signed git tags / signed git commits

[adrelanos]

For better security, could you please sign all upcoming git commits and git tags?

It's useful in case github gets hacked again in case SSL CA's get hacked again.

• https://github.com/blog/2144-gpg-signature-verification
• https://help.github.com/articles/signing-commits-with-gpg/
• sign all git commits onionshare/onionshare#221 (comment)
• http://mikegerwitz.com/papers/git-horror-story

[mapmeld]

I'd like to commit to this, and I've used git signing before. Main issues are:

• this project hasn't been updated for a while. I doubt it will get updated in the near future
• unless you've saved my public key, how will you verify my commits? GitHub shows a "verified" type note on some commits, but this could be hacked, as you said

[adrelanos]

Nick Doiron:

- unless you've saved my public key, how will you verify my commits?

Options: - Get it through the OpenPGP web of trust. - Download from various sources at various times if possible. - Use various channels of communications. - Or I suppose many are also doing just TOFU, trust on first use.