Sign release tags when making future releases? about msgspec HOT 4 CLOSED

I think there are infinitely higher priorities and this is really just a box-ticking exercise. IME your dependencies not having signed commits/tags isn't going to be the biggest security hole in your organization.

That said, if you did want to sign commits/tags you can add a SSH signing key to your GitHub account with e.g.

gh ssh-key add ~/.ssh/id_ed25519.pub --type signing

...and configure git to use it with something like:

git config --global gpg.format ssh
git config --global user.signingkey "~/.ssh/id_ed25519"
git config --global commit.gpgsign true
git config --global tag.gpgsign true
git config --global gpg.ssh.allowedSignersFile "~/.config/git/allowed_signers"

...and you can create the allowed_signers file with:

echo echo "$(git config --get user.email) $(cat ~/.ssh/id_ed25519.pub)"  >> ~/.config/git/allowed_signers

If you create tags via the GitHub UI that won't help you as GitHub creates lightweight tags.
In my own workflow I create signed, annotated tags locally and have GitHub actions create a release automatically.

name: github/release
run-name: "[${{ github.ref_name }}] github/release"


on:
  push:
    tags:
      - '*'


permissions:
  contents: write


jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - id: checkout_source
        name: Checkout Source
        # https://github.com/actions/checkout
        uses: actions/checkout@v4

      - id: create_release
        name: Create Release
        shell: bash
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          set -euox pipefail
          # https://cli.github.com/manual/gh_release_create
          gh release create '${{ github.ref_name }}' \
            --repo='${{ github.repository }}' \
            --title='Release ${{ github.ref_name }}' \
            --generate-notes \
            --draft

from msgspec.

I'm willing to try this for at least a few releases. The latest release (0.18.6, currently still building) is made from a signed commit. Closing.

from msgspec.

Releases are initiated via the github UI - all I do is click the "draft a new release" button here when releasing, fill out the info with a new tag, and hit "Publish Release". CI builds the artifacts for pypi and conda-forge. I'm unlikely to make any amendments to this process if they meaningfully increase the release burden - I'm already strapped for OSS time as it is.

How would you go about adding tag signing to this process? What security threat are you hoping this will mitigate? Why should I amend this process to satisfy your request?

from msgspec.

Thanks for creating and supporting this project. I know it is a thankless task to manage an OSS project and it's a lot of work to balance one with a day job.

The main outcome of signing is adding a bit of verification to the software supply chain. Signing helps others verify the state of repo at the tag is as you intended. The tags are signed locally before pushing the tag to Github.

More recent versions of git support signing with an ssh key which is a low friction method if you don't have an existing GPG setup. From there the release tag can be signed with git tag -s $tagname. Github has builtin support for showing verification labels for signed commits/tags .

from msgspec.