Question: Signed-Tags vs. Signed-Releases

[azeemshaikh38]

I was wondering what the difference between our Signed-Tags and Signed-Releases check is. According to our README Signed-Tags tests if - the project cryptographically signs release tags?. 2 questions then:

1. Our current implementation tests if all tags are signed and not just release tags. Is that a mistake?
2. If we are concerned only with release tags, should we consider merging Signed-Tags and Signed-Releases checks into one?

@inferno-chromium @oliverchang @laurentsimon @naveensrinivasan thoughts?

[naveensrinivasan]

Signed Tags are Git Tags that are supposed to be signed. Not every tag would end up in releases.

Signed releases are when the releases are cryptographically signed.

I was wondering what the difference between our Signed-Tags and Signed-Releases check is. According to our README Signed-Tags tests if - the project cryptographically signs release tags?. 2 questions then:

1. Our current implementation tests if all tags are signed and not just release tags. Is that a mistake?

It is not. Not all git tags end up with releases, it is based on the project's release criteria.

1. Signed tags are for all git tags
2. Signed releases for not for tags but for the actual release.

This is incorrect Does the project cryptographically sign release tags? for Signed-Tags and needs to be fixed. The details have the correct description https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-tags

2. If we are concerned only with release tags, should we consider merging Signed-Tags and Signed-Releases checks into one?

@inferno-chromium @oliverchang @laurentsimon @naveensrinivasan thoughts?

[azeemshaikh38]

Makes sense. Although how is testing all Git tags useful to users? IIUC, if these Git tags aren't used in releases, users would never see/use these tags?

[inferno-chromium]

We probably don't even need signed tags check. i think we should keep just a signed releases check. @dlorenc for additional thoughts ?