
Linus (from 2009) on problems with signing every commit: http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-t...



General rule of thumb for secure package distribution:

1. Is the identifier mutable? Make sure it points to a content addressable identifier (SHA2), and sign that link.
2. Is it a content addressable identifier? Nothing to do.

When it comes to signing in git, signing tags is usually where you see the most value (mutable identifier that points to a git tree, which is content addressable).

You’re just trying to improve the trust in saying “Hey, v1.2 is this SHA digest”.
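As an added illustration of the rule above (example code, not from the comment and not git's own implementation): git's content addressable object id computed the way git does it, plus a check that a mutable ref like "v1.2" really is bound to that digest. An HMAC over the ref-to-digest link stands in for the GPG tag signature here; the key and sample content are constructed.

```python
import hashlib
import hmac


def git_object_id(kind: str, data: bytes) -> str:
    """Content-addressable id exactly as git computes it:
    sha1("<kind> <size>\\0" + payload). Same bytes => same id."""
    header = f"{kind} {len(data)}\0".encode()
    return hashlib.sha1(header + data).hexdigest()


def sign_link(secret: bytes, ref: str, object_id: str) -> str:
    """Sign the mutable link (ref name -> content id), not the content.
    HMAC is an assumption standing in for a GPG signature on a tag."""
    msg = f"{ref}={object_id}".encode()
    return hmac.new(secret, msg, "sha256").hexdigest()


def verify_release(secret: bytes, ref: str, claimed_id: str,
                   signature: str, content: bytes, kind: str = "blob") -> str:
    """Step 1: the signed link must match the ref/id pair we were handed
    (a moved ref without the key fails here). Step 2: the content must
    hash to that id (tampered bytes fail here, no signature needed)."""
    expected = sign_link(secret, ref, claimed_id)
    if not hmac.compare_digest(expected, signature):
        return "bad-link-signature"
    if git_object_id(kind, content) != claimed_id:
        return "content-mismatch"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: the maintainer tags content "hello\n" as v1.2.
    key = b"constructed-maintainer-key"
    good = b"hello\n"
    oid = git_object_id("blob", good)          # ce0136...464a, as `git hash-object`
    sig = sign_link(key, "v1.2", oid)
    print(verify_release(key, "v1.2", oid, sig, good))              # ok
    print(verify_release(key, "v1.2", oid, sig, b"hello!\n"))       # content-mismatch
    evil = git_object_id("blob", b"hello!\n")
    print(verify_release(key, "v1.2", evil, sig, b"hello!\n"))      # bad-link-signature
```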


He seems to be discouraging signing every commit's individual data but encouraging signing the actual commit ID (SHA1), which should be perfectly feasible for something like homebrew.


> Signing each commit is totally stupid. It just means that you automate it, and you make the signature worth less.


You're still getting a signature directly from the developer's machine, not from the repository server, and as such you're still vastly shrinking the attack surface.


It's really not that hard to type a password into the terminal every time you commit.


You have no idea how creative people get when faced with minor nuisances. I've seen devs/admins go to great lengths to avoid doing more than one 2FA per day.


Like this?

https://www.youtube.com/watch?v=AsNwon4fjqY

A publicly available webcam pointed at an RSA SecurID hardware token...

(The optimist in me hopes this was performance art. But I've worked with people who'd do that if it made their day ever so slightly easier...)



