One aspect of signing tags that might be new for participants is the notion of lightweight and annotated tags:
A lightweight tag is very much like a branch that doesn’t change — it’s just a pointer to a specific commit.
Annotated tags, however, are stored as full objects in the Git database. They’re checksummed; contain the tagger name, email, and date; have a tagging message; and can be signed and verified with GNU Privacy Guard (GPG). It’s generally recommended that you create annotated tags so you can have all this information; but if you want a temporary tag or for some reason don’t want to keep the other information, lightweight tags are available too.
This exercise covers the process for signing and verifying tags, including:
- Explicitly signing and verifying tags
- Troubleshooting problems
- Optional Git configurations to sign and verify all tags
- Confirm SSH tag signing is set up correctly:

      git tag -s -m "Tagging v1.0.0 release" v1.0.0

  Possible responses:

  -
        error: cannot run gpg: No such file or directory
        error: gpg failed to sign the data
        error: unable to sign the tag
        The tag message has been left in .git/TAG_EDITMSG

    😥 Do not worry! This error is likely due to missing SSH signing configuration from "Setup workstation".

- Verify that the SSH tag is signed and trusted:

      git verify-tag -v v1.0.0

  Possible responses:

  -
        object 28c46b890121f042e86d7d1c1b58e150b8ac9948
        type commit
        tag v1.0.0
        tagger Andy Feller <andyfeller@github.com> 1662854258 -0400

        Tagging v1.0.0 release
        Good "git" signature for andyfeller@github.com with ED25519 key SHA256:kanlHE9MI77O18EdnFxgEnzc3v1rxJHlW475IbnHdG8

    🥳 Congratulations! The SSH tag verification setup, including the SSH agent, is good.

  -
        error: gpg.ssh.allowedSignersFile needs to be configured and exist for ssh signature verification

    😥 Do not worry! This error is likely due to missing SSH signing configuration from "Setup workstation".

- Configure additional SSH tag signing and verifying for the workshop repository specifically:

      git config tag.gpgsign true

  Note: To globally configure SSH signing and verifying, use the --global flag:

      git config --global tag.gpgsign true

  For more information about these Git configuration options, see tag.gpgSign.

At the end of this exercise, the repository should look like: