On Tue, Aug 24, 2021 at 04:21:50PM -0700, Sean Whitton wrote:
> On Wed 18 Aug 2021 at 10:10AM +02, Simon Josefsson wrote:
> > Signing tarballs is the current
> > established best practice -- moving to VCS builds needs a set of new
> > schemes to be established and deployed, and I don't see any single
> > universal solution today.
>
> From my point of view, signing git tags is no less well established a
> best practice than signing tarballs -- in fact, to me, it seems *more*
> well established.
Maybe for upstreams the tooling is certainly easier for signed tags that are distributed with the git repo, rather than tarball signatures that have to be attached to a releases page after the fact. However, the Debian tooling last I checked correctly passed on the upstream tarball signature intact to be available to the end-user (included in .dsc). uscan verifies signed tags only locally before throwing away the metadata - see also 3.0 (git) source format and tag2upload. It doesn't have to be a full-history clone, only IIRC the tag and its sole commit object from `git cat-file -p` to recreate them.
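As an added example (not part of this thread or of any Debian tool), the split that `git verify-tag` performs internally, written in Python: it shows that the signed payload, the detached signature and the tag object ID are all recoverable from the single tag object that `git cat-file -p` prints, with no history needed. The tag text and its signature block are constructed samples (the signature is a placeholder, not a real PGP signature); the object ID is computed the way git does, from the `tag <size>\0` header plus the content.

```python
import hashlib

# Constructed sample of what `git cat-file -p v1.0` prints for a signed tag.
# The signature block is a placeholder, not a real PGP signature.
SAMPLE_TAG = (
    "object 1234567890abcdef1234567890abcdef12345678\n"
    "type commit\n"
    "tag v1.0\n"
    "tagger Example Maintainer <maint@example.org> 1629500000 +0200\n"
    "\n"
    "Release v1.0\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "iQEzBAABCAAdFiEEplaceholderplaceholderplaceholder\n"
    "-----END PGP SIGNATURE-----\n"
)

SIG_START = "-----BEGIN PGP SIGNATURE-----\n"


def split_signed_tag(content):
    """Split a tag object into (payload, signature). The signature is a
    detached signature over everything before the BEGIN line, which is
    exactly what git hands to gpg --verify; no other object is needed."""
    idx = content.find(SIG_START)
    if idx < 0:
        return content, None
    return content[:idx], content[idx:]


def parse_tag_headers(payload):
    """Return the header fields (object, type, tag, tagger) and the message."""
    head, _, message = payload.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        key, _, value = line.partition(" ")
        headers[key] = value
    return headers, message


def tag_object_id(content):
    """Object ID as git computes it: sha1("tag <size>\\0" + content)."""
    raw = content.encode()
    return hashlib.sha1(b"tag %d\0" % len(raw) + raw).hexdigest()


def inspect_tag(content):
    """Everything a verifier needs, derived from the tag object alone."""
    payload, signature = split_signed_tag(content)
    headers, message = parse_tag_headers(payload)
    return {"oid": tag_object_id(content), "commit": headers.get("object"),
            "tag": headers.get("tag"), "message": message,
            "signed": signature is not None,
            "payload": payload, "signature": signature}
```

Note that the commit the tag points to is referenced only by its ID in the `object` line, which is why a verifier needs just that one commit object (to confirm the ID resolves) rather than the full history.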