Requiring GPG-signed commits?


(Michael Downey) #1

What do people think … Should we require commits to be signed with GPG keys when GitLab support is enabled? What are the benefits and drawbacks? Details here:


(Saptarshi Purkayastha) #2

I think doing it with the username is good enough to verify the person. Adding GPG keys just makes things complicated for the new contributor. We want to keep the entry point for new developers as low as possible.


(Robby O'Connor) #3

We should encourage it, but not require it.


(Robby O'Connor) #4

Also you do realize it’s so easy to fudge git author data, right? I can impersonate Linus Torvalds if I wanted to. This is why GPG commit signing is a good thing. You know it was me and not some other guy.
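
As an added example (not code from this thread), here is a POSIX shell helper of the kind a CI job or pre-receive hook would run if signed commits were required: it reads git's per-commit signature status (`%G?` from `git log`) and fails when any commit in a range is unsigned or carries a bad, expired, revoked, or uncheckable signature. The names `check_signatures` and `check_range` are hypothetical, and treating an untrusted key as a warning rather than a failure is an assumed policy.

```shell
#!/bin/sh
# Hypothetical helper: classify commits by git's %G? signature status.
# Codes per git-log(1): G good, B bad, U good but key untrusted,
# X good but signature expired, Y good but key expired, R good but key
# revoked, E cannot check (key missing), N no signature.

# Reads lines of "<hash> <status>" on stdin, prints offenders,
# returns 1 if any commit fails the policy.
check_signatures() {
    bad=0
    while read -r hash status; do
        [ -z "$hash" ] && continue
        case "$status" in
            G) ;;                                        # good, trusted signature
            U) printf 'WARN %s: signed, but key is not trusted\n' "$hash" ;;  # assumed policy: warn only
            N) printf 'FAIL %s: unsigned commit\n' "$hash"; bad=1 ;;
            B) printf 'FAIL %s: bad signature\n' "$hash"; bad=1 ;;
            E) printf 'FAIL %s: signature cannot be checked (key missing)\n' "$hash"; bad=1 ;;
            X|Y|R) printf 'FAIL %s: expired or revoked key\n' "$hash"; bad=1 ;;
            *) printf 'FAIL %s: unknown status "%s"\n' "$hash" "$status"; bad=1 ;;
        esac
    done
    return $bad
}

# Live use inside a repository: check every commit a merge request adds
# on top of the target branch, e.g. check_range origin/master HEAD
check_range() {
    git log --format='%H %G?' "$1..$2" | check_signatures
}
```

Because `%G?` only reports G for keys git already trusts, the verifying host needs the contributors' public keys imported before this check is meaningful.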


(Saptarshi Purkayastha) #5

I agree, this is a good idea! Can you do GPG commit when using the Gitlab user-interface? I suppose not :frowning: And with every git commit, the author and committer information are stored differently. The username for the push is stored when authenticating to github/gitlab.


(Robby O'Connor) #6

gitlab doesn’t support it sadly…github does…I’m still doing it.

GitHub only supports it if I commit using the CLI…primarily because I didn’t give them my private key…and I’d never do that…I don’t even give keybase my private key. Security risk is too much.


(Michael Downey) #7

Additional interesting comments here:

https://news.ycombinator.com/item?id=11432914


(Robby O'Connor) #8

There’s an open Merge Request on for adding GPG signed commits – I’ve been following it. Still – all my commits are signed – and have been for a while now. If I edit using either github.com/gitlab.com then no, it won’t be signed – I don’t trust them enough to give them my private key – and nobody should.