GPG sign tags #350

Closed
StevenBlack opened this issue Aug 30, 2018 · 9 comments
Comments

@StevenBlack

Hi Lars! I'm experimenting with GPG signing commits, and I notice release-it doesn't support the [-S[<keyid>]] option for git commit, nor the --sign option on git tag.

See, for example, Signing tags using GPG.

I'm just experimenting for now, and since release-it is in my workflow, it would be nice if it supported signing commits should I decide to sign in regular practice.

@webpro
Collaborator

webpro commented Sep 3, 2018

Hi, @StevenBlack. There is a flexible src.commitArgs (and src.pushArgs) option, I guess that's what you are looking for. If so, I'm happy to add src.tagArgs as well.

Clearly, the docs could have been more helpful.

@StevenBlack
Author

Thanks Lars @webpro!

Sorry for taking so long to get back to this.

I configured my release.json just as you suggest and it worked great! Thank you!

2018-09-08_21-57-05

@RostarMarek

Hello, I have been playing around with release-it since in one of the projects I'm involved in we want to start creating GitHub releases that are signed. So far release-it seems like the best option to automate this process a bit, but in its current state there is no possibility to sign tags created by release-it.

This results in a state where commits created by release-it are signed correctly but the releases and tags themselves are unsigned. This cannot be done even by configuring git, since its configuration to force sign tags gets overridden when using --annotate, which is unsigned.

So it would be greatly appreciated if you could add the src.tagArgs or some other form to add GPG signature to tags as well as commits. If you are short on time, since this should be a quick fix, I could add this option based on how src.commitTags are added and create a pull request with this feature.

Hope to hear from you soon. Regards Marek
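
The state described in the comment above (signed commits, unsigned tags) can be detected from the raw objects git stores. This is an added example, not part of the original thread or of release-it: it classifies `git cat-file -p` output and only reports whether a signature block is present, leaving cryptographic verification to `git verify-tag` and `git verify-commit`. The function names, sample objects and placeholder signatures are constructed for illustration.

```python
import subprocess

# Armor headers git recognises for OpenPGP, SSH and X.509 signatures.
SIG_MARKERS = ("-----BEGIN PGP SIGNATURE-----", "-----BEGIN SSH SIGNATURE-----",
               "-----BEGIN SIGNED MESSAGE-----")
TAG_FINDINGS = {
    "unsigned-annotated-tag": "tag is annotated but not signed",
    "signed-commit": "lightweight tag: no tag object to sign",
    "unsigned-commit": "lightweight tag: no tag object to sign",
}

def classify(raw):
    """Classify `git cat-file -p <ref>` output by object kind and signature presence."""
    headers, _, body = raw.partition("\n\n")
    lines = headers.split("\n")
    if lines[0].startswith("object "):  # tag object: signature is appended to the message
        signed = any(l.startswith(SIG_MARKERS) for l in body.splitlines())
        return "signed-tag" if signed else "unsigned-annotated-tag"
    if lines[0].startswith("tree "):    # commit object: signature sits in a gpgsig header
        signed = any(l.startswith("gpgsig ") for l in lines)
        return "signed-commit" if signed else "unsigned-commit"
    return "unknown"

def audit_release(tag_raw, commit_raw):
    """Return findings for one release; an empty list means both carry a signature."""
    findings = []
    kind = classify(tag_raw)
    if kind != "signed-tag":
        findings.append(TAG_FINDINGS.get(kind, "tag ref is not a recognisable object"))
    if classify(commit_raw) != "signed-commit":
        findings.append("release commit is not signed")
    return findings

def cat_file(ref, repo="."):
    """Read an object from a real repository, e.g. "v1.0.0" and "v1.0.0^{commit}"."""
    return subprocess.run(["git", "-C", repo, "cat-file", "-p", ref],
                          check=True, capture_output=True, text=True).stdout

# Constructed sample objects (placeholder ids and signatures, not real data).
WHO = "Dev <dev@example.com> 1542412800 +0000\n"
SIGNED_COMMIT = ("tree " + "0" * 40 + "\nauthor " + WHO + "committer " + WHO +
                 "gpgsig -----BEGIN PGP SIGNATURE-----\n \n (placeholder)\n"
                 " -----END PGP SIGNATURE-----\n\nRelease 1.0.0\n")
ANNOTATED_TAG = ("object " + "0" * 40 + "\ntype commit\ntag 1.0.0\ntagger " + WHO +
                 "\nRelease 1.0.0\n")
SIGNED_TAG = (ANNOTATED_TAG + "-----BEGIN PGP SIGNATURE-----\n\n(placeholder)\n"
              "-----END PGP SIGNATURE-----\n")

if __name__ == "__main__":
    print(audit_release(ANNOTATED_TAG, SIGNED_COMMIT))  # the state reported above
```
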

@webpro
Collaborator

webpro commented Nov 16, 2018 via email

@RostarMarek

Alright should have one ready at some point tomorrow.

@StevenBlack
Author

@RostarMarek release-it can sign, see my .release-it.json file for example. This is what I use and it works flawlessly.

@webpro
Collaborator

webpro commented Nov 17, 2018

Thanks, @StevenBlack! Both commits and tags can be signed (according to https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work). I've just added src.tagArgs anyway in v8.0.0 and updated the readme.

@RostarMarek

Thanks guys.
Got held up a bit with IRL stuff over the weekend so I didn't have time to finish the pull request.

@webpro
Collaborator

webpro commented Nov 19, 2018

No problem, @RostarMarek! I wanted to get v8 out the door, and this took only a little effort to include.

mceachen added a commit to photostructure/exiftool-vendored.js that referenced this issue Nov 18, 2022