Not able to verify source code. Push signed git tags? #101

Open
faern opened this issue Jan 21, 2020 · 2 comments

Comments

@faern

faern commented Jan 21, 2020

Hi,
From what I can see, this repository has neither signed commits nor signed tags. As such, it's not possible to get any type of guarantee that the code I checked out is from you or can be trusted. We want to build our own TAP driver and sign it. But we want to be relatively sure that what we sign is not something bad.

Would it be possible to push a signed git tag pointing to the commit the latest release was built from, like you do in the main OpenVPN repository? And subsequently the same for future releases.

I have a commit with hash 01fbfb9451e1cbb3a6d33cb2975ae7fb21df90ed here that bumps the driver version to 9.24.2.601.

@mattock
Member

mattock commented Feb 3, 2020

That seems to be the correct hash, but of course I can't rule out GitHub having been hacked since I built the latest installers. That said, if somebody had rewritten history people would notice as their Git pulls would start failing. Or there would be odd commits on top of the correct commits.

That said, signing tags does not seem too difficult, given I already have GnuPG set up. We just need to decide which key to sign the tags with. I'll bring this up in Wednesday's community meeting.

@mattock
Member

mattock commented Feb 5, 2020

In the community meeting today we decided to start signing the tags from now on. I will use my personal key for the purpose. It is trusted by other OpenVPN developers.
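The two halves of what this thread asks for, as an added example that is not code from the issue or from the tap-windows6 project: the maintainer signs a release tag with GnuPG (mattock's decision above), and a downstream builder verifies that tag, the signing key, and the commit it points at before building (faern's request at the top). The tag name, key identities, file names and the throwaway repository and keyring are placeholders chosen for this example; the demo also shows the three failure modes a builder cares about (an unsigned re-pointed tag, a genuine-key tag on the wrong commit, and a tag signed by some other key).

```shell
#!/bin/sh
# Added example, not code from this issue or from the tap-windows6 project.
# Maintainer side: sign a release tag with GnuPG. Builder side: verify the
# tag, the signing key, and the commit it points at before building. Tag name,
# key identities, file names and the temporary repository are placeholders.
set -eu

# make_signed_tag REPO TAG COMMIT: create a GPG-signed annotated tag on COMMIT
# (maintainer side). Requires user.signingkey to be configured in REPO.
make_signed_tag() {
    git -C "$1" tag -s "$2" -m "Release $2" "$3"
}

# primary_fpr_from_status: read GnuPG status lines on stdin and print the
# primary-key fingerprint from the VALIDSIG line (its last field). Prints
# nothing when there is no valid signature, e.g. only BADSIG or ERRSIG.
primary_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# verify_release_tag REPO TAG EXPECTED_COMMIT EXPECTED_FPR (builder side).
# Succeeds only if TAG has a valid signature from the key whose primary
# fingerprint is EXPECTED_FPR *and* resolves to EXPECTED_COMMIT. A "good
# signature" alone means "some key in my keyring", and a tag name can be
# re-pointed, so both checks are needed.
verify_release_tag() {
    repo=$1 tag=$2 expected_commit=$3 expected_fpr=$4
    # --raw sends GnuPG's machine-readable status lines to stderr; a bad or
    # missing signature makes git exit non-zero.
    raw=$(git -C "$repo" verify-tag --raw "$tag" 2>&1 >/dev/null) || return 1
    sig_fpr=$(printf '%s\n' "$raw" | primary_fpr_from_status)
    [ "$sig_fpr" = "$expected_fpr" ] || return 1
    # ^{commit} peels the annotated tag object to the commit it points at.
    [ "$(git -C "$repo" rev-parse "$tag^{commit}")" = "$expected_commit" ]
}

# gen_key UID: generate a throwaway, passphrase-less key in $GNUPGHOME
# (placeholder identity) and print its primary fingerprint.
gen_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$1" default default never 2>/dev/null
    gpg --batch --with-colons --list-secret-keys "$1" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# demo_roundtrip: build a throwaway repository and keyring, sign a release
# tag, then check that verification accepts the genuine tag and rejects a
# moved (unsigned) tag, a genuine-key tag on the wrong commit, and a tag
# signed by a different key. Prints the release commit hash on success.
demo_roundtrip() {
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME"
    fpr=$(gen_key "Release Signer (example) <signer@example.invalid>")
    attacker=$(gen_key "Someone Else (example) <other@example.invalid>")

    repo="$work/repo" tag=v9.24.2.601
    git init -q "$repo"
    git -C "$repo" config user.name "Example Maintainer"
    git -C "$repo" config user.email "signer@example.invalid"
    git -C "$repo" config user.signingkey "$fpr"
    echo "9.24.2.601" >"$repo/version.txt"
    git -C "$repo" add version.txt
    git -C "$repo" commit -q -m "Bump driver version to 9.24.2.601"
    release=$(git -C "$repo" rev-parse HEAD)

    make_signed_tag "$repo" "$tag" "$release"
    verify_release_tag "$repo" "$tag" "$release" "$fpr" || return 1

    # History grows; someone re-points the tag name at a newer commit.
    echo "extra" >>"$repo/version.txt"
    git -C "$repo" commit -q -am "Unreviewed change"
    git -C "$repo" tag -f "$tag" >/dev/null                      # lightweight, unsigned
    if verify_release_tag "$repo" "$tag" "$release" "$fpr"; then return 1; fi
    git -C "$repo" tag -f -s "$tag" -m "Re-tag" HEAD >/dev/null  # signed, wrong commit
    if verify_release_tag "$repo" "$tag" "$release" "$fpr"; then return 1; fi
    git -C "$repo" -c user.signingkey="$attacker" \
        tag -f -s "$tag" -m "Re-tag" "$release" >/dev/null       # right commit, wrong key
    if verify_release_tag "$repo" "$tag" "$release" "$fpr"; then return 1; fi

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo "$release"
}

# Run the round trip when git and gpg are available; otherwise skip it.
if command -v git >/dev/null 2>&1 && command -v gpg >/dev/null 2>&1; then
    DEMO_RESULT=$(demo_roundtrip)
    echo "verified signed tag for release commit $DEMO_RESULT"
else
    DEMO_RESULT=skipped
fi
```

In a real build pipeline the builder would import the maintainer's public key into a dedicated keyring and pin the expected fingerprint and release commit (for instance the hash faern quotes above) in the build script, then run `verify_release_tag` before checking out the tag; the fingerprint comparison is what turns "a key in my keyring signed this" into "the OpenVPN maintainer's key signed this".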
