From: Stefan Kangas <stefan@marxist.se>
To: emacs-devel@gnu.org
Subject: Signing git tags for releases
Date: Thu, 2 Dec 2021 16:06:33 -0800 [thread overview]
Message-ID: <CADwFkmkdmphfjLVL88YZSw1LdxdQvdGk8Y2HT0KTLT-qgPd-xw@mail.gmail.com> (raw)
I would like to suggest that we start signing git tags in our
repository. This would give greater confidence that a particular commit
is in fact the one corresponding to a particular release (e.g. the one
with some security fix and not an older one).

It is not strictly necessary in the sense that we are okay as-is, but I
think it's good form and a generally accepted best practice. For
context, see also the previous discussion in Bug#24461.

AFAIK, this will not require any action on behalf of anyone except the
person making our releases, unless they specifically want to verify some
signed git tag with "git tag -v TAG". In that case, they will obviously
first need to fetch the corresponding public key.

Unless I am overlooking something, the necessary documentation changes
will be in make-tarball.txt only. See the attached diff.

If there are no objections to this plan, I hope to start doing this
from Emacs 28.0.91 (the second pretest release) and onward.
[-- Attachment #2: sign.diff --]
[-- Type: text/x-diff, Size: 1600 bytes --]
diff --git a/admin/make-tarball.txt b/admin/make-tarball.txt
index 872cb00ca2..c56c887e19 100644
--- a/admin/make-tarball.txt
+++ b/admin/make-tarball.txt
@@ -187,7 +187,7 @@ General steps (for each step, check for possible errors):
8. You can now tag the release/pretest and push it together with the
last commit:
- cd EMACS_ROOT_DIR && git tag -a TAG -m "Emacs TAG"
+ cd EMACS_ROOT_DIR && git tag -a -s TAG -m "Emacs TAG"
git push
git push --tags
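Review bot: `-s` already produces an annotated tag (git-tag(1) documents `-s`/`--sign` as creating a GPG-signed tag, which implies `-a`), so `git tag -a -s TAG -m "Emacs TAG"` is redundant but harmless. The more useful change to this step is a verification line between tagging and pushing, e.g. `git tag -v TAG` after the `git tag -a -s ...` line, so the release manager confirms the tag was signed with the intended key before `git push --tags` publishes it; note also that `git push --tags` pushes every local tag, so `git push origin TAG` would publish only the release tag just created.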
@@ -199,16 +199,20 @@ General steps (for each step, check for possible errors):
use the SHA1 of the last commit which went into the release
tarball, in case there were some intervening commits since then:
- git tag -a TAG -m "Emacs TAG" SHA1
+ git tag -a -s TAG -m "Emacs TAG" SHA1
git push --tags
In the past, we were not always consistent with the annotation
(i.e. -m "Emacs TAG"). The preferred format is like this for a
pretest, release candidate and final release:
- git tag -a emacs-28.0.90 -m "Emacs 28.0.90 pretest"
- git tag -a emacs-28.1-rc1 -m "Emacs 28.1 RC1"
- git tag -a emacs-28.1 -m "Emacs 28.1 release"
+ git tag -a -s emacs-28.0.90 -m "Emacs 28.0.90 pretest"
+ git tag -a -s emacs-28.1-rc1 -m "Emacs 28.1 RC1"
+ git tag -a -s emacs-28.1 -m "Emacs 28.1 release"
+
+ The "-s" option above means to sign the tag using your default GPG
+ key. Make sure this uses the same GPG key that you use to sign
+ the release (see below).
9. Decide what compression schemes to offer.
For a release, at least gz and xz:
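Review bot: the added paragraph ("The "-s" option above means to sign the tag using your default GPG key. Make sure this uses the same GPG key ...") asks the release manager to check the key by hand but does not say how to choose or confirm it. Suggest naming the key explicitly instead of relying on the default, either with `git tag -s -u KEYID ...` (git's `--local-user`) or by setting the `user.signingKey` git config, and adding one sentence on confirming it, e.g. `git tag -v TAG` prints gpg's verification output, which identifies the key that produced the signature. As written, a developer whose default key differs from the tarball-signing key will produce a valid but mismatched signature and nothing in the procedure catches it.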
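The message notes that anyone who wants to check a signed tag runs "git tag -v TAG" after fetching the public key. A point worth making on the verifying side is that `git tag -v` (and `git verify-tag`) reports success for a signature from any key present in the local keyring, so a consumer of releases should additionally pin the signer to the expected key fingerprint. The following shell functions are an added example, not code from the message or from the Emacs project's make-tarball.txt: they parse gpg's machine-readable status lines, which `git verify-tag --raw` forwards on stderr, and accept a tag only when gpg reports GOODSIG and the primary-key fingerprint on the VALIDSIG line matches the one the caller pins. The fingerprint values and the `/path/to/emacs` repository path are placeholders; the function names `signer_primary_fpr`, `check_signer` and `verify_release_tag` are this example's own, and it assumes git and gpg are installed.

```shell
# Added example: pin a signed release tag to an expected signing key.
# Not part of the original message or of the Emacs project's scripts.

# Read gpg status lines ("[GNUPG:] ...") on stdin and print the primary
# key fingerprint from the VALIDSIG line. Field 3 of VALIDSIG is the
# fingerprint of the (sub)key that made the signature; modern gpg appends
# the primary key fingerprint as the last field, which is what we pin on.
signer_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# Return 0 only if the status text on stdin shows a GOODSIG from the
# expected primary key fingerprint, 1 otherwise. GOODSIG is required in
# addition to VALIDSIG because gpg still emits VALIDSIG for signatures
# from expired or revoked keys (EXPKEYSIG/REVKEYSIG), which should fail.
check_signer() {
    expected="$1"
    status="$(cat)"
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    actual="$(printf '%s\n' "$status" | signer_primary_fpr)"
    [ -n "$actual" ] || return 1
    [ "$actual" = "$expected" ]
}

# Verify TAG in the git repository REPO and pin the signer. The public
# key must already have been imported into gpg, as the message says.
# Usage (placeholder values):
#   verify_release_tag /path/to/emacs emacs-28.0.91 <40-hex-fingerprint>
verify_release_tag() {
    repo="$1"; tag="$2"; expected="$3"
    # --raw sends gpg's status lines to stderr; a missing or bad
    # signature makes verify-tag exit non-zero before we even parse.
    status="$(git -C "$repo" verify-tag --raw "$tag" 2>&1)" || return 1
    printf '%s\n' "$status" | check_signer "$expected"
}
```

The expected fingerprint is something a downstream packager would record once, out of band, when first fetching the release key; comparing the full primary-key fingerprint rather than the short key ID printed by `git tag -v` avoids accepting a different key that merely shares a key ID.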
Thread overview (10+ messages):
2021-12-03 0:06 Stefan Kangas [this message]
2021-12-03 15:28 ` Signing git tags for releases Teemu Likonen
2021-12-08 21:50 ` Stefan Kangas
2021-12-03 15:48 ` Lars Ingebrigtsen
2021-12-08 22:06 ` Stefan Kangas
2021-12-09 7:37 ` Eli Zaretskii
2021-12-26 16:56 ` Stefan Kangas
2021-12-26 18:45 ` Eli Zaretskii
2021-12-26 21:33 ` Stefan Kangas
2021-12-27 19:05 ` Eli Zaretskii