[openstack-dev] Please do use PGP and PGP signed tags!
Mark McLoughlin
markmc at redhat.com
Sat Feb 9 21:40:19 UTC 2013
On Sun, 2013-02-10 at 08:21 +1100, Michael Still wrote:
> On Sun, Feb 10, 2013 at 4:41 AM, Thomas Goirand <zigo at debian.org> wrote:
> > Hi everyone!
> >
> > As you may know, I am the person doing the packaging of Openstack in
> > Debian. So uploading stuff in Debian is my responsibility. I've been
> > trying to shout to everyone that they should be using PGP signed tags on
> > Github, but the message doesn't seem to be received well enough, even
> > though core repositories are signed (I could check that ttx signature is
> > in all core projects, so we're safe here). But that's not truth for many
> > smaller python modules.
>
> I had a play with this, but I haven't had a lot of luck. It turns out
> to sign a commit you can just do:
>
> git commit -a --gpg-sign
>
> But the signature doesn't appear in git log output unless you use the
> --show-signature flag. I _think_ that means it wont end up getting
> sent to gerrit, so me signing locally isn't the most useful thing
> ever.
>
> Am I misunderstanding something?
The question is about signing tags. As part of releasing modules, we do
e.g.:
$> git tag -s 2012.2.3
$> git push gerrit tag 2012.2.3
It sounds like we've failed to include '-s' when tagging some projects
in the past.
Cheers,
Mark.
More information about the OpenStack-dev
mailing list