Benjamin Kaduk wrote in
 <20210908222248.GX19992@xxxxxxxxxx>:
 |On Thu, Sep 09, 2021 at 12:15:44AM +0200, Steffen Nurpmeso wrote:
 |>
 |> P.S.: maybe at least release commits and tags could be signed?
 |> And/or HTTPS access to the repository ... but then i get the gut
 |> feeling that the answer to this will be "use github" or something.
 |
 |tag openssl-3.0.0
 |Tagger: Richard Levitte <richard@xxxxxxxxxxx>
 |Date: Tue Sep 7 13:46:40 2021 +0200
 |
 |OpenSSL 3.0.0 release tag
 |-----BEGIN PGP SIGNATURE-----
 |
 |iFwEABECAB0WIQTEyrdJw09/TMBP2smnr5549wlFOwUCYTdRIAAKCRCnr5549wlF
 |O7wEAJ90wRuQnQYdf7RrzD7p2tf2eZhP4QCXeXX3a1IgbIgfU7WuLZ44BbXF7w==
 |=pGf9
 |-----END PGP SIGNATURE-----
 |
 |looks signed to me.

That is really interesting now.
If i use "git show openssl-3.0.0" i see this myself.

  tag openssl-3.0.0
  Tagger: Richard Levitte <richard@xxxxxxxxxxx>
  TaggerDate: 2021-09-07 13:46:40 +0200

  OpenSSL 3.0.0 release tag
  -----BEGIN PGP SIGNATURE-----

  iFwEABECAB0WIQTEyrdJw09/TMBP2smnr5549wlFOwUCYTdRIAAKCRCnr5549wlF
  O7wEAJ90wRuQnQYdf7RrzD7p2tf2eZhP4QCXeXX3a1IgbIgfU7WuLZ44BbXF7w==
  =pGf9
  -----END PGP SIGNATURE-----

  commit 89cd17a031 (tag: refs/tags/openssl-3.0.0)
  ...

But if i use

  #?0|kent:tls-openssl.git$ alias gl1
  alias gl1='git slpn -1'
  #?0|kent:tls-openssl.git$ git alias|grep slpn
  alias.slpn log --show-signature --patch --find-renames --stat --no-abbrev-commit
  #?0|kent:tls-openssl.git$ gl1 openssl-3.0.0
  commit 89cd17a031e022211684eb7eb41190cf1910f9fa (tag: refs/tags/openssl-3.0.0)
  ...

i do not.  Hm, maybe i need to relearn git again, looking around
i see a couple of projects for which this is true (Linux,
wireguard-tools), for others it is not (my own project, nghttp2).
Eg "alias.slo log --show-signature --oneline --graph":

  #?141|kent:nail.git$ git slo -1 master
  Reading passphrase from file descriptor 4
  * 69be61071c (...)
  gpg: Signature made Wed 01 Sep 2021 01:19:46 PM CEST
  | gpg: using RSA key DF082F6AEEC8C2FF
  | gpg: Good signature from "Steffen Nurpmeso <steffen@xxxxxxxxxx>"
  | gpg: WARNING: This key is not certified with a trusted signature!
  | gpg: There is no indication that the signature belongs to the owner.
  | Primary key fingerprint: EE19 E1C1 F2F7 054F 8D39 54D8 3089 64B5 1883 A0DD
  | Subkey fingerprint: 8A2A 4D60 9FDC 539C 75F5 5B95 DF08 2F6A EEC8 C2FF
  | Clear an installed alarm(2) in fork(2)ed childs (Stephen Isard)

  #?0|kent:nghttp2.git$ git slo -1 fcc20334da
  Reading passphrase from file descriptor 4
  * fcc20334da gpg: Signature made Sat 04 Sep 2021 10:26:47 AM CEST
  |\ gpg: using RSA key 4AEE18F83AFDEB23
  | | gpg: Can't check signature: public key not found
  | | Merge pull request #1613 from mkauf/check_pseudo_header_chars

  #?0|kent:wireguard-tools.git$ git slo -1 v1.0.20210424
  * ecb1ea29d7 (tag: refs/tags/v1.0.20210424) version: bump

  #?128|kent:linux.git$ git slo -1 v5.10.62
  * f6dd002450 (tag: refs/tags/v5.10.62, refs/remotes/origin/linux-5.10.y) Linux 5.10.62

Ooops, i am totally off again.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
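
Added example, not part of the original message: a tag's OpenPGP signature is appended to the message of the tag object, while a commit's signature sits in a `gpgsig` header of the commit object, and `git log --show-signature` checks commit objects only. The sketch below classifies raw object text accordingly; the function names, object ids and signature bodies are constructed placeholders, and only PGP-armored signatures are considered.

```shell
# Added example: reads one raw git object on stdin (`git cat-file tag <name>`
# or `git cat-file commit <id>`) and reports where it carries a signature.
sig_location() {
    awk '
        NR == 1 { kind = ($1 == "object") ? "tag" : "commit" }
        !body && /^$/ { body = 1; next }   # first empty line ends the headers
        !body && /^gpgsig/ { hdr = 1 }     # commit: signature is a header field
        body && /^-----BEGIN PGP SIGNATURE-----$/ { trailer = 1 }  # tag: end of message
        END {
            if (kind == "tag" && trailer)     print "signed-tag"
            else if (kind == "commit" && hdr) print "signed-commit"
            else                              print "unsigned-" kind
        }'
}

# Constructed samples: ids, names and signature bodies are placeholders.
sample_signed_tag() { cat <<'EOF'
object 0000000000000000000000000000000000000001
type commit
tag v1.0-example
tagger Example Tagger <tagger@example.invalid> 1631015200 +0200

Example release tag
-----BEGIN PGP SIGNATURE-----
PLACEHOLDER
-----END PGP SIGNATURE-----
EOF
}
sample_unsigned_commit() { cat <<'EOF'
tree 0000000000000000000000000000000000000002
author Example Dev <dev@example.invalid> 1631015000 +0200
committer Example Dev <dev@example.invalid> 1631015000 +0200

Prepare release (quoting a signature block in the message signs nothing)
-----BEGIN PGP SIGNATURE-----
EOF
}
sample_signed_commit() { cat <<'EOF'
tree 0000000000000000000000000000000000000003
author Example Dev <dev@example.invalid> 1631015000 +0200
committer Example Dev <dev@example.invalid> 1631015000 +0200
gpgsig -----BEGIN PGP SIGNATURE-----
 PLACEHOLDER
 -----END PGP SIGNATURE-----

Signed commit
EOF
}
# The case from the thread: a signed tag object pointing at an unsigned commit.
printf 'tag: %s, commit: %s\n' "$(sample_signed_tag | sig_location)" "$(sample_unsigned_commit | sig_location)"
```

Against a clone, feed it `git cat-file tag openssl-3.0.0` and `git cat-file commit 'openssl-3.0.0^{commit}'`. The cryptographic check of the tag itself is done by `git verify-tag openssl-3.0.0` (or `git tag -v`).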