doc: use git-secure-tag for release tags

[indutny]

Checklist

• make -j4 test (UNIX), or vcbuild test nosign (Windows) passes
• tests and/or benchmarks are included
• documentation is changed or added
• commit message follows commit guidelines

Affected core subsystem(s)

doc

Description of change

git-secure-tag recursively constructs an SHA-512 digest out of the
git tree, and puts the hash from the tree's root into the tag
annotation. This hash provides better integrity guarantees than the
default SHA-1 merkle tree that git uses.

Fix: #7579

[indutny]

cc @rvagg @Fishrock123 @rmg

[MylesBorins]

@indutny does this work with subkeys?

[indutny]

@thealphanerd It supports -s and -u options, just as git tag.

[indutny]

It does not support -d, -F, and -a, though.

[indutny]

Updated description, initial version was misleading. Sorry!

[rmg]

I liked the idea before seeing the docs. Now that I see it is literally a drop in replacement with just a few extra keystrokes thrown in and still spits out a signed git tag in the end, I think I like it even more :-)

[rvagg]

does -sm work (doesn't need to change here, just interested if my keystroke memory will still apply)

[indutny]

Yeah, it actually works. I'll change it back.

[indutny]

Pushed.

[rvagg]

need to make sure we don't have any objectors in @nodejs/release

lgtm

[jasnell]

Emphatic LGTM on this.

[Fishrock123]

Should we make a test release with it to ensure everything behaves as expected?

Also, does this work properly with the verification in tools/release.sh?

[rvagg]

Yes, tools/release.sh is just checking that the key is signed by you, not how it was signed or what it contains so it should be fine. Full releases are the only ones that we normally sign and manually promote, the rest just happen automatically. Perhaps this PR can hold off until the next release, whichever branch that is, to see how it goes.

[indutny]

@thealphanerd is going to do a v4 RC release. Does anyone have an objection to using git-secure-tag for it?

[rvagg]

iirc we aren't tagging RC releases these days, only proper releases with a manual promotion, I have no objections to using this in the next v4 though as long as it's understood that if something comes up that causes this to hold up the release (whatever that might be!) then it can be dropped

[indutny]

Cool, thank you for the heads up!

[indutny]

@rvagg should we land this PR?

[MylesBorins]

@indutny I think we were waiting to do a release with the tool first.

looks like this PR needs a rebase

[indutny]

@thealphanerd we just did a release without a tool, and it is not clear how release team will learn about tool if we won't land this first :)

[MylesBorins]

that's fair. I was under the impression we were waiting for the LTS on this. @nodejs/release are we planning a v6 release for next week? Can we do make the tag with this tool?

[indutny]

Rebased.

[jasnell]

where did we land on this? :-)

[indutny]

We didn't, but I think we should.

[ChALkeR]

console, ref: #7971, #7727.

[indutny]

Ack, thank you!

[indutny]

We have two LGTMs here, and general consensus. Going to land it in a bit if no objections will be mentioned.

[jasnell]

SGTM!

[evanlucas]

LGTM

[indutny]

Landed in 0f3f76c, thank you everyone! cc @nodejs/release

[jbergstroem]

Post-land-LGTM -- I think this is a great addition.

[yorkie]

use sh to keep consistent with others?

[indutny]

This is made in anticipation of other PR that will change the rest to console.

[jasnell]

Whoops, looks like we forgot to close this when it landed.