airgap-it / airgap-vault

The AirGap Vault is installed on a spare smartphone that has no connection to any network, thus it is air gapped. This app handles the private key.
MIT License
386 stars 109 forks

Sign git tags on new releases #20

Closed emanuelb closed 9 months ago

emanuelb commented 4 years ago

Currently all tags in repo are not signed: https://github.com/airgap-it/airgap-vault/tags

instead of signed; see for example (click the green 'verified' button): https://github.com/bitcoin-wallet/bitcoin-wallet/tags

For more info on how to sign, see: https://help.github.com/en/github/authenticating-to-github/signing-tags

And better to read all the documentation about git signing at GitHub (commit signing as well, etc.): https://help.github.com/en/github/authenticating-to-github/managing-commit-signature-verification

After signing is used, upload the key to GitHub (it will be shown as verified instead of unverified): https://help.github.com/en/github/authenticating-to-github/adding-a-new-gpg-key-to-your-github-account

Why it's important: https://www.qubes-os.org/security/verifying-signatures/#how-to-verify-qubes-repos

AndreasGassmann commented 4 years ago

Hi, thanks for the suggestion.

We'll take a look at how we can integrate this into our release process.
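
A tag audit of the kind this issue asks for, as an added example that is not part of the thread or of the airgap-vault project: it classifies each tag as lightweight, annotated but unsigned, or signed, and runs `git verify-tag` on the signed ones so it can gate a release. The function names and the sample tag text are constructed for illustration.

```sh
# Classify the text of `git cat-file -p <annotated-tag>` read from stdin.
# A signed tag carries an armored signature block in the tag body.
classify_tag_text() {
  awk '
    !body && /^$/ { body = 1; next }   # first blank line ends the headers
    body && /^-----BEGIN (PGP|SSH) SIGNATURE-----$/ { found = 1 }
    END { print (found ? "signed" : "annotated-unsigned") }'
}

# Print the state of every tag; exit status 1 if any tag is not verified.
# Usage: audit_tags /path/to/repo
audit_tags() (
  repo=$1 rc=0
  refs=$(git -C "$repo" for-each-ref \
           --format='%(refname) %(objecttype)' refs/tags) || exit 2
  while read -r ref type; do
    [ -n "$ref" ] || continue
    if [ "$type" != tag ]; then
      state=lightweight   # plain ref to a commit: nothing to sign
    else
      state=$(git -C "$repo" cat-file -p "$ref" | classify_tag_text)
      # A signature block alone proves nothing; check it against the keyring.
      if [ "$state" = signed ] &&
         git -C "$repo" verify-tag "$ref" >/dev/null 2>&1 </dev/null; then
        state=verified
      elif [ "$state" = signed ]; then
        state=signature-not-verified
      fi
    fi
    printf '%-20s %s\n' "${ref#refs/tags/}" "$state"
    [ "$state" = verified ] || rc=1
  done <<EOF
$refs
EOF
  exit "$rc"
)

# Constructed samples of tag-object text; all values are placeholders.
UNSIGNED_SAMPLE='object 0000000000000000000000000000000000000000
type commit
tag v0.0.0-example
tagger Example Dev <dev@example.invalid> 1700000000 +0000

Example release'
SIGNED_SAMPLE="$UNSIGNED_SAMPLE
-----BEGIN PGP SIGNATURE-----

PLACEHOLDER
-----END PGP SIGNATURE-----"
```

Run `audit_tags .` inside a clone; a tag only reports `verified` when the signer's public key is already in the local keyring.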