Sign git commits & releases about webext-signed-pages HOT 10 CLOSED

Releases are already signed (even uploaded my pubkey to github so they are also verified by github).
I don't like signing commits because it's a pain in the pass with rebasing, PRs and etc, so I avoid that, and it doesn't add much value over signing releases in the context of this project.

from webext-signed-pages.

Ah okay, that is only displayed on the "tags" page. Maybe you could add some release notes (i.e. use GitHub's release feature) when creating a new release, later, so one can see that more prominently?

from webext-signed-pages.

It's also displayed when you click on a release.
I'm not sure about the github release feature. Why don't they just get the text from the annotated tag? It seems like extra work for little benefit, as people who care about verifying releases should do so locally.
Happy to be convinced otherwise, it's just that at the moment, my workflow doesn't touch GitHub at all, I do everything from the command line, so I'm just looking for a good reason as to why do it differently.

Also, if I create the release from there it won't be signed, so I'm not sure about the workflow.

from webext-signed-pages.

Yeah, don't ask me about GItHub's stuff… Maybe it's so that you can mark real releases/pre-releases and so on, when you also use tags for something else. I mean you can just copy and paste the text there again.And BTW, I did not even notice the release notes in the tags there on GitHub, as I just don't expand these tags usually…

Also, if I create the release from there it won't be signed, so I'm not sure about the workflow.

You can create a release from an already existent tag, so that's easy. AFAIK it then does even prefill the release with the tag content.

from webext-signed-pages.

I took a look at the UI, it doesn't populate the text when I click "add release notes".
There's also no button to do it form the releases tab or releases themselves (e.g. https://github.com/tasn/webext-signed-pages/releases/tag/v0.4.0) only from the tags page, which makes me very suspicious, thinking they may replace my tag with theirs. If not, it's very redundant, again for little benefit.
Another sensible approach would be to just get github correctly deal with annotated tags. It looks like they are mostly there, I wonder why they don't deal with it properly.

from webext-signed-pages.

The GItHub release page, does not create tags when the tag already exists. (I think the UI makes it clear when you enter it.)

As said, the reason is maybe that some users use tags differently, and you may want to draft releases separately.

from webext-signed-pages.

Even if it edits them, it's enough to break the signature, which is what I'm worried about here.

from webext-signed-pages.

It does not do anything with them. The release things is completely decoupled from the tags. It's only that you, more or less, "attach" a release to a specific tag.

And of course they don't break signatures (they actually want to display them later on so that would be stupid), they do not do anything with git altogether there.

from webext-signed-pages.

OK, I'll take a look, thanks.

from webext-signed-pages.

Did it for the last few releases. Will try to remember doing it for future releases as well.

from webext-signed-pages.