Signing git tags for releases

From: Stefan Kangas
Subject: Signing git tags for releases
Date: Thu, 2 Dec 2021 16:06:33 -0800

I would like to suggest that we start signing git tags in our
repository.  This would give greater confidence that a particular commit
is in fact the one corresponding to a particular release (e.g. the one
with some security fix and not an older one).

It is not strictly necessary in the sense that we are okay as-is, but I
think it's good form and a generally accepted best practice.  For
context, see also the previous discussion in Bug#24461.

AFAIK, this will not require any action on behalf of anyone except the
person making our releases, unless they specifically want to verify some
signed git tag with "git tag -v TAG".  In that case, they will obviously
first need to fetch the corresponding public key.

Unless I am overlooking something, the necessary documentation changes
will be in make-tarball.txt only.  See the attached diff.

If there are no objections to this plan, I hope to start doing this
from Emacs 28.0.91 (the second pretest release) and onward.

Attachment: sign.diff
Description: Text Data
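
The verification step mentioned in the message ("git tag -v TAG" after fetching the signer's public key), as an added example that is not part of the original message or of the project's release procedure. It goes one step further than `git tag -v` by pinning the signer's primary-key fingerprint; the function names, the pinned fingerprint and the sample status lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a tag's signature is
# acceptable from the GnuPG status lines of `git verify-tag --raw TAG`.

# classify_status EXPECTED_PRIMARY_FPR   (status lines on stdin)
# Prints: ok | no-pubkey | bad-signature | expired-or-revoked | wrong-signer | unsigned
classify_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG"    { bad = 1 }
        $2 == "NO_PUBKEY" { nokey = 1 }
        $2 == "EXPSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { stale = 1 }
        # Last VALIDSIG field is the primary-key fingerprint, even when a
        # signing subkey made the signature.
        $2 == "VALIDSIG"  { valid = 1; primary = $NF }
        END {
            if (bad)         print "bad-signature"
            else if (nokey)  print "no-pubkey"
            else if (stale)  print "expired-or-revoked"
            else if (!valid) print "unsigned"
            else if (toupper(primary) != toupper(want)) print "wrong-signer"
            else print "ok"
        }'
}

# verify_release_tag TAG EXPECTED_PRIMARY_FPR   (hypothetical helper; run inside a clone)
# --raw writes the status lines to stderr, so only stderr goes down the pipe.
verify_release_tag() {
    result=$(git verify-tag --raw "$1" 2>&1 >/dev/null | classify_status "$2")
    echo "$1: $result"
    [ "$result" = ok ]
}

# Constructed sample input: fingerprint, key ID and signer are made up.
PINNED_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2021-12-03 1638489993 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'
SAMPLE_NOKEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 89ABCDEF01234567 1 10 00 1638489993 9 -
[GNUPG:] NO_PUBKEY 89ABCDEF01234567'

printf '%s\n' "$SAMPLE_GOOD"  | classify_status "$PINNED_FPR"   # key present, pinned signer
printf '%s\n' "$SAMPLE_NOKEY" | classify_status "$PINNED_FPR"   # public key not yet fetched
```

The `no-pubkey` result corresponds to the case the message describes, where the verifier has not yet fetched the release signer's public key.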
