On 14 May 2016 at 9:57, Tom Kent wrote:
> Ideally we could cryptographically sign the tags going into git as well, but I have even less experience doing/checking that.
You might as well sign every commit just as easily. Historically that introduced a lot of bloat (2Kb-4Kb per commit of signing due to the RSA key size), but in the AFIO v2 GitHub repo I've been experimenting with the very new Ed25519 elliptic curves for signing. These add only dozens of bytes to each commit, and GitHub correctly understands them, as you can see by the purdy green "Verified" tag per commit at: https://github.com/ned14/boost.afio/commits/master

Your big problem is going to be configuring the tooling for git signing on Windows - you need exactly the right combination of recent or beta versions of git, TortoiseGit and Gpg4win. Personally speaking, I'd recommend Boost leave off commit signing for at least another release or two until the tooling required for Ed25519 curves comes out of beta, especially on Windows.

I'd strongly recommend *against* using RSA keys for commit signing. The bloat introduced isn't worth the gain.

The remaining question is whether signing tags is worth it. I personally don't think so; it creates a false sense of security unless all committers are signing their commits. Better to SHA the zip archive as Rene already does.

Niall
--
ned Productions Limited Consulting
http://www.nedproductions.biz/
http://ie.linkedin.com/in/nialldouglas/
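The workflow Niall describes (an Ed25519 key, signing every commit rather than only tags, and checking the whole history rather than trusting one tag) as an added shell example; this is not code from the thread or from the AFIO repo. It assumes GnuPG 2.1+ and git 2.x on PATH; the user id and repository paths are placeholders.

```shell
#!/bin/sh
# Added example (not code from the thread): create an Ed25519 OpenPGP key, make
# git sign every commit with it, and audit a branch so that a signed tag is not
# taken at face value while unsigned commits sit underneath it.
# Assumes GnuPG 2.1+ and git 2.x on PATH; the user id and repo paths are placeholders.
set -eu

# Generate a passphrase-less Ed25519 signing key (demo only) and print its fingerprint.
make_signing_key() {
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$1" ed25519 sign 0 >/dev/null 2>&1
    gpg --list-secret-keys --with-colons "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Point a repository at that key and turn signing on for every commit, not only tags.
configure_signing() {
    git -C "$1" config user.signingkey "$2"
    git -C "$1" config commit.gpgsign true
}

# Bytes occupied by the ASCII-armoured gpgsig header inside a commit object: this is
# the per-commit "bloat" the thread discusses (the raw Ed25519 signature is 64 bytes).
signature_bytes() {
    git -C "$1" cat-file commit "$2" | sed -n '/^gpgsig /,/END PGP SIGNATURE/p' | wc -c | tr -d ' '
}

# Succeed only when every commit reachable from the ref carries a good signature
# (%G? prints G for good, N for none, B for bad, E when it cannot be checked).
all_commits_signed() {
    git -C "$1" log --format='%H %G?' "$2" | {
        bad=0
        while read -r hash status; do
            [ "$status" = G ] || { echo "not verifiably signed: $hash (%G?=$status)" >&2; bad=1; }
        done
        exit $bad
    }
}
```

A signed tag on top of a history where `all_commits_signed` fails is exactly the false sense of security the reply warns about: the tag vouches for the tagger, not for who authored the commits beneath it.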