ZiqianXu closed this issue 6 months ago
Thank you for your suggestion! We will do it.
We are already signing commits, and I see that it is quite easy to sign tags even manually with: https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-tags
Hi tcollector dev,
I noticed that none of the tcollector releases have signature verification, so when we download the source tarball to our system, we cannot be assured that your commits come from a trusted source.
Can tcollector sign tags and commits locally using GPG or S/MIME? That way, these tags or commits are marked as verified on GitHub so other people can trust that the changes come from a trusted source.
https://docs.github.com/en/github/authenticating-to-github/managing-commit-signature-verification
Thanks