Huh, anyone know about git signing and how I messed up pex release? https://github.com/pantsbuild/pex/issues/1701 I followed RELEASE.rst and used pgp key i use for github & pants pypi releases

relative to the other releases, it looks like maybe the tag isn’t signed?

i ran

git tag --sign -am 'Release 2.1.29' v2.1.29

, weird

…hm. yea, that’s sus

i gtg but will try to redo this once i figure out how to edit a tag

I'm out tomorrow (and most of the weekend) as well

Have good weekends all!

cc @enough-analyst-54434 is the

-a

still correct?

@hundreds-father-404: he responded on https://github.com/pantsbuild/pex/issues/1701#issuecomment-1086296236

yay John helped me to figure it out! FYI https://github.com/pantsbuild/pex/issues/1701#issuecomment-1088053218

A bit more to do there, but this might be something we should require all Pants releasers to set up. Working on an Apache project was good for getting you thinking about the OSS ecosystem, GitHub not so much. Maybe we can even have a key signing party! I'm still not linked into the web of trust. Maybe one of us knows someone?

That would be great! Our pants release docs only mention PGP keys with github. And github docs do not mention publishing your key anywhere. So I might not be the only one with this issue