Monorepo for Tangled tangled.org

Feature Request - Signed Git Tags #407

open opened by ethanholz.com

Would be really cool to see signed tags in the UI. Other forges have this and it would be cool to have this addition! I am willing to help implement this but would need to know where to start.

agreed! as i understand it, there are two scenarios:

  • lightweight tags: these are just pointers to commits, we can just verify that the commit is signed in this scenario. we already have the commitverify package to do this. it's not possible to create signed lightweight tags as far as i know
  • annotated tags: these are full-blown objects, so we may have to introduce a package similar to commitverify, say, tagverify that verifies the signature of the tag given the (key, fingerprint, payload) triple (or just share some of the verification logic among commit and tag verification)

in the second scenario, calculating the payload is the tricky bit, IIRC figuring out the payload for commits was just reading through in this file to see how git does it. it probably has some info about the payload data for tags. my guess is it would need the following (one element per line):

  • object: hash of the commit this tag is referring to
  • type: has to be set to commit
  • tag: name of the tag, like v1.13.0-alpha
  • tagger: name, email address and time of tagging, similar to committer in commits
  • the message is just appended to the payload after an extra newline, similar to commits

i should also mention, we only support ssh signing, and not GPG signing. jj does not presently support tagging natively, so you'd need to create signed tags via git only, the following git config is necessary:

user.signingKey = "~/.ssh/tangled_key"
gpg.format = "ssh"
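
Added example, not part of the thread and not Tangled's code: a Go sketch of recovering the payload of an annotated tag, assuming git's layout in which the armored SSH signature is appended to the end of the tag object and the signed payload is every byte before it. `SplitTag`, `TagHeaders` and the sample tag are hypothetical names and constructed data.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// sshSigBegin is the armor header that opens an SSH signature block.
var sshSigBegin = []byte("-----BEGIN SSH SIGNATURE-----")

// SplitTag (hypothetical helper) splits a raw annotated tag object, as printed by
// `git cat-file tag <name>`, at the last line that starts with the armor header.
// Everything before it is the signed payload; sig is nil for an unsigned tag.
func SplitTag(raw []byte) (payload, sig []byte) {
	i := bytes.LastIndex(raw, append([]byte("\n"), sshSigBegin...))
	if i < 0 {
		return raw, nil
	}
	return raw[:i+1], raw[i+1:]
}

// TagHeaders parses the header lines that precede the blank line and the message.
func TagHeaders(payload []byte) (map[string]string, error) {
	head, _, ok := bytes.Cut(payload, []byte("\n\n"))
	if !ok {
		return nil, errors.New("tag has no header/message separator")
	}
	h := map[string]string{}
	for _, line := range bytes.Split(head, []byte("\n")) {
		k, v, ok := bytes.Cut(line, []byte(" "))
		if !ok {
			return nil, fmt.Errorf("malformed header %q", line)
		}
		h[string(k)] = string(v)
	}
	return h, nil
}

// sampleTag is constructed for this example; hash and signature body are placeholders.
const sampleTag = "object 0123456789abcdef0123456789abcdef01234567\ntype commit\n" +
	"tag v1.13.0-alpha\ntagger A Tagger <tagger@example.com> 1700000000 +0000\n\n" +
	"release notes\n-----BEGIN SSH SIGNATURE-----\nPLACEHOLDER\n-----END SSH SIGNATURE-----\n"

func main() {
	payload, sig := SplitTag([]byte(sampleTag))
	h, err := TagHeaders(payload)
	fmt.Println(h["object"], h["type"], h["tag"], len(sig) > 0, err)
}
```

The payload returned here still has to be checked against the armored signature and the user's registered SSH public key; that step is not shown.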
AT URI
at://did:plc:x2qbe4yiwujd6jebn4575ixa/sh.tangled.repo.issue/3me2ws4spyx22