Hey,

On Fri, Aug 26, 2016 at 11:21:05AM -0500, Michael Catanzaro wrote:
> On Fri, 2016-08-26 at 11:48 -0400, Shaun McCance wrote:
> > IIRC, git.gnome.org won't let you push an unsigned tag.
>
> I've been doing it for a while, so it most certainly does! I don't see value in signing our tags as (a) clearly nobody is checking the signatures, and (b) we don't currently have any centralized registry of trusted keys, so it's not possible to know which signatures to trust anyway.

For what it's worth, if all the tags are signed with the same GPG key, that's imo better than no signature at all. You could also add a line to your release email saying that the tag (/the release tarball) has been signed with the GPG key with fingerprint xxx. Even if your key is not in a centralized trust registry, this makes it harder to mess with the tags after the fact for someone who doesn't have access to your key.

Christophe
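
The check suggested in the reply above, as an added example that is not part of the original thread: compare the key that signed a tag with a fingerprint pinned from a release email. The function names, the fingerprint and the sample GnuPG status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: pin a release-signing key by fingerprint, without any
# central trust registry. All fingerprints and status lines are constructed.

# Constructed sample of the GnuPG status lines that
# `git verify-tag --raw <tag>` writes to stderr for a good signature.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maint@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-08-26 1472228465 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'

# validsig_primary_fpr: read GnuPG status lines on stdin and print the
# primary-key fingerprint from the first VALIDSIG line (field 12 when present,
# otherwise the signing-key fingerprint in field 3). Prints nothing when
# there is no VALIDSIG line, e.g. for BADSIG or ERRSIG.
validsig_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
             print toupper(NF >= 12 ? $12 : $3); exit
         }'
}

# tag_matches_pin STATUS PINNED: succeed only if STATUS contains a VALIDSIG
# whose primary fingerprint equals PINNED (spaces and letter case ignored).
tag_matches_pin() {
    status=$1
    pinned=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    got=$(printf '%s\n' "$status" | validsig_primary_fpr)
    [ -n "$got" ] && [ "$got" = "$pinned" ]
}

# verify_tag TAG PINNED: the same check against a real tag; run it inside
# the repository with the fingerprint copied from the release email.
verify_tag() {
    status=$(git verify-tag --raw "$1" 2>&1 >/dev/null) || return 1
    tag_matches_pin "$status" "$2"
}
```

An unsigned tag, a bad signature, or a signature from any other key makes `verify_tag` fail, so a tag replaced after the release announcement is caught even though the key sits in no trust registry.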