Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Unresolved

    Description

      It seems that the git tags used to tag MariaDB Server releases are not signed.

      For example the recent mariadb-10.6.3 tag by serg and mariadb-10.4.20 by marko don't seem to be signed.

      Compare:

      $ git tag -v mariadb-10.5.11
      error: mariadb-10.5.11: cannot verify a non-tag object of type commit.
      (from: https://github.com/MariaDB/server/releases/tag/mariadb-10.5.11)

      $ git tag -v debian/1%10.5.11-1
      object 916d02055c70372621c463043387e1367e20cb12
      type commit
      tag debian/1%10.5.11-1
      tagger Otto Kekäläinen <otto@debian.org>
      (from: https://salsa.debian.org/mariadb-team/mariadb-10.5/-/tags/debian%2F1%2510.5.11-1)

      Signing can be done by adding `-s` to `git tag -s mariadb-10.5.12` when tagging. You could use the same GPG key to sign the tags as is used to sign the tar.gz source releases.

      For details see:

        Activity

          For what it is worth, I do not remember ever creating any tag in any Git repository. I have understood that dbart normally creates tags as part of the release process.

          marko Marko Mäkelä added a comment

          The latest tags are now signed, but with Daniel's personal key, which does not seem to be published on the usual keyservers, so normal users can't verify these tags:

          $ git tag -v mariadb-10.6.4
          object 2db692f5b4d6bb31a331dab44544171c455f6aca
          type commit
          tag mariadb-10.6.4
          tagger Daniel Bartholomew <db@dbart.us> 1628174514 -0400
           
          MariaDB 10.6.4
          gpg: Signature made to  5. elokuuta 2021 07.42.08 PDT
          gpg:                using RSA key 3B3C906311191ABF515055D49171189995E45A9E
          gpg:                from "Daniel Bartholomew <daniel@dbart.us>" [unknown]
          gpg:                 aka "Daniel Bartholomew (personal gpg key) <dbart@dbart.us>" [unknown]
          Primary key fingerprint: 3B3C 9063 1119 1ABF 5150  55D4 9171 1899 95E4 5A9E
          

          otto Otto Kekäläinen added a comment

          Yes, for this round of releases I added the following to my ~/.gitconfig:

          [tag]
            gpgsign = true
          

          ...so it used my personal gpg key, the same that I use to sign commits. I will add signingkey = F1656F24C74CD1D8 to that section of the config so that the same signing-key@mariadb.org key that I use to sign Debian/Ubuntu repositories is used for future tags.

          As far as publishing my personal key goes, I thought it was published to at least keyserver.ubuntu.com. If there are other "usual" keyservers I should publish it to, please let me know. I published it again just now.

          As an aside, I used to have gpg configured to sync with the pool of servers at sks-keyservers.net, but that service seems to have shut down. Are there any replacement pools?

          dbart Daniel Bartholomew added a comment

          Actually, to properly sign the tag I need to specify it on the command-line, e.g.:

          git tag -u ${key_id} ${tag_name} ${commit_hash}
          

          (Putting this here for future me)

          dbart Daniel Bartholomew added a comment - edited

          Thanks for looking into it.

          This is what I got originally:

          $ git tag -v mariadb-10.5.12
          object b5569b62408375f35e2fe851158a7ff17e378ed1
          type commit
          tag mariadb-10.5.12
          tagger Daniel Bartholomew <db@dbart.us> 1628173022 -0400
           
          MariaDB 10.5.12
          gpg: Signature made Thu  5 Aug 07:17:14 2021 PDT
          gpg:                using RSA key 3B3C906311191ABF515055D49171189995E45A9E
          gpg: Can’t check signature: No public key
          

          Now I get:

          $ git tag -v mariadb-10.5.12
          object b5569b62408375f35e2fe851158a7ff17e378ed1
          type commit
          tag mariadb-10.5.12
          tagger Daniel Bartholomew <db@dbart.us> 1628173022 -0400
           
          MariaDB 10.5.12
          gpg: Signature made to  5. elokuuta 2021 07.17.14 PDT
          gpg:                using RSA key 3B3C906311191ABF515055D49171189995E45A9E
          gpg: Good signature from "Daniel Bartholomew (personal gpg key) <db@dbart.us>" [unknown]
          gpg:                 aka "Daniel Bartholomew <daniel@dbart.us>" [unknown]
          gpg:                 aka "Daniel Bartholomew (personal gpg key) <dbart@dbart.us>" [unknown]
          gpg: WARNING: This key is not certified with a trusted signature!
          gpg:          There is no indication that the signature belongs to the owner.
          Primary key fingerprint: 3B3C 9063 1119 1ABF 5150  55D4 9171 1899 95E4 5A9E
          

          And your key is now visible at https://keyserver.ubuntu.com/pks/lookup?search=0x9171189995E45A9E&fingerprint=on&op=index

          otto Otto Kekäläinen added a comment
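An added example, not part of the issue thread or of MariaDB's release tooling: a small Python check that runs `git tag -v` and sorts its output into the cases seen above (lightweight tag, signed with a key we don't have, good signature from an unexpected key, good signature from the pinned release key). Pinning the expected key ID replaces GnuPG's web-of-trust warning as the trust decision; the set of accepted key IDs and the `verify_tag` helper are assumptions for illustration.

```python
import re
import subprocess

# Key IDs a release verifier is willing to accept. The thread names the
# signing-key@mariadb.org key F1656F24C74CD1D8; treating it as the only
# acceptable tag-signing key is this example's assumption, not project policy.
EXPECTED_KEY_IDS = {"F1656F24C74CD1D8"}

# gpg reports the signing key as "using RSA key <hex>" (full fingerprint on
# recent versions, a long key ID on older ones); accept any algorithm name.
KEY_RE = re.compile(r"using \w+ key ([0-9A-Fa-f]+)")


def classify(output: str, expected_key_ids=EXPECTED_KEY_IDS) -> dict:
    """Classify the combined stdout+stderr of `git tag -v <tag>`.

    Only "good-expected-key" should pass a release check; each other
    status is a distinct failure mode worth reporting separately.
    """
    m = KEY_RE.search(output)
    key = m.group(1).upper() if m else None
    if "cannot verify a non-tag object" in output:
        # Lightweight tag: there is no tag object, hence nothing to sign.
        return {"status": "lightweight-tag", "key": None}
    if "No public key" in output:
        # Signed, but the key is not in the local keyring (unpublished key).
        return {"status": "no-public-key", "key": key}
    if "Good signature" not in output:
        return {"status": "bad-or-missing-signature", "key": key}
    # Compare on the suffix so either a full fingerprint or a long key ID
    # can be pinned. The "[unknown]" trust warning is expected here and is
    # deliberately ignored: the pinned key ID is the trust anchor.
    if key is None or not any(key.endswith(k.upper()) for k in expected_key_ids):
        return {"status": "good-unexpected-key", "key": key}
    return {"status": "good-expected-key", "key": key}


def verify_tag(tag: str, repo: str = ".") -> dict:
    """Run `git tag -v` in `repo` and classify; git prints gpg output on stderr."""
    proc = subprocess.run(["git", "-C", repo, "tag", "-v", tag],
                          capture_output=True, text=True)
    return classify(proc.stdout + proc.stderr)
```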

          It won't be the signature I use for future tag signing, but good that it at least now shows up. Thanks.

          dbart Daniel Bartholomew added a comment

          People

            dbart Daniel Bartholomew
            otto Otto Kekäläinen