A signed tag is a cryptographically signed source control tag used to mark a verified release or important repository state. It matters because teams need stronger assurance that the source state used for release has not been swapped or spoofed.
What is a Signed Tag?
Signed tags help anchor release references to a verified signer and make it easier to validate that a deployed version maps to the intended source checkpoint. They are especially helpful in release pipelines and audit-sensitive repositories.
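One way a release pipeline can enforce this, shown as an added example rather than code from this page: accept a tag only if it carries a valid OpenPGP signature from an allowlisted key, then build the exact commit it points to. The function names, the `ALLOWED_FPRS` variable and the placeholder fingerprint are assumptions, as is the signers' public keys already being in the build host's keyring.

```shell
# Space-separated primary key fingerprints of permitted release signers.
# The default is a constructed placeholder, not a real key.
ALLOWED_FPRS="${ALLOWED_FPRS:-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}"

# Read GnuPG status lines on stdin. Print the signer's primary key fingerprint
# only if the signature is valid and not bad, expired or from a revoked key.
signer_from_status() {
  awk '
    $1 != "[GNUPG:]" { next }
    $2 == "VALIDSIG" { fpr = (NF >= 12) ? $12 : $3 }   # field 12: primary key
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    END { if (fpr == "" || bad) exit 1; print fpr }
  '
}

# Succeed only if the fingerprint is on the allowlist.
signer_allowed() {
  local fpr="$1" allowed
  for allowed in $ALLOWED_FPRS; do
    [ "$fpr" = "$allowed" ] && return 0
  done
  return 1
}

# Verify a release tag and print the commit it anchors.
verify_release_tag() {
  local tag="$1" status fpr
  # A lightweight tag is only a ref to a commit and cannot carry a signature.
  [ "$(git cat-file -t "refs/tags/$tag" 2>/dev/null)" = "tag" ] ||
    { echo "not an annotated tag: $tag" >&2; return 1; }
  # --raw makes git print GnuPG status lines on stderr; capture only those.
  status="$(git verify-tag --raw "$tag" 2>&1 >/dev/null)" || true
  fpr="$(printf '%s\n' "$status" | signer_from_status)" ||
    { echo "no valid signature on $tag" >&2; return 1; }
  signer_allowed "$fpr" ||
    { echo "signer $fpr is not an allowlisted release key" >&2; return 1; }
  # Resolve to the commit so the build checks out that object, not a movable name.
  git rev-parse --verify "refs/tags/$tag^{commit}"
}

# Run as a script: pass the tag name as the first argument.
if [ $# -gt 0 ]; then verify_release_tag "$1"; fi
```

Checking the signer against an allowlist matters because a signature that merely verifies only proves that some key in the keyring signed the tag, not that a release owner did.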
What Signed Tags Commonly Support
Common uses include release governance, source verification, deployment tracing, and build provenance.
Signed Tag vs. Unsigned Release Marker
A signed tag gives stronger evidence about who marked the release state. An unsigned marker is easier to forge or reinterpret.
Frequently Asked Questions
Why sign release tags?
Because a release reference is a trust boundary between source history and the creation of shipped artifacts.
How does a signed tag relate to artifact signing?
The tag anchors trusted source state, while artifact signing protects the built output derived from that state.