gpg verify they got the code from the actual developers, without mitm manipulating things.
Unless someone requesting that, I'd suggest saving the extra effort for that. |
|
Wondering if I may request prioritization of this issue, signed commit or tag creation please? That would really help with keeping the Debian package https://www.whonix.org/wiki/Linux_Kernel_Runtime_Guard_LKRG as up to date as it used to be. Reason is if I use the signed LKRG archives, extract and and commit to git Whonix/lkrg that then all files, all of LKRG would be easily confused as authored by me which I very much want to avoid. |
|
Thank you for the reminder. Frankly, this is currently still low among my priorities.
Of course, don't do that. Instead, you can Of course, the above is no excuse not to proceed with making more frequent releases with signed git tags. |
Could you please sign git tag
v0.9.0and or that commit pointing atv0.9.0?Commits of previous releases were signed.
The text was updated successfully, but these errors were encountered: