On 04.11.16 at 20:37, Russ Allbery wrote:
> Andreas Heigl <andreas@heigl.org> writes:
>> On 04.11.16 at 20:15, Russ Allbery wrote:
>>> GitHub will verify the signatures on tags for you if you upload the PGP public key used to sign the tags to GitHub, and show the signature as verified in their UI. (Of course, that assumes you trust GitHub to do that verification.)
>> It's a feature from git itself, not github. https://git-scm.com/book/uz/v2/Git-Tools-Signing-Your-Work
>> It is based on GPG-Keys so there's no central trusted instance which can be a benefit or a curse depending on how you look at it.
> You and I are talking about different things. I'm talking about the green "Verified" text on, for example:
We are actually talking about the same thing. The tag is signed with your private key. As soon as you upload your public key to github, they can verify the signed tag and add the "Verified" text. And everyone else can verify the tag also as long as they have your public key.

BTW: Since git 1.7.5 (I think) you can also sign commits and GitHub will mark them as verified.

Cheers

Andreas

-- 
                                                              ,,,
                                                             (o o)
+---------------------------------------------------------ooO-(_)-Ooo-+
| Andreas Heigl                                                       |
| mailto:andreas@heigl.org                  N 50°22'59.5" E 08°23'58" |
| http://andreas.heigl.org                       http://hei.gl/wiFKy7 |
+---------------------------------------------------------------------+
| http://hei.gl/root-ca                                               |
+---------------------------------------------------------------------+
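
Added example, not part of the original thread: the local check discussed above, where a signed tag is verified from a second keyring before and after the signer's public key is imported, without relying on GitHub's "Verified" label. The signer identity, tag name and directories are constructed for the demo, and git and GnuPG 2.1 or later are assumed to be installed.

```sh
#!/bin/sh
# Constructed demo: every name, address and path below is made up for illustration.
SIGNER='Demo Signer <signer@example.invalid>'
SIGNER_EMAIL='signer@example.invalid'

# Create a throwaway key in keyring $1 and a repository $2 with one signed tag, v1.0.
# The body runs in a subshell so GNUPGHOME and the cd do not leak to the caller.
make_signed_tag() (
    export GNUPGHOME="$1"
    mkdir -p "$1" && chmod 700 "$1" || exit 1
    gpg --batch --quiet --passphrase '' \
        --quick-generate-key "$SIGNER" default default never 2>/dev/null || exit 1
    git init --quiet "$2" 2>/dev/null && cd "$2" || exit 1
    git config user.name 'Demo Signer'
    git config user.email "$SIGNER_EMAIL"
    git config user.signingkey "$SIGNER_EMAIL"
    git commit --quiet --allow-empty -m 'initial commit' || exit 1
    git tag -s v1.0 -m 'release 1.0' 2>/dev/null
)

# Copy only the PUBLIC key from keyring $1 into keyring $2.
share_public_key() {
    GNUPGHOME=$1 gpg --batch --armor --export "$SIGNER_EMAIL" |
        GNUPGHOME=$2 gpg --batch --quiet --import 2>/dev/null
}

# Succeeds only if tag $3 in repo $2 has a good signature from a key in keyring $1.
verify_tag() {
    GNUPGHOME=$1 git -C "$2" verify-tag "$3" >/dev/null 2>&1
}

# Verify from a second keyring, first without and then with the signer's public key.
demo() {
    work=$(mktemp -d) || return 1
    make_signed_tag "$work/signer" "$work/repo" || return 1
    mkdir -m 700 "$work/verifier" || return 1
    if verify_tag "$work/verifier" "$work/repo" v1.0
    then before=verified; else before=unverified; fi
    share_public_key "$work/signer" "$work/verifier" || return 1
    if verify_tag "$work/verifier" "$work/repo" v1.0
    then after=verified; else after=unverified; fi
    for h in signer verifier; do
        GNUPGHOME="$work/$h" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$work"
    echo "$before $after"
}

demo   # prints: unverified verified
```

A successful `git verify-tag` only shows that the tag was signed by a key in your keyring; whether that key really belongs to the person named on it still has to be checked out of band, for example by comparing fingerprints.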