Reminder, when you sign git tags you are signing the SHA-1 hash of the SHA-1 hash of a tree of SHA-1 hashes.
Instead, sign the output of
git -c core.autocrlf=false archive --format=zip
which lets you use signify or ssh-keygen instead of gpg, too!
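An added illustration of the first point (editor's example, not part of the thread): git object ids are recomputed from scratch with hashlib so the chain tag -> commit -> tree -> blob is visible, and the bytes a tag signature covers are compared with a digest over the file contents themselves, which is what signing an archive amounts to. The file contents, tagger identity and the flat single-directory tree are constructed; `archive_digest` is a stand-in for the real `git archive` output, not its format.

```python
"""Added example: what a signed git tag actually covers, versus signing an
archive of the files. Object ids follow git's 'kind len\\0payload' SHA-1
scheme; sample data below is constructed for the demonstration."""
import hashlib
from typing import Dict, Tuple

# Constructed identity, not a real person.
IDENT = "A. Maintainer <maint@example.invalid> 1700000000 +0000"


def git_object_id(kind: str, payload: bytes) -> str:
    """SHA-1 over '<kind> <len>\\0<payload>', exactly how git names objects."""
    header = f"{kind} {len(payload)}".encode() + b"\0"
    return hashlib.sha1(header + payload).hexdigest()


def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)


def tree_object(files: Dict[str, bytes]) -> Tuple[str, bytes]:
    """Flat git tree: '<mode> <name>\\0<20 raw sha bytes>' per entry, sorted
    by name. The tree stores only blob ids, never file contents."""
    payload = b""
    for name in sorted(files):
        payload += b"100644 " + name.encode() + b"\0" + bytes.fromhex(blob_id(files[name]))
    return git_object_id("tree", payload), payload


def commit_object(tree_id: str, message: str, ident: str = IDENT) -> Tuple[str, bytes]:
    """A root commit names its tree by id; again no file contents appear."""
    payload = f"tree {tree_id}\nauthor {ident}\ncommitter {ident}\n\n{message}\n".encode()
    return git_object_id("commit", payload), payload


def tag_payload(commit_id: str, name: str, message: str, ident: str = IDENT) -> bytes:
    """The bytes a tag signature is computed over. Git appends the armoured
    signature after this text inside the same tag object, so the signature
    binds the commit id only; everything below it is reached via SHA-1."""
    return f"object {commit_id}\ntype commit\ntag {name}\ntagger {ident}\n\n{message}\n".encode()


def archive_digest(files: Dict[str, bytes]) -> str:
    """Stand-in for digesting 'git archive' output: a deterministic
    serialisation of the files themselves under SHA-256. Signing this
    binds the content directly, with no SHA-1 object id in the chain."""
    h = hashlib.sha256()
    for name in sorted(files):
        data = files[name]
        h.update(name.encode() + b"\0" + len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


def what_gets_signed(files: Dict[str, bytes], tag: str = "v1.0") -> Dict[str, object]:
    """Build the chain for a release and report both candidate signing inputs."""
    tree_id, _ = tree_object(files)
    commit_id, _ = commit_object(tree_id, "release")
    payload = tag_payload(commit_id, tag, f"release {tag}")
    return {
        "tree_id": tree_id,
        "commit_id": commit_id,
        "tag_signature_covers": payload,
        "tag_payload_mentions_file_content": any(c in payload for c in files.values()),
        "archive_signature_covers": archive_digest(files),
    }


if __name__ == "__main__":
    # Constructed release contents.
    release = {"README": b"hello\n", "main.c": b"int main(void){return 0;}\n"}
    report = what_gets_signed(release)
    print("tag signature is over:\n" + report["tag_signature_covers"].decode())
    print("archive digest:", report["archive_signature_covers"])
```

Running the block prints the tag text: it contains a commit id and nothing else from the release, so a SHA-1 collision anywhere below that id (commit, tree or blob) leaves the signed bytes unchanged. The archive digest depends on every byte of every file, which is the property the original tweet is after.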
Most aren’t signing. If they are, it’s probably b/c their central GitHub/GitLab repo requires it. For that, your thing doesn’t work. Better not distract GitHub/GitLab and tool makers from working on SHA-256 support. Unless there is some problem with the Git design w/ SHA-256 too?
Git signing design is flawed beyond SHA-1. It only supports a single signature hard-wired into the object rather than detached signatures.
A better system would use Git notes. That way multiple people could sign a commit/tag as a way to indicate they reviewed and approved of it.
It doesn't account for the need to rotate keys. If the project rotates their signing key, they can't add a new signature to the recent tags. They would have to either make new tags or force push over the old ones.
No M-of-N signing systems for releases, etc.
Not a good feature.
You get the entire history of bloated GPG RSA signatures whether or not you want them. They're a hard-wired part of the objects. You can't avoid cloning them or remove them without rewriting the history.
I strongly dislike that GitHub, etc. encourage using the feature. It sucks.