Sign release tags

[inglor]

Description

Consider Signing tags of releases

Proposed solution

As the package maintainer of Arch Linux I would appreciate if you could help maintaining the chain of trust with PGP signatures on commits/tags. This can be handled from the Arch Linux build tools and can automatically validate PGP public key of the author of the commit/tag.

Tasks:

• Sign commits and tags of releases
• Mention the public keys used for signing the above in README or any other file within the repository so downstream systems can validate independently.
• Add any new maintainers who can release on the above list

Describe alternatives you've considered

N/A

Additional context

N/A

[jjbustamante]

Hi @inglor, we've been discussing similar ideas in the past, there is an open RFC to integrate with Cosign. From this RFC, some new ideas came up, like the prepare operation:

• initial RFC
• some continuation RFC

We are happy to get some help, ideas or if you want to keep working on the previous RFCs will be great

[jjbustamante]

This is probably similar to or duplicating #268

[inglor]

I think you misunderstood the request. This is about signing with PGP key the release tag of this repository. No new feature request for pack itself :) just couldn't choose a category other than feature.

[jjbustamante]

Oh! sorry about that @inglor , then I think is similar or duplicating this one #934 :)

[inglor]

Yes - I'll move discussion there.