Shopify / toxiproxy

:alarm_clock: :fire: A TCP proxy to simulate network and system conditions for chaos and resiliency testing

Home Page: https://github.com/shopify/toxiproxy

Suggestion: please consider signing release tags

rocodes opened this issue · comments

Thank you for your work on Toxiproxy! In addition to signing commits, it would be very helpful if you would consider signing release tags, to facilitate easy command-line verification of releases with git tag -v.

Currently:

$ git verify-commit c6c22ff9f2d40dd1c9db2ca7c4e7ba5162a42743
gpg: Signature made Sun Oct 17 12:22:39 2021 EDT
gpg:                using DSA key 93189009CE638E5BBFAF0DC0ACD0D4390D132705
gpg: Good signature from "Michael Nikitochkin (miry) <michael.nikitochkin@shopify.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9318 9009 CE63 8E5B BFAF  0DC0 ACD0 D439 0D13 2705
$ git tag -v v2.2.0
error: v2.2.0: cannot verify a non-tag object of type commit.

This change would be nice for automated workflows, so that it's easy to grab the latest release tag from the GitHub API and verify the signature on the tag object before installing.

@rocodes I released v2.3.0 with a signed tag. Can you check if it works for you?

Wonder if I can sign existing tags.

@miry Apologies for the delay - verified v2.3.0 successfully, this looks great. Thanks for your speedy response!

Edit: to answer your question, I think you'd have to rewrite history a little bit to sign old tags (such as overwriting the tag object, preserving the initial date it was created on, then force-pushing). I haven't tried this so I'm not 100% sure, but it might be more hassle than it's worth.
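
The pre-install check discussed in this issue, as an added example that is not code from the thread or from the Toxiproxy project. It separates the lightweight-tag case (the v2.2.0 error above) from a missing or bad signature, and optionally pins the signer, since "Good signature" from an uncertified key still exits 0. The function names, exit codes and sample repository are assumptions of this example, and the fingerprint check assumes OpenPGP (gpg) signatures.

```shell
# Exit codes are this example's own convention:
#   0 verified, 1 missing/bad signature, 2 lightweight tag, 3 no such tag, 4 wrong signer
# usage: verify_release_tag <repo> <tag> [expected primary key fingerprint, 40 hex, no spaces]
verify_release_tag() {
    local repo="$1" tag="$2" want="${3:-}" kind status
    # An annotated tag ref resolves to a "tag" object; a lightweight tag ref
    # resolves straight to the commit, so there is no tag signature to check.
    kind=$(git -C "$repo" cat-file -t "refs/tags/$tag" 2>/dev/null) || return 3
    [ "$kind" = "tag" ] || return 2
    # --raw sends gpg's machine-readable status lines to stderr; capture those.
    status=$(git -C "$repo" verify-tag --raw "$tag" 2>&1 >/dev/null) || return 1
    # Pin the signer: the last field of the VALIDSIG status line is the
    # primary key fingerprint of the key that made the signature.
    if [ -n "$want" ]; then
        printf '%s\n' "$status" | awk -v w="$want" \
            '$2 == "VALIDSIG" && $NF == w { ok = 1 } END { exit !ok }' || return 4
    fi
    return 0
}

# Constructed fixture: a throwaway repository with one lightweight tag and one
# annotated but unsigned tag, so no GPG key is needed. Prints the repo path.
make_sample_repo() {
    local dir opts
    dir=$(mktemp -d) || return 1
    opts="-c user.name=example -c user.email=example@example.invalid"
    opts="$opts -c commit.gpgSign=false -c tag.gpgSign=false"
    {
        git init -q "$dir" &&
        git -C "$dir" $opts commit -q --allow-empty -m "constructed commit" &&
        git -C "$dir" $opts tag v-lightweight &&
        git -C "$dir" $opts tag -a -m "constructed annotated tag" v-annotated
    } >/dev/null 2>&1 || return 1
    printf '%s\n' "$dir"
}
```

Without the third argument the function accepts any signature that git verify-tag accepts, which depends on the keys present in the local keyring.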