Here's a question from one of my upstream devels. Not sure I understand
exactly what he's asking but I thought I'd post here in the hope that
someone can enlighten him (and me!).

"... Arch supports signed git tags. I'm hoping Fedora does too.
I'm thinking of dropping this cumbersome process (i.e., signing and pushing
the .sig and .tar.gz) for the next release. Simply sign the tag and create
a release out of it. Can you please do a bit of research on your side to
see if that's possible?
Also, for your consideration, git now supports ssh-based signatures
<https://blog.dbrgn.ch/2021/11/16/git-ssh-signatures/>. I won't stop using
PGP because I think distros don't support this very well but just so you
know."

If we _do_ support "signed git tags" how do we code for it in the spec
file? Presently I have this:

Source0: %{url}/releases/download/v%{version}/%{name}-%{version}.tar.gz
Source1: %{url}/releases/download/v%{version}/%{name}-%{version}.tar.gz.sig
Source2: 6A6B35DBE9442683.gpg
...
%prep
%gpgverify -k 2 -s 1 -d 0
%autosetup -p1

Thanks
Bob