Is your feature request related to a problem? Please describe.
It seems that currently annotated and/or signed tags are not supported. Even if setting e.g. `git config --local tag.gpgSign true`, this default to always sign tags is ignored when running `cog bump --auto`.
The resulting tag is a non-annotated (and therefore also unsigned) tag, which cannot be verified and does not carry creator information.
To help mitigate and/or investigate supply chain attacks, this information is very useful though :)
As a downstream packager of various software projects I rely on the verification of signed tags wherever this is feasible (i.e. where git is used to fetch the sources of the project to be built).
Describe the solution you'd like
Cocogitto should respect the git config for the current repository when it comes to tagging.
Additionally, it would be useful to expose whether signed tags are wanted specifically in `cog.toml` to ensure that the tags are always signed if that is wanted.
If annotated or signed tags are wanted, the changelog message could be used for their message (alternatively simply the version). The OpenPGP key used for the signed commits would also be used for the signed tags (in case signing is wanted).
Describe alternatives you've considered
Not verifying the tag is a possibility, if the commit it points at is always signed by the developer of the project. However, changing unsigned tags is easier than changing signed ones (if I were a malicious entity).
Additional context
n/a
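Added example, not cocogitto's own code and not the reporter's: a shell sketch of the tagging behaviour requested above and of the downstream check that motivates it. `should_sign_tags` reads `tag.gpgSign` from the repository's git config, with an optional second argument standing in for the proposed (hypothetical, not existing) `cog.toml` setting; `create_release_tag` then passes `-s` or `-a` explicitly, which is what a tool that builds tag objects through a library has to do itself, whereas the git command line applies `tag.gpgSign` on its own. The remaining functions are what a packager can check on the result: object type, recorded tagger, presence of a signature block, and `git verify-tag`. `make_demo_repo` creates a constructed throwaway repository so the functions can be exercised offline; actual signing is not exercised here because it needs a key in the local keyring.

```bash
#!/usr/bin/env bash
# Added example (not cocogitto code): honour tag.gpgSign when creating a
# release tag, and verify the resulting tag object like a downstream packager.
set -eu

# should_sign_tags REPO [CONFIG_WANTS_SIGNED]
# Prints "true" when the tag must be signed: either the hypothetical cog.toml
# setting passed as $2 says so, or the repository's tag.gpgSign is true.
should_sign_tags() {
  repo="$1"; cfg_override="${2:-}"
  if [ "$cfg_override" = true ]; then
    echo true
    return
  fi
  # --bool normalises yes/on/1 to "true"; missing key -> default false
  git -C "$repo" config --bool --get tag.gpgSign 2>/dev/null || echo false
}

# create_release_tag REPO VERSION MESSAGE [CONFIG_WANTS_SIGNED]
# MESSAGE is what the request suggests: the changelog (or simply the version).
create_release_tag() {
  repo="$1"; version="$2"; message="$3"; want="${4:-}"
  if [ "$(should_sign_tags "$repo" "$want")" = true ]; then
    # -s implies -a and signs with user.signingKey, i.e. the same key used
    # for signed commits in this repository.
    git -C "$repo" tag -s "$version" -m "$message"
  else
    # Annotated but unsigned: still carries tagger and date, unlike a
    # lightweight tag, which is just a ref pointing at a commit.
    git -C "$repo" tag -a "$version" -m "$message"
  fi
}

# tag_object_type REPO NAME: "tag" for annotated/signed, "commit" for lightweight
tag_object_type() {
  git -C "$1" cat-file -t "refs/tags/$2"
}

# tag_tagger REPO NAME: creator recorded in the tag object (empty for lightweight)
tag_tagger() {
  git -C "$1" for-each-ref --format='%(taggername)' "refs/tags/$2"
}

# tag_is_signed REPO NAME: succeeds when the tag object embeds a PGP signature
tag_is_signed() {
  body=$(git -C "$1" cat-file -p "refs/tags/$2")
  case "$body" in
    *"-----BEGIN PGP SIGNATURE-----"*) return 0 ;;
    *) return 1 ;;
  esac
}

# verify_release_tag REPO NAME: refuse lightweight tags outright (nothing to
# verify and no creator), then let git check the signature against the keyring.
verify_release_tag() {
  repo="$1"; name="$2"
  if [ "$(tag_object_type "$repo" "$name")" != tag ]; then
    echo "refusing $name: lightweight tag, no tagger and no signature to verify" >&2
    return 1
  fi
  git -C "$repo" verify-tag "$name"
}

# make_demo_repo DIR: constructed throwaway repository for exercising the above.
make_demo_repo() {
  dir="$1"
  git -c init.defaultBranch=main init -q "$dir"
  git -C "$dir" config user.name demo
  git -C "$dir" config user.email demo@example.com
  git -C "$dir" commit -q --allow-empty -m "chore: initial commit"
}
```

Usage: `create_release_tag /path/to/repo v1.2.0 "$(cat CHANGELOG.md)"` creates the tag according to the repository's config, and `verify_release_tag /path/to/repo v1.2.0` is the packager-side check; with `tag.gpgSign` set to true (or a true fourth argument) the first call invokes gpg and fails loudly if no signing key is configured, which is the behaviour the request wants rather than silently falling back to a lightweight tag.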
This tool looks almost awesome and would be a drop-in replacement for everything I do in a Bash glue script I wrote, except for this missing feature (signing annotated tags) and signing commits (#226). Sadly, no time to learn Rust and help submit PRs currently, sorry, but I am hoping to see these features be part of it in the future, in what otherwise looks like a super useful tool enabling all the things one otherwise has to glue together.