trezor / trezord-go

:smiling_imp: Trezor Communication Daemon (written in Go)
GNU Lesser General Public License v3.0

Unsigned/retagged source releases #293

Open joecool1029 opened 1 year ago

joecool1029 commented 1 year ago

We recently had a bug opened in Gentoo for the release hash changing on 2.0.33. https://bugs.gentoo.org/904733

I believe the release was retagged?

Please try to understand that your organization currently does not sign all releases and there's no signing of a source release tarball. This makes it much easier for an adversary that gains access to your organization's GitHub (or any of the developers' accounts with commit permissions) to just retag and push a malicious release. Alarm bells go off for us at the distro level when we see that release hashes are changing as we have no idea if the release is being tampered with.

The irony of having to open an issue like this is your organization happens to sell devices that could be used to sign commits and releases and it's just not being done: https://trezor.io/learn/a/what-is-gpg
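
What the distro-side check described above actually does with a retagged release, shown as an added example in Go (the project's language); this is not code from trezord-go or from anyone in this thread. A packager pins a sha256sum-style manifest at first fetch and refuses to build when the bytes later served under the same name no longer match. The manifest, file names and file contents are constructed for the example: "abc" and the fox sentence stand in for the tarball and zip because their SHA-256 digests are standard test vectors, and nothing here is a digest of a real 2.0.33 artifact.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

type Result struct {
	Expected string // digest pinned in the manifest (hex)
	Actual   string // digest of the bytes present now (hex); empty if missing
	Status   string // "ok", "mismatch" or "missing"
}

// ParseManifest parses sha256sum-style lines ("<hex digest>  <filename>", name
// optionally '*'-prefixed). Blank lines and '#' comments are skipped; any other
// malformed line is an error, so a truncated manifest fails closed.
func ParseManifest(text string) (map[string]string, error) {
	pins := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 || len(fields[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("malformed manifest line: %q", line)
		}
		digest := strings.ToLower(fields[0])
		if _, err := hex.DecodeString(digest); err != nil {
			return nil, fmt.Errorf("digest is not hex on line %q", line)
		}
		pins[strings.TrimPrefix(fields[1], "*")] = digest
	}
	return pins, sc.Err()
}

// VerifyArtifacts hashes each pinned artifact that is present and compares it
// with its pin; a pinned file that is absent is reported as "missing".
func VerifyArtifacts(pins map[string]string, files map[string][]byte) map[string]Result {
	out := make(map[string]Result, len(pins))
	for name, want := range pins {
		r := Result{Expected: want, Status: "missing"}
		if data, ok := files[name]; ok {
			sum := sha256.Sum256(data)
			r.Actual = hex.EncodeToString(sum[:])
			r.Status = "mismatch"
			if r.Actual == want {
				r.Status = "ok"
			}
		}
		out[name] = r
	}
	return out
}

// AllOK reports whether every pinned artifact verified, i.e. the build may proceed.
func AllOK(results map[string]Result) bool {
	for _, r := range results {
		if r.Status != "ok" {
			return false
		}
	}
	return true
}

// DemoManifest is a constructed manifest of the kind a packager records at first
// fetch. The digests are those of the stand-in bytes below, not of a real release.
const DemoManifest = `# pinned at first fetch of 2.0.33 (constructed example)
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  trezord-go-2.0.33.tar.gz
d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592 *trezord-go-2.0.33.zip
`

// ReleaseFiles stands in for the artifacts as first downloaded (constructed contents).
func ReleaseFiles() map[string][]byte {
	return map[string][]byte{
		"trezord-go-2.0.33.tar.gz": []byte("abc"),
		"trezord-go-2.0.33.zip":    []byte("The quick brown fox jumps over the lazy dog"),
	}
}

// RetaggedFiles stands in for what the same URLs serve after a force-pushed tag:
// the tarball bytes differ (constructed one-byte edit) and the zip is gone.
func RetaggedFiles() map[string][]byte {
	return map[string][]byte{"trezord-go-2.0.33.tar.gz": []byte("abd")}
}

func main() {
	pins, err := ParseManifest(DemoManifest)
	if err != nil {
		panic(err)
	}
	fmt.Println("first fetch, build may proceed:", AllOK(VerifyArtifacts(pins, ReleaseFiles())))
	for name, r := range VerifyArtifacts(pins, RetaggedFiles()) {
		fmt.Printf("after retag: %-8s %s\n", r.Status, name)
	}
}
```

The pin catches that the bytes changed (a tag moved to a different commit changes the archive even when the tree is identical, since git archive records the commit id in the tarball), but a digest alone cannot tell the benign retag that the maintainers describe later in this thread apart from a malicious one; only a signature on the tag or on the checksum file, made with a key the packager already trusts, settles that question.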

stefanb commented 7 months ago

Yes, as per https://github.com/trezor/trezord-go/issues/292#issuecomment-1515941719 where @tsusanka wrote:

My bad 🤦. Will force-push the git tag.

it seems there was some tagging gymnastics involved.

tsusanka commented 7 months ago

Yes, apologies, won't happen again.

We are currently considering rewriting this project completely to nodejs, so it is mostly on hold for now.