AcademySoftwareFoundation / MaterialX

MaterialX is an open standard for the exchange of rich material and look-development content across applications and renderers.
http://www.materialx.org/
Apache License 2.0

Consider adopting signed release tags #1998

Open cary-ilm opened 2 months ago

cary-ilm commented 2 months ago

The OpenSSF Best Practices Badge suggests signing release tags. The process is simple and is described here: create the release from a tag that was created with -s:

$ git tag -s v1.2.3

The project maintainer who creates the release tags needs a GPG key. Instructions for creating a key are described here.

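The procedure in the comment above, carried end to end as an added example (this is not code from the issue or from the MaterialX project): a throwaway GPG key is generated in an isolated keyring, a signed and an unsigned tag are created, and both are then checked from the consumer side with `git verify-tag`. The identity `Release Maintainer <release@example.invalid>`, the tag names and the repository contents are all assumptions made for the example; it needs `git` and `gpg` 2.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not MaterialX project code: GPG-signed release tags end to end.
# Assumes git and gpg (2.1+) on PATH. Key, identity, repo and tags are throwaway.
set -eu
command -v git >/dev/null 2>&1 && command -v gpg >/dev/null 2>&1 \
    || { echo "git and gpg are required" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'for d in "$WORK/maintainer" "$WORK/consumer"; do GNUPGHOME=$d gpgconf --kill gpg-agent >/dev/null 2>&1 || true; done; rm -rf "$WORK"' EXIT
export GNUPGHOME="$WORK/maintainer"      # isolated keyring, never touches ~/.gnupg
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

# 1. Maintainer side: create a signing key non-interactively (hypothetical identity).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Release Maintainer <release@example.invalid>' default default 1y
KEYID=$(gpg --list-secret-keys --with-colons | awk -F: '$1 == "fpr" { print $10; exit }')

# 2. Maintainer side: a repo with one commit, one signed tag and one unsigned tag.
git init -q "$WORK/repo" && cd "$WORK/repo"
git config user.name 'Release Maintainer'
git config user.email 'release@example.invalid'
git config user.signingkey "$KEYID"
echo 'constructed sample repository' > README.md
git add README.md && git commit -q -m 'Initial commit'
git tag -s v1.2.3 -m 'Release v1.2.3'    # -s: annotated tag carrying a GPG signature
git tag v1.2.4                            # lightweight tag: no tag object, no signature

# Publish the public key next to the release so that consumers can verify the tag.
gpg --armor --export "$KEYID" > "$WORK/release-key.asc"

# 3. Consumer side: verify a tag against a given keyring; prints verified/unverified.
verify_tag() {    # $1 = tag name, $2 = GNUPGHOME holding the keys trusted for verification
    if GNUPGHOME="$2" git verify-tag "$1" >/dev/null 2>&1; then
        echo verified
    else
        echo unverified
    fi
}

# A fresh consumer keyring: the signature is well formed but the signer is unknown,
# so verification fails until the published public key has been imported.
CONSUMER="$WORK/consumer"
mkdir -p "$CONSUMER" && chmod 700 "$CONSUMER"
BEFORE_IMPORT=$(verify_tag v1.2.3 "$CONSUMER")
GNUPGHOME="$CONSUMER" gpg --quiet --import "$WORK/release-key.asc"
AFTER_IMPORT=$(verify_tag v1.2.3 "$CONSUMER")
UNSIGNED=$(verify_tag v1.2.4 "$CONSUMER")

echo "signed tag, key unknown:  $BEFORE_IMPORT"   # unverified
echo "signed tag, key imported: $AFTER_IMPORT"    # verified
echo "lightweight tag:          $UNSIGNED"        # unverified
```

The point of the consumer-side half is the check a release process tends to forget: `git verify-tag` only succeeds when the verifier already holds the maintainer's public key, so the key (or its fingerprint) has to be published through a channel the consumer trusts, and a lightweight tag created without `-s` carries nothing to verify at all.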
jstone-lucasfilm commented 2 months ago

Thanks for posting these ideas for security improvements, @cary-ilm, and they all sound valuable to me!