This repository has been archived by the owner on Apr 14, 2021. It is now read-only.

Need to be able to push signed tags #4540

Closed
coilysiren opened this issue May 9, 2016 · 8 comments

Comments

@coilysiren
Contributor

From @todb-r7 on June 23, 2015 17:12

Currently, rake release pushes a version tag up to github in an unsigned way. Thus, it gets difficult to say with any certainty who pushed a tag on a project with multiple committers.

I couldn't find anything in the documentation about an environment variable or other option where I can specify a signing key for the version tag. Note, I'm not looking specifically for signing a gem (with a PEM certificate), I'm just looking to sign a tag commit.

All about signing commits: http://mikegerwitz.com/papers/git-horror-story

If I've just missed this in the docs, an RTFM with a pointer would help a ton.

Thanks!

Copied from original issue: rubygems/bundler-features#90

@coilysiren
Contributor Author

From @indirect on June 23, 2015 17:18

Bundler does not support signing commits or releases--if you would like to do so, I suggest overriding the Rake task for releasing.

On Tue, Jun 23, 2015 at 10:13 AM, Tod Beardsley [email protected] wrote:

> Currently, rake release pushes a version tag up to github in an unsigned way. Thus, it gets difficult to say with any certainty who pushed a tag on a project with multiple committers.
>
> I couldn't find anything in the documentation about an environment variable or other option where I can specify a signing key for the version tag. Note, I'm not looking specifically for signing a gem (with a PEM certificate), I'm just looking to sign a tag commit.
>
> All about signing commits: http://mikegerwitz.com/papers/git-horror-story
>
> If I've just missed this in the docs, an RTFM with a pointer would help a ton.
>
> Thanks!


@coilysiren
Contributor Author

From @todb-r7 on June 23, 2015 17:22

> Bundler does not support signing commits or releases--if you would like to do so, I suggest overriding the Rake task for releasing.

Ah good, then this is a proper feature request then, and not merely a noob question.

I'd argue that it's important that Bundler allow people to do the secure thing as a simple config option. Ideally, as a strongly encouraged option.

@coilysiren
Contributor Author

From @indirect on June 23, 2015 18:10

Thanks for the feature request! You're the first person to ever request that Bundler support signing release tags, which is why I suggested that you could overwrite the Rake task to get the functionality you're asking for.

The Bundler gem functionality is deliberately designed to only cover the most common use-cases, and today signing commits is not a common use-case. We'll take this request under consideration for the future, but at present it's unlikely.

@coilysiren
Contributor Author

From @todb-r7 on June 23, 2015 18:25

> signing commits is not a common use-case

I bet if Bundler supported it, it'd become common. :)

@coilysiren
Contributor Author

From @indirect on June 23, 2015 18:29

The Bundler gem functionality has, so far, merely implemented the most common practice for gems, rather than dictating what those practices should be. :)

On Jun 23, 2015, at 11:25 AM, Tod Beardsley [email protected] wrote:

> > signing commits is not a common use-case
>
> I bet if Bundler supported it, it'd become common. :)



@coilysiren
Contributor Author

From @Mange on December 16, 2015 7:57

It should be mentioned that creating a signed tag is the "default" for git, and that it's mostly GitHub that has created the current trend of not signing tags.

Would a pull request be welcome, if I did one?

@coilysiren
Contributor Author

From @rmm5t on April 12, 2016 18:47

It might be worth reconsidering this given that GitHub now supports and is promoting signed tags.

An idea: If the user.signingkey git config variable is present, presume that a signed tag is desired; otherwise, stick with the default behavior of an unsigned tag.
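
The two suggestions in this thread (override the release step yourself, and sign the tag only when `user.signingkey` is set), sketched as an added example; it is not Bundler's code and not the implementation that was later merged. The function names, the `v` tag prefix and the `Version x.y.z` tag message are assumptions.

```ruby
require "open3"

# Value of a git config key, or nil when it is unset or git is not installed.
def git_config(key)
  out, status = Open3.capture2("git", "config", "--get", key)
  value = out.strip
  status.success? && !value.empty? ? value : nil
rescue Errno::ENOENT
  nil
end

# argv for tagging a release (hypothetical helper). With a signing key the tag
# is signed (-s) with that key (-u); without one it is a plain annotated tag,
# which keeps the existing unsigned behaviour as the fallback.
def release_tag_argv(version, signing_key)
  unless version.to_s.match?(/\A\d+(\.[0-9A-Za-z]+)*\z/)
    raise ArgumentError, "unexpected version string: #{version.inspect}"
  end
  key = signing_key.to_s.strip
  sign = key.empty? ? ["-a"] : ["-s", "-u", key]
  ["git", "tag", *sign, "-m", "Version #{version}", "v#{version}"]
end

# argv that checks the signature on the release tag.
def verify_tag_argv(version)
  ["git", "tag", "-v", "v#{version}"]
end

# Create the tag and, when it was signed, verify it before anything is pushed.
# Commands are run as argv arrays, so no value passes through a shell.
# `runner` is injectable so the logic can be exercised without a repository.
def create_release_tag(version, signing_key: git_config("user.signingkey"),
                       runner: method(:system))
  argv = release_tag_argv(version, signing_key)
  runner.call(*argv) or raise "tagging failed: #{argv.join(' ')}"
  if argv.include?("-s")
    runner.call(*verify_tag_argv(version)) or
      raise "signature check failed for v#{version}"
  end
  "v#{version}"
end
```

In a Rakefile, call `create_release_tag` from the task that replaces the stock tagging step, and push the tag only after it returns.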

@colby-swandale
Member

colby-swandale commented Feb 23, 2017

It looks like this feature has been merged
