CC: to Simon, who has a special interest in supply-chain security.

This is a comment to both:

Bug#839866 import-orig: please make --upstream-vcs-tag=... verify tag signatures
Bug#980927 import-ref: Check tag signatures
The function to verify git tags is already in https://salsa.debian.org/agx/git-buildpackage/-/commit/07b86440438286a03ffa7b314534f9bbb3d0a805 but it is currently not being used anywhere.

I wish that gbp import-ref and gbp import-orig, *if* gbp.conf:upstream-vcs-tag is set, would automatically attempt to run `git verify-tag` and emit a warning if the upstream tag does not have a signature, encouraging Debian maintainers to ask upstream to start using signed git tags. When the upstream tag does have a signature, gbp would emit a warning if the tag wasn't signed with `debian/upstream/signing-key.asc`.

Additionally, there should be a new config option `upstream-git-signatures`, which if set would make the warnings errors and refuse to import if the tag was not signed or the key didn't match.

In some cases the `debian/upstream/signing-key.asc` might be a release CI key, while the git tags might be signed by individual authors. Thus we might also need to support something like `debian/upstream/signing-keyring.asc` that has all valid upstream release tag authors.
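As an added illustration of the policy proposed in this report (this is example code, not gbp's own implementation or the function in the linked commit): it runs `git verify-tag --raw`, which writes GnuPG status lines to stderr, parses them, and compares the signing fingerprints against the fingerprints found in `debian/upstream/signing-key.asc` (read with `gpg --with-colons --import-options show-only`). An unsigned tag or a signer not in the key file yields a warning, or an error when the strict flag stands in for the proposed `upstream-git-signatures` option. The function names `parse_gpg_status`, `evaluate` and `check_upstream_tag`, and the sample status output, are constructed for this example.

```python
"""Example: verify an upstream git tag against the packaged upstream key(s).

Added illustration for the proposal above, not gbp's own code. The status
and --with-colons samples below are constructed test input, not real keys.
"""
import subprocess
import sys
from dataclasses import dataclass, field


@dataclass
class TagSignature:
    signed: bool = False        # any signature status line seen (good, bad or unverifiable)
    good: bool = False          # GOODSIG: signature verified against a key in the keyring
    key_id: str = ""            # long key id from GOODSIG/ERRSIG
    signer: str = ""            # user id from GOODSIG
    fingerprints: set = field(default_factory=set)  # signing and primary fprs from VALIDSIG


def parse_gpg_status(status_text):
    """Parse GnuPG --status-fd lines as emitted on stderr by `git verify-tag --raw`."""
    sig = TagSignature()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # e.g. "error: no signature found" for an unsigned tag
        keyword = fields[1]
        if keyword in ("GOODSIG", "BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "ERRSIG"):
            sig.signed = True
            sig.key_id = fields[2] if len(fields) > 2 else ""
        if keyword == "GOODSIG":
            sig.good = True
            sig.signer = " ".join(fields[3:])
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved> <pkalgo> <hashalgo> <class> [<primary fpr>]
            sig.fingerprints.add(fields[2].upper())
            if len(fields) >= 12:
                sig.fingerprints.add(fields[11].upper())
    return sig


def fingerprints_from_colons(colons_text):
    """Collect fingerprints from `gpg --with-colons` output (fpr:::::::::<FPR>: records)."""
    fprs = set()
    for line in colons_text.splitlines():
        parts = line.split(":")
        if parts[0] == "fpr" and len(parts) > 9 and parts[9]:
            fprs.add(parts[9].upper())
    return fprs


def evaluate(sig, allowed_fingerprints, strict=False):
    """Apply the proposed policy; returns (level, message), level in ok/warning/error."""
    level = "error" if strict else "warning"
    allowed = {f.replace(" ", "").upper() for f in allowed_fingerprints}
    if not sig.signed:
        return level, "upstream tag is not signed; consider asking upstream to sign release tags"
    if not sig.good:
        return level, f"upstream tag signature by key {sig.key_id} could not be verified (key missing or bad signature)"
    if not sig.fingerprints & allowed:
        return level, f"upstream tag signed by {sig.signer} ({sig.key_id}), not by a key in debian/upstream/signing-key.asc"
    return "ok", f"upstream tag signed by {sig.signer} ({sig.key_id})"


def check_upstream_tag(tag, keyfile="debian/upstream/signing-key.asc", strict=False):
    """Check a tag in the current repository against the packaged upstream key file."""
    shown = subprocess.run(
        ["gpg", "--batch", "--dry-run", "--with-colons", "--import-options", "show-only",
         "--import", keyfile], capture_output=True, text=True, check=True)
    allowed = fingerprints_from_colons(shown.stdout)
    # A nonzero exit (unsigned tag, unknown key) is expected input for the policy,
    # so do not raise on it; the status lines are on stderr.
    verified = subprocess.run(["git", "verify-tag", "--raw", tag], capture_output=True, text=True)
    return evaluate(parse_gpg_status(verified.stderr), allowed, strict)


# Constructed samples of what the two tools emit (fingerprints are made up).
SAMPLE_GOOD = """[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 0123456789ABCDEF0123456789ABCDEF01234567 0
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Upstream <release@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 22 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_UNSIGNED = "error: no signature found\n"
SAMPLE_UNKNOWN_KEY = """[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 89ABCDEF01234567 22 8 00 1704067200 9 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] NO_PUBKEY 89ABCDEF01234567
"""
SAMPLE_COLONS = """pub:-:4096:1:89ABCDEF01234567:1704067200:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1704067200::0000000000000000000000000000000000000000::Example Upstream <release@example.org>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1704067200::::::s::::::23:
fpr:::::::::76543210FEDCBA9876543210FEDCBA9876543210:
"""

if __name__ == "__main__":
    # Usage: python3 check_tag.py <upstream-tag> [--strict]
    lvl, msg = check_upstream_tag(sys.argv[1], strict="--strict" in sys.argv[2:])
    print(f"{lvl}: {msg}")
    sys.exit(1 if lvl == "error" else 0)
```

Subkey fingerprints are deliberately kept from the key file's `fpr` records, since `VALIDSIG` reports the signing subkey as well as the primary key; a `signing-keyring.asc` with several upstream authors, as suggested above, would simply contribute more fingerprints to the same allowed set.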