Hey,

On Fri, Aug 26, 2016 at 11:21:05AM -0500, Michael Catanzaro wrote:
> On Fri, 2016-08-26 at 11:48 -0400, Shaun McCance wrote:
> > IIRC, git.gnome.org won't let you push an unsigned tag.
>
> I've been doing it for a while, so it most certainly does! I don't see
> value in signing our tags as (a) clearly nobody is checking the
> signatures, and (b) we don't currently have any centralized registry of
> trusted keys, so it's not possible to know which signatures to trust
> anyway.

For what it's worth, if all the tags are signed with the same GPG key, that's imo better than no signature at all. You could also add a line to your release email saying that the tag(/the release tarball) have been signed with the GPG key with fingerprint xxx. Even if your key is not in a centralized trust registry, this makes it harder to mess with the tags after the fact for someone who doesn't have access to your key.

Christophe

_______________________________________________
gnome-os-list mailing list
[email protected]
https://mail.gnome.org/mailman/listinfo/gnome-os-list
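
What checking a tag against the fingerprint announced in a release email could look like, as an added example that is not part of the original thread: it pins the signing key by full fingerprint using the status lines from `git verify-tag --raw`. The function names, the fingerprint and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. The fingerprint and status lines below are constructed.

# Strip spaces and upper-case, so a fingerprint pasted from an email matches.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Read GnuPG status lines on stdin. Succeed only when the signature is good,
# the key is not expired or revoked, and VALIDSIG names the pinned key.
status_matches_fpr() {
    want=$(norm_fpr "$1")
    # Accept only a full 40-hex-digit fingerprint, never a short key ID.
    printf '%s\n' "$want" | grep -Eq '^[0-9A-F]{40}$' || return 2
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" ||
        $2 == "REVKEYSIG" { bad = 1 }
        # $3 is the signing (sub)key; the last field is the primary key.
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { pinned = 1 }
        # Exit 0 only for a good signature made by the pinned key.
        END { exit !(good && pinned && !bad) }
    '
}

# Usage: verify_tag_pinned <tag> <fingerprint from the release email>
# `git verify-tag --raw` writes the GnuPG status lines to stderr.
verify_tag_pinned() {
    git verify-tag --raw "$1" 2>&1 | status_matches_fpr "$2"
}

# Constructed status output for a good signature, for offline testing.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-08-26 1472228465 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
EOF
}
```

Because the comparison is against a fingerprint recorded out of band, a tag re-signed later with a different key fails the check even though that signature is itself cryptographically valid.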
