Requiring GPG-signed commits?

What do people think … Should we require commits to be signed with GPG keys when GitLab support is enabled? What are the benefits and drawbacks? Details here:

I think doing it with a username is good enough to verify the person. Adding GPG keys just makes things complicated for the new contributor. We want to keep the entry point for new developers as low as possible.


We should encourage it, but not require it.

Also you do realize it’s so easy to fudge git author data, right? I can impersonate Linus Torvalds if I wanted to. This is why GPG commit signing is a good thing. You know it was me and not some other guy.
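The check a maintainer would put behind that point, as an added example that is not from this thread: a CI or pre-receive style script that lists each commit's signature status and rejects a revision range unless every commit carries a good GPG signature. It assumes only that git is installed; the throwaway repo and its author fields are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the thread. Requires git on PATH.

# One line per commit: <hash> <signature status> <author>.
# %G? is 'G' for a good signature, 'N' for no signature, 'B' for a bad one,
# 'U' for good but untrusted key, 'E' if the signature could not be checked.
commit_signature_status() {
  git -C "$1" log --format='%H %G? %an <%ae>' "$2"
}

# Return 0 only if every commit reachable from the revision has status G;
# otherwise print the offenders to stderr and return 1 (reject the push).
require_signed_commits() {
  repo=$1; rev=$2
  unsigned=$(commit_signature_status "$repo" "$rev" | awk '$2 != "G"')
  if [ -n "$unsigned" ]; then
    printf 'rejected: unsigned or untrusted commits:\n%s\n' "$unsigned" >&2
    return 1
  fi
  return 0
}

# Demo repo (constructed): one commit whose author/committer fields are simply
# asserted via environment variables. Git records whatever it is told, so the
# name alone proves nothing; only the signature status does.
make_demo_repo() {
  dir=$(mktemp -d)
  git init -q "$dir"
  echo hello > "$dir/README"
  git -C "$dir" add README
  GIT_AUTHOR_NAME='Some Maintainer' GIT_AUTHOR_EMAIL='maintainer@example.invalid' \
  GIT_COMMITTER_NAME='Some Maintainer' GIT_COMMITTER_EMAIL='maintainer@example.invalid' \
    git -C "$dir" commit -q -m 'constructed unsigned commit'
  echo "$dir"
}

# Stand-alone run: the unsigned commit is listed with status N and rejected.
demo=$(make_demo_repo)
commit_signature_status "$demo" HEAD
require_signed_commits "$demo" HEAD || echo "push would be refused"
```

In a real hook the second argument is the pushed range (old..new); with gpg installed and the signing key in the server's keyring, signed commits show G and pass.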

I agree, this is a good idea! Can you do a GPG-signed commit when using the GitLab user interface? I suppose not :( And with every git commit, the author and committer information are stored differently. The username for the push is stored when authenticating to GitHub/GitLab.

GitLab doesn’t support it sadly…GitHub does…I’m still doing it.

GitHub only supports it if I commit using the CLI…primarily because I didn’t give them my private key…and I’d never do that…I don’t even give Keybase my private key. The security risk is too much.

Additional interesting comments here:

https://news.ycombinator.com/item?id=11432914

There’s an open merge request for adding GPG-signed commits – I’ve been following it. Still – all my commits are signed – and have been for a while now. If I edit using either github.com or gitlab.com then no, it won’t be signed – I don’t trust them enough to give them my private key – and nobody should.