Comment by paulddraper
7 years ago
Signing tags (or somewhat less usefully, commits) can be done the same way packages are signed. It might not be directly integrated with git, but it wouldn't be hard to make a good workflow.
The article mentions Signify/Minisign. [1]
[1] https://jedisct1.github.io/minisign/ as an PGP alternatie.
> It might not be directly integrated with git
That's the problem I see. I have signingkey in .gitconfig, together with [commit] gpgsign = true. This way, set & forget, all my commits are signed (it's my employer requirement, probably some "compliance" stuff). You can see it right away nicely displayed as "Verified" on github. I didn't know about GPG-s supposedly weak security until now, but always considered it not very convenient to use.
Ah, well if your employer mandates PGP signatures on every commit, that's that.
FWIW, the creator of git argues that signing of every commit is essentially pointless. [1] I agree.
[1] http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-t...