I am quite new in git, and I have seen that it is possible to sign the tags with gpg. I understand how public key cryptography works, and I understand how to do sign the tags, but what is the point in doing it?
Share
Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I am quite new in git, and I have seen that it is possible to sign the tags with gpg. I understand how public key cryptography works, and I understand how to do sign the tags, but what is the point in doing it?
The point of signing a tag is that now anyone who has your public key can prove that you have approved that particular commit as being that particular version of the program. If they happen to trust you as being the official source of releases for that package, then they know that they got an official version of that package, not some random version that might have been backdoored by an attacker or corrupted in transit.