seedvault
Sign git tags and optionally git commits with trusted OpenPGP key
I would like to cryptographically ensure that users of GrapheneOS and HashbangOS (and other custom ROMs) are using a build of this app that is based on an authentic git checkout.
Could you sign git tags using gpg using a key that is more trusted than GitHub's key? This would allow me to use the scripts that I already have working to verify AOSP and GrapheneOS also for Seedvault without modification.
Edit: Something is strange with the GitHub key. Even with a clean git clone I get:
$ git tag -v 1.0.0
error: 1.0.0: cannot verify a non-tag object of type commit.
But it shows it on https://github.com/seedvault-app/seedvault/releases as signed. The git commits match for the signed and unsigned tag.
Ref: https://github.com/hashbang/aosp-build/issues/32
At some point, GrapheneOS is likely switching to signing tags with signify and/or OpenSSH ssh-keygen -Y with those included as detached signatures via Git notes. Having the signatures hard-wired into the tag objects isn't the greatest and neither is using PGP since it's awful for many reasons which I won't get into here.
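An added example, not code from this issue thread or from the seedvault project, that reproduces the `git tag -v` error quoted in the issue and walks through the detached-signature flow the last comment sketches, using OpenSSH `ssh-keygen -Y` with the signature stored in a git note. The error comes from `1.0.0` being a lightweight tag: a ref pointing straight at a commit, with no tag object to carry a signature, so `git tag -v` has nothing to check and whatever the release page shows as verified must come from the commit itself. The identities, the key, the `git-tag` signature namespace and the `signatures` notes ref are constructed for the demo; it needs git and OpenSSH 8.2 or newer.

```shell
#!/bin/sh
# Added example, not from the seedvault issue or project. Shows (1) why
# `git tag -v` refuses a lightweight tag and (2) signing an annotated tag
# out of band with `ssh-keygen -Y`, storing the detached signature as a git
# note and verifying it against an allowed_signers trust anchor.
# Names, identities, namespace "git-tag" and notes ref "signatures" are
# constructed for the demo. Requires git and OpenSSH >= 8.2.
set -eu

export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# Fresh throwaway repository with one empty commit; prints its path.
make_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" commit -q --allow-empty -m "initial"
  echo "$dir"
}

# A lightweight tag is only a ref to a commit: there is no tag object that
# could hold a signature, so `git tag -v` prints the error seen in the issue.
# Returns 0 when that error is observed.
lightweight_tag_cannot_be_verified() {
  dir=$(make_repo)
  git -C "$dir" tag v1-light
  rc=1
  if git -C "$dir" tag -v v1-light 2>&1 | grep -q "cannot verify a non-tag object"; then
    rc=0
  fi
  rm -rf "$dir"
  return "$rc"
}

# Annotated tag signed with an SSH key; the detached signature travels as a
# note attached to the tag object and is checked against allowed_signers.
# Returns 0 if the genuine content verifies AND a tampered copy is rejected.
ssh_note_signature_roundtrip() {
  dir=$(make_repo)
  work=$(mktemp -d)
  rc=1

  # Signer side: release key, annotated tag object, detached signature.
  ssh-keygen -q -t ed25519 -N "" -C release@example.invalid -f "$work/release_key"
  git -C "$dir" tag -a -m "release 1.0.0" v1.0.0
  tagid=$(git -C "$dir" rev-parse v1.0.0)
  git -C "$dir" cat-file -p v1.0.0 > "$work/tag.txt"          # raw tag object content
  ssh-keygen -q -Y sign -f "$work/release_key" -n git-tag "$work/tag.txt"  # writes tag.txt.sig
  git -C "$dir" notes --ref=signatures add -F "$work/tag.txt.sig" "$tagid"

  # Verifier side: the trust anchor is one allowed_signers line (principal +
  # public key) obtained out of band; note and tag object come from the repo.
  printf 'release@example.invalid %s\n' "$(cut -d' ' -f1,2 "$work/release_key.pub")" \
    > "$work/allowed_signers"
  git -C "$dir" notes --ref=signatures show "$tagid" > "$work/fetched.sig"
  git -C "$dir" cat-file -p v1.0.0 > "$work/fetched.txt"
  if ssh-keygen -Y verify -f "$work/allowed_signers" -I release@example.invalid \
       -n git-tag -s "$work/fetched.sig" < "$work/fetched.txt" >/dev/null 2>&1; then
    # Negative check: a single changed byte in the tag content must fail.
    printf 'x' >> "$work/fetched.txt"
    if ! ssh-keygen -Y verify -f "$work/allowed_signers" -I release@example.invalid \
         -n git-tag -s "$work/fetched.sig" < "$work/fetched.txt" >/dev/null 2>&1; then
      rc=0
    fi
  fi
  rm -rf "$dir" "$work"
  return "$rc"
}

# Run both checks when invoked as `DEMO=1 sh tag-signing.sh`.
if [ "${DEMO:-0}" = 1 ]; then
  if lightweight_tag_cannot_be_verified; then
    echo "lightweight tag: git tag -v refuses it, as in the issue"
  fi
  if ssh_note_signature_roundtrip; then
    echo "ssh signature in git note: good signature verified, tampered content rejected"
  fi
fi
```

The verifier never trusts anything inside the repository as a key source: `allowed_signers` plays the role of the pre-distributed public key in the user's existing AOSP/GrapheneOS scripts, and the namespace `-n git-tag` keeps a signature made for a tag from being replayed as a signature over some other kind of data.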