Signed commits and tags #2096
Replies: 6 comments
-
How is this enforced? Also, how does this work with GitHub's web-based "Merge" button?
-
There is no enforcement (yet), as the web UI just adds a merge commit; it does not interfere if the commits inside this PR are signed. For tags, we could also sign the downloads; this would be a manual process, which I think is currently useless, as, for example, Composer would not make use of it.
-
Signing tags makes sense since they are a point-in-time representation of a set of changes. Signing everything doesn't make as much sense. Since you can't tag via GitHub (AFAIK?) there's no downside to enforcing this as policy when releasing new tags.
-
Generally I'm the one doing tagging, so please help me remember to do this next time we create a release and I'll tag it. Is it possible to sign old tags somehow, @Flyingmana?
-
Can we add this to the README? Or is there a better place? And close the issue.
-
This is something for contribution guidelines... working on it.
-
When we now start to tag our own releases, I would like to require at least the tags to be signed.
https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
Also, for bigger imports or patches, it would be great if the commit itself was signed.
What is the opinion about this here?