[FEATURE] Support annotated and signed tags #269

Open
dvzrv opened this issue Mar 14, 2023 · 2 comments
Labels
enhancement New feature or request

Comments

@dvzrv commented Mar 14, 2023

Is your feature request related to a problem? Please describe.
It seems that currently annotated and/or signed tags are not supported. Even if setting e.g. git config --local tag.gpgSign true, this default to always sign tags is ignored when running cog bump --auto.
The resulting tag is a non-annotated (and therefore also unsigned) tag, which cannot be verified and does not carry creator information.

To help mitigate and/or investigate supply chain attacks, this information is very useful though :)
As a downstream packager of various software projects I rely on the verification of signed tags wherever this is feasible (i.e. where git is used to fetch the sources of the project to be built).

Describe the solution you'd like
Cocogitto should respect the git config for the current repository when it comes to tagging.
Additionally, it would be useful to expose whether signed tags are wanted specifically in cog.toml to ensure that the tags are always signed if that is wanted.

If annotated or signed tags are wanted, the changelog message could be used for their message (alternatively simply the version). The OpenPGP key used for the signed commits would also be used for the signed tags (in case signing is wanted).

Describe alternatives you've considered
Not verifying the tag is a possibility, if the commit it points at is always signed by the developer of the project. However, changing unsigned tags is easier than changing signed ones (if I were a malicious entity).

Additional context
n/a

@dvzrv dvzrv added the enhancement New feature or request label Mar 14, 2023
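The distinction the report rests on (a lightweight tag is only a ref to a commit and carries no tagger or signature, while an annotated tag is a separate object that can additionally hold an armored signature) can be checked directly on the tag objects. The following is an added example, not code from the issue or from the Cocogitto project: it parses the text that `git cat-file -p <tag>` prints for a tag object, reports whether the tag has tagger information and a signature block, and evaluates it against a "signed tags wanted" policy. The object id and signature body in the samples are constructed placeholders, and `classify_ref`, `parse_tag_object` and `policy_findings` are names chosen here.

```python
"""Tell lightweight, annotated and signed git tags apart from their raw objects.

Added example (not part of Cocogitto). It parses the output of
`git cat-file -p <tag>` for a tag object; object ids and the signature
body in the samples below are constructed placeholders, not real data.
"""
from dataclasses import dataclass
from typing import List, Optional

# Markers git appends to a tag message when signing with OpenPGP or SSH keys.
SIGNATURE_BEGIN = ("-----BEGIN PGP SIGNATURE-----", "-----BEGIN SSH SIGNATURE-----")


@dataclass
class TagInfo:
    kind: str                 # "lightweight", "annotated" or "signed"
    target: str               # object id the tag resolves to
    tagger: Optional[str]     # "Name <mail> <epoch> <tz>", None for lightweight tags
    message: str              # annotation text ("" for lightweight tags)
    signature: Optional[str]  # raw armored signature block, if any


def parse_tag_object(raw: str) -> TagInfo:
    """Parse a tag object: header lines, blank line, message, optional signature.

    Unlike commits (which store the signature in a gpgsig header), a signed tag
    keeps the armored signature appended to its message, so it is split off here.
    """
    header, _, body = raw.partition("\n\n")
    fields = {}
    for line in header.splitlines():
        key, _, value = line.partition(" ")
        fields[key] = value
    for key in ("object", "type", "tag"):
        if key not in fields:
            raise ValueError(f"not a tag object: missing '{key}' header")

    signature = None
    message = body
    for marker in SIGNATURE_BEGIN:
        idx = body.find(marker)
        if idx != -1:
            message, signature = body[:idx], body[idx:].rstrip("\n")
            break
    kind = "signed" if signature else "annotated"
    return TagInfo(kind, fields["object"], fields.get("tagger"), message.rstrip("\n"), signature)


def classify_ref(object_type: str, object_id: str, raw: Optional[str]) -> TagInfo:
    """Classify a tag ref from `git cat-file -t <ref>` plus, for tag objects, `git cat-file -p <ref>`.

    A lightweight tag is just a ref to a commit: there is no tag object, hence no
    tagger and nothing for `git tag -v` to verify.
    """
    if object_type == "tag":
        if raw is None:
            raise ValueError("tag object content required for annotated tags")
        return parse_tag_object(raw)
    return TagInfo("lightweight", object_id, None, "", None)


def policy_findings(info: TagInfo, require_signed: bool) -> List[str]:
    """Return human-readable findings for a tag against a 'signed tags wanted' policy."""
    findings = []
    if info.kind == "lightweight":
        findings.append("lightweight tag: no tagger information and nothing to verify")
    elif info.tagger is None:
        findings.append("annotated tag without tagger header")
    if require_signed and info.kind != "signed":
        findings.append("tag is not signed; `git tag -v` cannot attest who created it")
    return findings


# Constructed sample objects (object id and signature body are placeholders).
COMMIT_ID = "0" * 40
ANNOTATED_TAG = (
    f"object {COMMIT_ID}\n"
    "type commit\n"
    "tag v1.2.3\n"
    "tagger Example Dev <dev@example.org> 1678800000 +0100\n"
    "\n"
    "Release 1.2.3\n"
)
SIGNED_TAG = ANNOTATED_TAG + (
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "PLACEHOLDERSIGNATUREDATA\n"
    "=PLCH\n"
    "-----END PGP SIGNATURE-----\n"
)

if __name__ == "__main__":
    for label, obj_type, raw in (("lightweight", "commit", None),
                                 ("annotated", "tag", ANNOTATED_TAG),
                                 ("signed", "tag", SIGNED_TAG)):
        info = classify_ref(obj_type, COMMIT_ID, raw)
        print(label, "->", info.kind, info.tagger, policy_findings(info, require_signed=True))
```

Detecting the signature block only tells you that a signature is present; whether it is valid and made by a trusted key is what `git tag -v <tag>` (or `git verify-tag`) checks against your keyring, which is the step a downstream packager would run before building from the tag.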
@janderssonse commented Mar 17, 2023

This tool looks almost awesome and would be a drop-in replacement for everything I do in a Bash glue script I wrote, except for this missing feature (signing annotated tags) and signing commits (#226). Sadly, no time to learn Rust and help submit PRs currently, sorry, but hoping to see these features be part of it in the future, in what otherwise looks like a super useful tool enabling all the things one otherwise has to glue together.

@oknozor (Collaborator) commented Jun 23, 2023

Annotated tags are now supported via the --annotated flag.
Now we need the following:

  • git sign for annotated tags
  • a setting to enable annotated tags by default with a default annotation message
