jcrist / msgspec

A fast serialization and validation library, with builtin support for JSON, MessagePack, YAML, and TOML
https://jcristharif.com/msgspec/
BSD 3-Clause "New" or "Revised" License
2.01k stars 59 forks

Sign release tags when making future releases? #628

Closed markmcclain closed 5 months ago

markmcclain commented 5 months ago

Question

msgspec is a really nice module. Would it be possible to sign the tag when creating future releases?

jcrist commented 5 months ago

Releases are initiated via the github UI - all I do is click the "draft a new release" button here when releasing, fill out the info with a new tag, and hit "Publish Release". CI builds the artifacts for pypi and conda-forge. I'm unlikely to make any amendments to this process if they meaningfully increase the release burden - I'm already strapped for OSS time as it is.

How would you go about adding tag signing to this process? What security threat are you hoping this will mitigate? Why should I amend this process to satisfy your request?

markmcclain commented 5 months ago

Thanks for creating and supporting this project. I know it is a thankless task to manage an OSS project and it's a lot of work to balance one with a day job.

The main outcome of signing is adding a bit of verification to the software supply chain. Signing helps others verify that the state of the repo at the tag is as you intended. The tags are signed locally before pushing the tag to GitHub.

More recent versions of git support signing with an SSH key, which is a low-friction method if you don't have an existing GPG setup. From there the release tag can be signed with git tag -s $tagname. GitHub has builtin support for showing verification labels for signed commits/tags.

dhirschfeld commented 5 months ago

I think there are infinitely higher priorities and this is really just a box-ticking exercise. IME your dependencies not having signed commits/tags isn't going to be the biggest security hole in your organization.

That said, if you did want to sign commits/tags you can add a SSH signing key to your GitHub account with e.g.

gh ssh-key add ~/.ssh/id_ed25519.pub --type signing

...and configure git to use it with something like:

git config --global gpg.format ssh
git config --global user.signingkey "~/.ssh/id_ed25519"
git config --global commit.gpgsign true
git config --global tag.gpgsign true
git config --global gpg.ssh.allowedSignersFile "~/.config/git/allowed_signers"

...and you can create the allowed_signers file with:

mkdir -p ~/.config/git
echo "$(git config --get user.email) $(cat ~/.ssh/id_ed25519.pub)" >> ~/.config/git/allowed_signers

If you create tags via the GitHub UI, that won't help you, as GitHub creates lightweight tags. In my own workflow I create signed, annotated tags locally and have GitHub Actions create a release automatically.

release.yaml

```yaml
name: github/release
run-name: "[${{ github.ref_name }}] github/release"
on:
  push:
    tags:
      - '*'
permissions:
  contents: write
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - id: checkout_source
        name: Checkout Source
        # https://github.com/actions/checkout
        uses: actions/checkout@v4
      - id: create_release
        name: Create Release
        shell: bash
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          set -euox pipefail
          # https://cli.github.com/manual/gh_release_create
          gh release create '${{ github.ref_name }}' \
            --repo='${{ github.repository }}' \
            --title='Release ${{ github.ref_name }}' \
            --generate-notes \
            --draft
```

[!Note] I'm just adding this for informational purposes, in case you are interested. I'm not actually recommending you spend valuable development time on this!

jcrist commented 5 months ago

I'm willing to try this for at least a few releases. The latest release (0.18.6, currently still building) is made from a signed commit. Closing.