Consider signing of tags and commits

[inglor]

Hi @dundee

Since you already have PGP uploaded to github 1 please consider signing your tags (releases) at least, if not all your commits. The benefits for this are detailed here 2

My plan is to package this on Arch Linux repos and it would assist on making sure the tagged source is valid.

[dundee]

Hi @inglor,
all tags should be already signed for some time.

Are you planning to package it for community repo? There are already packages in AUR.

[inglor]

Yes - sorry it might not be clear since I use inglor in github as username.

I'm artafinde in AUR and Arch Linux https://wiki.archlinux.org/title/Trusted_Users#Active_Trusted_Users

As for the commit tag signed see an example from gitea 1

That way Arch Linux tools can verify the commit of the tag directly during build.

Some more info from https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work

[danie-dejager]

I see only the tag is signed

[dundee]

@inglor Ok, I will try to sign all commits from now.

Great! Looking forward to seeing gdu in community.

[dundee]

I was myself considering becoming a trusted user but I don't maintain many packages

[inglor]

@dundee new release with signed commits looks awesome! Package updated and it's ready for repos, just waiting for the keyring to be updated with my key, takes a bit of time.

Thanks for sorting this out this quickly!