
Signing of git objects #417

Open
dvzrv opened this issue Jun 8, 2024 · 3 comments
Comments

@dvzrv

dvzrv commented Jun 8, 2024

Hi! 👋

I package pcre2 for Arch Linux.
We are currently attempting to make an effort to switch to "more transparent sources" for our packages. More specifically, this means that we would like to circumvent relying on custom source tarballs.

In the case of pcre2 we are currently relying on custom source tarballs, because we can verify them using an OpenPGP signature.
In the past this was more relevant where source tarballs were e.g. downloaded from a separate webserver.

However, for packaging purposes we are able to rely on git sources directly as well and for transparency reasons we would actually prefer that over custom source tarballs.
The only thing missing for this to happen is signed tags (currently all tags are plain tags - not created with -s/--sign).

If it would be possible to create signed tags going forward (using the same OpenPGP key that is also used for signing the source tarballs currently), that would be much appreciated! 🙏

@PhilipHazel
Collaborator

I have been a happy user of Arch Linux for many years.
I understand what you are asking, though I was unaware of the existence/possibility of signed tags. I have been creating tags on GitHub, but I see that I could do the creation and signing locally. Doesn't look as if I can sign an existing tag, however. BUT THERE IS AN ISSUE: 10.44 may turn out to be the last release that I put out because the PCRE2 project needs a new lead maintainer. Problem is, I'm getting old. I am shortly going to put a post on the Google groups PCRE2 discussion list asking for suggestions as to how to proceed. So the signer of future tarballs and tags may well change.

@dvzrv
Author

dvzrv commented Jun 9, 2024

> I have been a happy user of Arch Linux for many years.

I'm happy to hear! 🙇

> Doesn't look as if I can sign an existing tag, however.

That is fine (the signing is part of the creation). As such, it is preferred to not re-create existing tags, as that usually breaks reproducibility downstream.

> 10.44 may turn out to be the last release that I put out because the PCRE2 project needs a new lead maintainer. Problem is, I'm getting old. I am shortly going to put a post on the Google groups PCRE2 discussion list asking for suggestions as to how to proceed. So the signer of future tarballs and tags may well change.

I see! That's understandable. I hope a trustworthy and capable person can be found!

If I may suggest one thing for this scenario then: Please make sure to establish cryptographic trust between yourself and whoever will craft releases after you. This can be done by e.g. adding a third-party certification for that person's OpenPGP certificate (aka. "signing a key") and publishing the updated OpenPGP certificate on relevant keyservers, or by adding the OpenPGP fingerprint of that person's OpenPGP certificate to a file in this repository (e.g. README, MAINTAINERS or similar) in a signed commit.
If you need help with any of it, feel free to reach out!
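The two requests in this thread, signed tags (`git tag -s`) and a cryptographic hand-over to a successor (certifying the successor's key, plus recording the successor's fingerprint in a signed commit), can be exercised end to end in a throwaway setup. The script below is an added example; it is not code from the pcre2 project or from either participant. It assumes `git` and GnuPG 2.1 or newer on `PATH`, and every name, e-mail address, tag name and the `MAINTAINERS` layout are placeholders invented for the demo. It plays three roles with three separate keyrings: the current maintainer, the successor, and a downstream packager whose keyring trusts only the current maintainer's key, and it shows that the successor's tag is accepted downstream only once the certified copy of the successor's key is available.

```shell
#!/bin/sh
# Added example, not code from the pcre2 project or from anyone in this thread.
# Assumes git and GnuPG 2.1+ on PATH. Names, e-mail addresses, tag names and
# the MAINTAINERS layout are placeholders invented for the demo.
set -eu
command -v gpg >/dev/null 2>&1 && command -v git >/dev/null 2>&1 \
  || { echo "demo needs git and gpg on PATH" >&2; exit 0; }

WORK=$(mktemp -d); REPO=$WORK/repo
trap 'for h in "$WORK"/gpg-*; do GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true; done; rm -rf "$WORK"' EXIT

# new_key HOME UID: create an unprotected ed25519 signing key, print its fingerprint
new_key() {
  mkdir -p -m 700 "$1"
  GNUPGHOME=$1 gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$2" ed25519 sign never 2>/dev/null
  GNUPGHOME=$1 gpg --batch --with-colons --list-keys "$2" | awk -F: '/^fpr:/ { print $10; exit }'
}
# pubkey HOME FPR: armored public certificate, as it would be published
pubkey() { GNUPGHOME=$1 gpg --batch --armor --export "$2"; }
# git_as HOME FPR EMAIL git-args...: run git with that person's identity and signing key
git_as() {
  h=$1; k=$2; e=$3; shift 3
  GNUPGHOME=$h git -C "$REPO" -c user.name="$e" -c user.email="$e" -c user.signingkey="$k" "$@"
}
# tag_is_trusted HOME TAG: success only if the signature is good AND the signing key
# is fully/ultimately valid in that keyring. Reads gpg's raw status lines (what git
# itself parses) instead of the human-readable summary, so a good signature from an
# unknown or uncertified key is rejected.
tag_is_trusted() {
  GNUPGHOME=$1 git -C "$REPO" verify-tag --raw "$2" 2>&1 \
    | grep -Eq '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)'
}
# successor_listed HOME FPR: MAINTAINERS at HEAD names the fingerprint and the commit
# that introduced it carries a good signature verifiable from that keyring
successor_listed() {
  git -C "$REPO" show HEAD:MAINTAINERS | grep -q "$2" \
    && GNUPGHOME=$1 git -C "$REPO" verify-commit --raw HEAD 2>&1 | grep -q '^\[GNUPG:\] GOODSIG'
}
yes_no() { "$@" >/dev/null 2>&1 && echo yes || echo no; }

HOME_A=$WORK/gpg-maintainer; HOME_B=$WORK/gpg-successor; HOME_D=$WORK/gpg-downstream
FPR_A=$(new_key "$HOME_A" "Current Maintainer <maintainer@example.org>")
FPR_B=$(new_key "$HOME_B" "Next Maintainer <next@example.org>")

# 1. The current maintainer records the successor's fingerprint in a signed commit
#    and cuts the release with `git tag -s` instead of a plain tag.
git init -q "$REPO"
printf '%s  Current Maintainer\n%s  Next Maintainer\n' "$FPR_A" "$FPR_B" > "$REPO/MAINTAINERS"
git_as "$HOME_A" "$FPR_A" maintainer@example.org add MAINTAINERS
git_as "$HOME_A" "$FPR_A" maintainer@example.org commit -q -S -m "Document release signing keys"
git_as "$HOME_A" "$FPR_A" maintainer@example.org tag -s v10.44 -m "PCRE2 10.44"

# 2. The current maintainer certifies the successor's key ("signs the key") and
#    publishes the certified copy; a file stands in for a keyserver here.
pubkey "$HOME_B" "$FPR_B" | GNUPGHOME=$HOME_A gpg --batch --quiet --import
GNUPGHOME=$HOME_A gpg --batch --yes --quiet --quick-sign-key "$FPR_B"
pubkey "$HOME_A" "$FPR_B" > "$WORK/successor-certified.asc"

# 3. The successor signs the next release tag with their own key.
git_as "$HOME_B" "$FPR_B" next@example.org tag -s v10.45 -m "PCRE2 10.45"

# 4. A downstream packager trusts exactly one key: the current maintainer's.
mkdir -p -m 700 "$HOME_D"
pubkey "$HOME_A" "$FPR_A" | GNUPGHOME=$HOME_D gpg --batch --quiet --import
echo "$FPR_A:6:" | GNUPGHOME=$HOME_D gpg --batch --quiet --import-ownertrust
GNUPGHOME=$HOME_D gpg --batch --quiet --check-trustdb
OLD_TAG_OK=$(yes_no tag_is_trusted "$HOME_D" v10.44)            # yes
NEW_TAG_NO_KEY=$(yes_no tag_is_trusted "$HOME_D" v10.45)        # no: key unknown

# Importing the successor's bare key yields a good signature but TRUST_UNDEFINED:
# nothing links that key to the trust anchor, so the packager must still refuse it.
pubkey "$HOME_B" "$FPR_B" | GNUPGHOME=$HOME_D gpg --batch --quiet --import
GNUPGHOME=$HOME_D gpg --batch --quiet --check-trustdb
NEW_TAG_UNCERTIFIED=$(yes_no tag_is_trusted "$HOME_D" v10.45)   # no

# The copy certified by the current maintainer closes the chain: TRUST_FULLY.
GNUPGHOME=$HOME_D gpg --batch --quiet --import "$WORK/successor-certified.asc"
GNUPGHOME=$HOME_D gpg --batch --quiet --check-trustdb
NEW_TAG_CERTIFIED=$(yes_no tag_is_trusted "$HOME_D" v10.45)     # yes
SUCCESSOR_LISTED=$(yes_no successor_listed "$HOME_D" "$FPR_B")  # yes

printf 'v10.44 by current maintainer: %s\nv10.45, successor key unknown: %s\n' "$OLD_TAG_OK" "$NEW_TAG_NO_KEY"
printf 'v10.45, key imported but uncertified: %s\nv10.45, key certified by current maintainer: %s\n' "$NEW_TAG_UNCERTIFIED" "$NEW_TAG_CERTIFIED"
printf 'successor fingerprint in signed MAINTAINERS commit: %s\n' "$SUCCESSOR_LISTED"
```

The `tag_is_trusted` check is stricter than a plain `git tag -v` or `git verify-tag`, which exit successfully on any good signature and only print a warning when the key is not certified. Git 2.26 and later can enforce the same requirement natively with `gpg.minTrustLevel` (for example `git -c gpg.minTrustLevel=fully verify-tag v10.45`), which is what a packaging script would normally use; parsing the raw status lines is done here only so the result is the same on older Git versions.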

@PhilipHazel
Collaborator

@dvzrv, in a few days' time I'm going to start an email discussion between a number of people who are interested in the long-term future of PCRE2. If you would like to be part of this, please let me have a suitable email address.
