Reminder, when you sign git tags you are signing the SHA-1 hash of the SHA-1 hash of a tree of SHA-1 hashes.

Instead, sign the output of

git -c core.autocrlf=false archive --format=zip

which lets you use signify or ssh-keygen instead of gpg, too!
(Yes, there should be a tool that makes this easy. Just so many hours in the day, etc.)
Note that "git archive" is not stable, so you have to distribute the archive, too. A proper tool would apply the same kind of tree hashing algorithm as Go modules, which is stable.

Hmm, now I want to build it. Dammit. No. Go 1.17 is freezing tomorrow.
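The stable tree hash the thread alludes to is the "h1:" hash that Go modules record in go.sum: hash each file's bytes, write one `<sha256 hex>  <name>` line per file in sorted name order, then hash that manifest. The Go program below is an added example, not code from the thread or from the Go project; it reimplements that scheme with the standard library only and shows why the result is stable where a `git archive` zip is not: only file names and contents enter the hash, so mtimes, archive metadata and file ordering cannot change it. The file list is constructed inline for the demonstration; a real tool would read it from a checkout or from the entries of the archive.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// File is one regular file in the tree: its slash-separated path relative to
// the tree root and its exact bytes. Nothing else (mtime, mode, zip headers)
// is part of the hash, which is what makes it stable across re-archiving.
type File struct {
	Name string
	Data []byte
}

// Summary builds the manifest that gets hashed: for each file, sorted by
// name, the line "<sha256 hex>  <name>\n" (two spaces, sha256sum style).
// This is the text a reviewer can regenerate with "sha256sum" to see
// exactly what the signature covers.
func Summary(files []File) string {
	sorted := append([]File(nil), files...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })
	var b strings.Builder
	for _, f := range sorted {
		sum := sha256.Sum256(f.Data)
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), f.Name)
	}
	return b.String()
}

// Hash1 returns the go.sum-style tree hash: "h1:" followed by the
// base64 of the SHA-256 of the manifest produced by Summary.
func Hash1(files []File) string {
	h := sha256.Sum256([]byte(Summary(files)))
	return "h1:" + base64.StdEncoding.EncodeToString(h[:])
}

// Verify recomputes the hash for a tree you extracted (from any archive
// format, in any order) and compares it to the value that was signed.
func Verify(files []File, signed string) bool {
	return Hash1(files) == signed
}

func main() {
	// Constructed sample tree, deliberately listed out of order.
	tree := []File{
		{Name: "src/main.go", Data: []byte("package main\n")},
		{Name: "README.md", Data: []byte("# demo\n")},
		{Name: "go.mod", Data: []byte("module example.com/demo\n")},
	}
	// The same files in a different order (as a re-extracted archive might
	// yield them) produce the same hash; a one-byte change does not.
	reordered := []File{tree[2], tree[0], tree[1]}
	tampered := []File{tree[0], tree[1], {Name: "go.mod", Data: []byte("module example.com/demo\n\n")}}

	fmt.Print(Summary(tree))
	fmt.Println(Hash1(tree))
	fmt.Println("reordered matches:", Verify(reordered, Hash1(tree)))
	fmt.Println("tampered matches: ", Verify(tampered, Hash1(tree)))
}
```

What you would actually sign is the short `h1:` string (or the manifest itself), not the zip: for example `ssh-keygen -Y sign -f ~/.ssh/id_ed25519 -n file tree.h1` on the release side and `ssh-keygen -Y verify -f allowed_signers -I signer@example.com -n file -s tree.h1.sig < tree.h1` on the consumer side, with the consumer re-deriving the hash from whatever archive they downloaded. Note that this hash covers file names and contents only, so file modes and symlinks need to be handled separately if they matter to you.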
You can follow @FiloSottile.