From b2e45bc641234e7e306b08f8fc1d07ab36fa42b2 Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Thu, 14 Dec 2017 17:02:56 -0500 Subject: [PATCH] code-integrity: Link to git-evtag This doc mentions the SHA1 for example which is something evtag was explicitly designed to address, and it long predates shatter.io etc. Yes someday I'll try to find the time to push evtag to git upstream... --- protecting-code-integrity.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/protecting-code-integrity.md b/protecting-code-integrity.md index a08d544..b2cf9dc 100644 --- a/protecting-code-integrity.md +++ b/protecting-code-integrity.md @@ -1077,6 +1077,9 @@ Our recommendation is to always sign git tags, as this allows other developers to ensure that the git repository they are working with has not been maliciously altered (e.g. in order to introduce backdoors). +See also [git-evtag](http://github.com/cgwalters/git-evtag) for an even +stronger form of signed tags. + ##### How to verify signed tags To verify a signed tag, simply use the `verify-tag` command:
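Review bot: The link in the added line `+See also [git-evtag](http://github.com/cgwalters/git-evtag) for an even` uses plain `http://`. In a guide about protecting code integrity, it should point to `https://github.com/cgwalters/git-evtag` so that the reference is not fetched over an unauthenticated channel. The added sentence also calls git-evtag "an even stronger form of signed tags" without saying in what respect. The commit message gives the reason (the document's SHA1 mention, which evtag was designed to address), but that reasoning does not reach the document text. A short clause stating it would let readers decide whether they need it in addition to the signed tags recommended in the paragraph just above.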