GitHub user ppkarwasz added a comment to the discussion: Tag cleanup and protection
Signatures on commits and tags are a slightly different topic:

- We don't require signatures in PRs, because we have no way to verify GPG keys for **contributors**.
- However, we know the keys of **release managers**, and our users can easily verify that a release commit is signed by one of us.

To create a tag, all it takes now is to steal a PAT with write permission on `contents`. However, you won't be able to sign it with a release manager's GPG key.

GitHub link: https://github.com/apache/logging-log4j2/discussions/4096#discussioncomment-16586265
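The verification step the comment relies on, as an added example that is not part of the discussion or the Log4j project's own tooling: a tag created with a stolen token is rejected unless GnuPG reports a valid signature whose primary key fingerprint is on a fixed allowlist of release-manager keys. It parses the status lines `git verify-tag --raw` prints on stderr; the fingerprints, the tag name and the status lines used for the check are constructed placeholders.

```python
"""Accept a git tag only if it is signed by a known release-manager key.

`git verify-tag --raw <tag>` emits GnuPG status-fd lines on stderr. We accept
only a VALIDSIG whose primary-key fingerprint is on the allowlist, so a
GOODSIG from some other key that happens to be in the local keyring (for
example a contributor's key) is still rejected.
"""
import subprocess
from typing import Iterable, Optional

# Constructed placeholder fingerprints; a real project would take these from
# its published KEYS file, not from a hard-coded set.
RELEASE_MANAGER_FPRS = {"AAAA000011112222333344445555666677778888"}

# Any of these status keywords means the signature must not be trusted.
HARD_FAILURES = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def _status_fields(line: str) -> list:
    parts = line.split()
    return parts[1:] if len(parts) > 1 and parts[0] == "[GNUPG:]" else []


def signer_fingerprint(status_lines: Iterable[str]) -> Optional[str]:
    """Primary-key fingerprint from the VALIDSIG line, or None if absent.

    VALIDSIG fields: fpr sig-date sig-ts expire-ts sig-version reserved
    pubkey-algo hash-algo sig-class primary-key-fpr. The last field names the
    primary key even when a signing subkey made the signature.
    """
    for line in status_lines:
        f = _status_fields(line)
        if f and f[0] == "VALIDSIG":
            return f[10] if len(f) >= 11 else f[1]
    return None


def is_release_manager_signature(status_lines: Iterable[str],
                                 allowed=RELEASE_MANAGER_FPRS) -> bool:
    lines = list(status_lines)
    if any(_status_fields(l)[:1] and _status_fields(l)[0] in HARD_FAILURES
           for l in lines):
        return False
    fpr = signer_fingerprint(lines)
    return fpr is not None and fpr in allowed


def verify_release_tag(tag: str, repo: str = ".") -> bool:
    """Run git (needs git and gpg installed) and apply the allowlist policy."""
    proc = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                          capture_output=True, text=True)
    return proc.returncode == 0 and is_release_manager_signature(
        proc.stderr.splitlines())
```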
