On 04.11.16 at 20:15, Russ Allbery wrote:
> Paul G <paul@ganssle.io> writes:
>
>> There is a way to sign tags directly, but I'm not sure that there's a way to actually verify the signature without cloning the git repository. It might be worth looking into some sort of script or hook that automatically generates signed tarballs for distribution when the repository is tagged.
>
> GitHub will verify the signatures on tags for you if you upload the PGP public key used to sign the tags to GitHub, and show the signature as verified in their UI. (Of course, that assumes you trust GitHub to do that verification.)
It's a feature from git itself, not GitHub: https://git-scm.com/book/uz/v2/Git-Tools-Signing-Your-Work

It is based on GPG keys, so there's no central trusted instance, which can be a benefit or a curse depending on how you look at it.

Cheers
Andreas

-- 
Andreas Heigl
mailto:andreas@heigl.org    N 50°22'59.5" E 08°23'58"
http://andreas.heigl.org    http://hei.gl/wiFKy7
http://hei.gl/root-ca
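As an added example (not code posted by anyone in this thread), the following Python shows what the git mechanism Andreas points to actually signs, which is also what Paul's "verify without cloning" question comes down to. A signed tag object is the plain tag header and message with an ASCII-armoured detached PGP signature appended; `git tag -v` strips that trailing block and hands the rest to gpg as the signed payload. If you can obtain the raw tag object by any means (a shallow fetch of just the tag, or the hosting provider's API exposing the tag object), you can do the same split yourself and verify with gpg locally instead of trusting a web UI badge. The sample tag object below is constructed: the object SHA-1, tagger and signature body are placeholders, not a real signature, so `verify_with_gpg` is only there to show the command shape and is assumed to run against real data with `gpg` on PATH.

```python
"""Split a signed git tag object into payload and PGP signature (added example)."""
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"

# Constructed sample. Header layout follows git's real tag object format, but
# the SHA-1, tagger and the armoured body are placeholders, not a real signature.
SAMPLE_TAG_OBJECT = (
    "object 1111111111111111111111111111111111111111\n"
    "type commit\n"
    "tag v1.0.0\n"
    "tagger Example Maintainer <maintainer@example.invalid> 1478282100 +0100\n"
    "\n"
    "Release 1.0.0\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "iQEzBAABCAAdFiEEplaceholderplaceholderplaceholderplaceholderFAlge\n"
    "placeholderplaceholderplaceholder=\n"
    "=AbCd\n"
    "-----END PGP SIGNATURE-----\n"
)

REQUIRED_HEADER_FIELDS = ("object", "type", "tag", "tagger")


def split_signed_tag(raw: str) -> Tuple[str, Optional[str]]:
    """Return (payload, armoured_signature), or (raw, None) for an unsigned tag.

    The signature is the trailing armoured block that starts on its own line.
    Everything before it, including the newline ending the message, is exactly
    the byte sequence the tagger's key signed.
    """
    idx = raw.rfind("\n" + SIG_BEGIN + "\n")
    if idx == -1 or not raw.rstrip("\n").endswith(SIG_END):
        return raw, None
    payload = raw[: idx + 1]
    signature = raw[idx + 1 :]
    return payload, signature


def parse_tag_header(payload: str) -> Dict[str, str]:
    """Parse the signed payload into its header fields plus the tag message.

    Raises ValueError if a mandatory field is missing, since a payload that
    verifies but lacks e.g. the `object` line tells you nothing useful.
    """
    header, _, message = payload.partition("\n\n")
    fields: Dict[str, str] = {}
    for line in header.splitlines():
        key, _, value = line.partition(" ")
        fields[key] = value
    missing = [f for f in REQUIRED_HEADER_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"tag payload missing header field(s): {missing}")
    fields["message"] = message
    return fields


def check_tag_matches(fields: Dict[str, str], expected_tag: str, expected_commit: str) -> bool:
    """A valid signature alone is not enough: the signed payload must also name
    the tag and commit you think you are verifying, otherwise an attacker can
    serve you a genuinely signed but older or differently named tag."""
    return (
        fields["type"] == "commit"
        and fields["tag"] == expected_tag
        and fields["object"] == expected_commit
    )


def verify_with_gpg(payload: str, signature: str) -> Optional[bool]:
    """Run `gpg --verify <sig> <payload>` the way `git tag -v` does.

    Returns True/False for gpg's verdict, or None when gpg is not installed.
    The signer's public key must already be in the local keyring; this does
    not consult any remote service.
    """
    if shutil.which("gpg") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        sig_path = Path(tmp, "tag.sig")
        payload_path = Path(tmp, "tag.payload")
        sig_path.write_text(signature, encoding="utf-8")
        payload_path.write_text(payload, encoding="utf-8")
        result = subprocess.run(
            ["gpg", "--batch", "--verify", str(sig_path), str(payload_path)],
            capture_output=True,
        )
    return result.returncode == 0


if __name__ == "__main__":
    payload, sig = split_signed_tag(SAMPLE_TAG_OBJECT)
    fields = parse_tag_header(payload)
    print("signed payload ends with message:", repr(fields["message"]))
    print("names expected tag/commit:", check_tag_matches(fields, "v1.0.0", "1" * 40))
    print("gpg verdict (placeholder signature, expect False or None):", verify_with_gpg(payload, sig))
```

The same split applies to Paul's tarball idea in reverse: `git archive` output plus `gpg --detach-sign` gives you a payload and a signature file that downstream users verify with the identical `gpg --verify sig payload` call, with no repository or hosting provider in the loop.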