Here's a question from one of my upstream devels. Not sure I understand exactly what he's asking but I thought I'd post here in the hope that someone can enlighten him (and me!).

"... Arch supports signed git tags. I'm hoping Fedora does too.

I'm thinking of dropping this cumbersome process (i.e., signing and pushing the .sig and .tar.gz) for the next release. Simply sign the tag and create a release out of it. Can you please do a bit of research on your side to see if that's possible?

Also, for your consideration, git now supports ssh-based signatures. I won't stop using PGP because I think distros don't support this very well but just so you know."

If we _do_ support "signed git tags" how do we code for it in the spec file? Presently I have this:

Source0: %{url}/releases/download/v%{version}/%{name}-%{version}.tar.gz
Source1: %{url}/releases/download/v%{version}/%{name}-%{version}.tar.gz.sig
Source2: 6A6B35DBE9442683.gpg

...

%prep
%gpgverify -k 2 -s 1 -d 0
%autosetup -p1



Thanks



Bob