From 3d1a06451a254a729b968db9da350eb9b52a0e86 Mon Sep 17 00:00:00 2001
From: Fedor Indutny <fedor@indutny.com>
Date: Fri, 22 Jul 2016 21:40:27 -0400
Subject: [PATCH] doc: use `git-secure-tag` for release tags

`git-secure-tag` recursively constructs an SHA-512 digest out of the
git tree, and puts the hash from the tree's root into the tag
annotation. This hash provides better integrity guarantees than the
default SHA-1 merkle tree that git uses.

Fix: #7579
PR-URL: https://github.com/nodejs/node/pull/7603
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
---
 doc/releases.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/doc/releases.md b/doc/releases.md
index b5e57d1251747c..25cdb56a4791de 100644
--- a/doc/releases.md
+++ b/doc/releases.md
@@ -216,10 +216,16 @@ Once you have produced builds that you're happy with, create a new tag. By waiti
 
 Tag summaries have a predictable format, look at a recent tag to see, `git tag -v v6.0.0`. The message should look something like `2016-04-26 Node.js v6.0.0 (Current) Release`.
 
+Install `git-secure-tag` npm module:
+
+```console
+$ npm install -g git-secure-tag
+```
+
 Create a tag using the following command:
 
 ```sh
-$ git tag <vx.y.z> <commit-sha> -sm 'YYYY-MM-DD Node.js vx.y.z (Release Type) Release'
+$ git secure-tag <vx.y.z> <commit-sha> -sm 'YYYY-MM-DD Node.js vx.y.z (Release Type) Release'
 ```
 
 The tag **must** be signed using the GPG key that's listed for you on the project README.