emacs-devel

Re: Signing git tags for releases


From: Eli Zaretskii
Subject: Re: Signing git tags for releases
Date: Sun, 26 Dec 2021 20:45:37 +0200

> From: Stefan Kangas <stefan@marxist.se>
> Date: Sun, 26 Dec 2021 08:56:18 -0800
> Cc: larsi@gnus.org, emacs-devel@gnu.org
> 
> I hope the attached patch will clear up any remaining doubts.  Thanks.

Some comments below.

> +Recent tags are signed for additional security.  To verify a
> +signature, type "git tag -v TAGNAME".  You will first need to fetch
> +the public key used to sign the tag, using something like:
> +
> +  gpg --keyserver pgp.mit.edu --recv-keys \
> +    CEA1DE21AB108493CC9C65742E82323B8F4353EE
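
Review bot: the fetch instruction hands the reader a fingerprint without
saying how to confirm it is the maintainers' key, and a single keyserver
(pgp.mit.edu) is a weak sole source for that; name at least one other
place the fingerprint is published, and say which tags "Recent tags"
covers (from which version on), so the reader knows which tags "git tag
-v" is expected to verify.  Also worth one sentence that "git tag -v"
exits non-zero on a bad or unknown signature, so the check can be
scripted rather than read off the screen.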

This should explain where that long hex string came from, and how it is
related to some particular signed tag.

> -     cd EMACS_ROOT_DIR && git tag -a TAG -m "Emacs TAG"
> +     cd EMACS_ROOT_DIR && git tag -s TAG -m "Emacs TAG"
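
Review bot: with -a replaced by -s, this command fails outright on a
machine with no GnuPG or no usable secret key, and the text gives no
prerequisite step; add "git config user.signingkey KEYID" (or "-u KEYID"
on the command itself) before this line, and say that GnuPG may prompt
for the key's passphrase at this point so a first-time tagger is not
surprised by the prompt.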

Won't Git then ask for some input?  IOW, does this describe the
interaction completely enough for the person who does this the first
time to know what to do?  And what about the preparations, like making
sure one has GnuPG, having a key available, etc.?  The first time I
needed to upload an Emacs tarball (which also needs to be signed), I
needed to read quite a lot on how to use GnuPG, how to generate a key,
how to use it, etc.

And finally, is signing the tags a requirement?  Is it possible to
commit an unsigned tag for pretest or release?

> +     git tag -s emacs-28.0.90  -m "Emacs 28.0.90 pretest"
> +     git tag -s emacs-28.1-rc1 -m "Emacs 28.1 RC1"
> +     git tag -s emacs-28.1     -m "Emacs 28.1 release"
> +
> +    The "-s" option above means to sign the tag using your default GPG
> +    key.
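
Review bot: "your default GPG key" is imprecise: git uses the key named
by user.signingkey if it is set and otherwise asks gpg for a key
matching the tagger's name and e-mail address, which is ambiguous for
anyone holding several keys; state it as "the key set by git config
user.signingkey" and show "git tag -u KEYID -m ... TAG" as the way to
pick a specific key.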

What if the person has more than one key?

>            Make sure this uses the same GPG key that you use to sign
> +    the release (see below).
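
Review bot: the requirement to use the same key for the tag and the
tarball comes with no way to check it; suggest adding that "git tag -v
TAG" and "gpg --verify TARBALL.sig" both print the fingerprint of the
key that made the signature, so the two can be compared, or naming the
key ID explicitly with -u on both commands.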

This might not be possible if the person who tags the release/pretest
doesn't have an uploader key.  Also, the pointer to "below" may not be
accurate enough, because "sign the release" as a phrase doesn't appear
anywhere, and references to "key" are numerous enough to confuse.  This
must be explained in the clearest terms, because people who are not
used to signing stuff will be nervous and stressed when required to do
this.



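The questions raised in this thread (where the fingerprint comes from,
what happens when the tagger holds several keys, what a first-time user
has to do to verify) can be walked through end to end.  The script below
is an added example, not part of Stefan's patch or of Emacs's own release
scripts: it creates a throwaway GnuPG key and repository, signs a tag with
an explicitly chosen key, shows that the fingerprint reported by the
verification is the signer's key fingerprint, and then verifies as a user
who first lacks and then imports the public key.  The tag name
example-1.0, the identity tagger@example.invalid and the script name
sign_tag_example.sh are made up for the example.

```shell
#!/bin/sh
# Added example (not code from the patch under review or from Emacs): sign a
# git tag with an explicitly chosen GnuPG key, then verify it the way a user
# on another machine would.  Everything happens in throwaway directories with
# a throwaway key, so nothing touches ~/.gnupg or any real repository.
# Requires gpg (2.1 or later) and git.

sign_and_verify_tag() (
    work=$(mktemp -d) || exit 1
    trap 'cd /; gpgconf --kill gpg-agent 2>/dev/null || :; rm -rf "$work"' EXIT

    # 1. Preparation the release manager must have done once: a signing key.
    #    An ephemeral Ed25519 key stands in for a real one here.
    export GNUPGHOME="$work/tagger-gnupg"
    mkdir -m 700 "$GNUPGHOME" || exit 1
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Tagger <tagger@example.invalid>' \
        ed25519 sign 1d 2>/dev/null || exit 1
    # The "long hex string" users are told to fetch is just this key's
    # fingerprint (field 10 of the fpr record in --with-colons output).
    fpr=$(gpg --batch --with-colons --list-secret-keys 2>/dev/null |
          awk -F: '/^fpr/ { print $10; exit }')
    [ -n "$fpr" ] || exit 1

    # 2. A minimal repository with one commit to tag.
    git init -q "$work/repo" && cd "$work/repo" || exit 1
    export GIT_AUTHOR_NAME=Tagger GIT_AUTHOR_EMAIL=tagger@example.invalid
    export GIT_COMMITTER_NAME=Tagger GIT_COMMITTER_EMAIL=tagger@example.invalid
    git commit -q --allow-empty -m 'Initial commit' || exit 1

    # 3. Sign the tag.  "-u FPR" names the key explicitly, which is what a
    #    tagger holding several keys needs; plain "git tag -s" would use
    #    user.signingkey or, failing that, whatever key matches the tagger
    #    identity above.  With a passphrase-protected key gpg prompts here.
    git tag -u "$fpr" -m 'Example 1.0 release' example-1.0 || exit 1

    # 4. Verification names the signing key: the raw gpg status line
    #    "VALIDSIG <fingerprint>" carries the same fingerprint as above.
    git verify-tag --raw example-1.0 2>&1 | grep -q "VALIDSIG $fpr" || exit 1

    # 5. Now act as a downstream user with an empty keyring: verification
    #    must fail until the signer's public key is imported (here from a
    #    local export; the patch uses a keyserver for the same step).
    gpg --batch --armor --export "$fpr" > "$work/tagger.asc" 2>/dev/null || exit 1
    gpgconf --kill gpg-agent 2>/dev/null || :
    export GNUPGHOME="$work/user-gnupg"
    mkdir -m 700 "$GNUPGHOME" || exit 1
    if git tag -v example-1.0 >/dev/null 2>&1; then
        echo 'unexpected: tag verified without the public key' >&2
        exit 1
    fi
    gpg --batch --quiet --import "$work/tagger.asc" 2>/dev/null || exit 1
    git tag -v example-1.0 >/dev/null 2>&1 || exit 1

    echo ok
)

# Run the walk-through when executed directly under the (made-up) script name.
case "${0##*/}" in
    sign_tag_example.sh) sign_and_verify_tag ;;
esac
```

Run it as "sh sign_tag_example.sh", or source the file and call
sign_and_verify_tag; it prints "ok" only if the signed tag verified for
the tagger, failed for a user without the public key, and verified again
once the key was imported.  The function body is a subshell so the
GNUPGHOME and directory changes never leak into the caller's shell.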