Sign all Git Commits

[paragonie-scott]

(Beating @rugk to the punch.)

Does PHPStorm support this? If not, I'm fine with switching to command line for each commit if it means better security.

[kelunik]

It also means no rebasing of existing PRs. Keep that in mind.

[rugk]

existing PRs

What? Is "existing" supposed to be a verb?

In any way you can merge PRs (not from GitHub's online interface though), but you can...

[kelunik]

What? Is "existing" supposed to be a verb?

of → or, typo.

In any way you can merge PRs (not from GitHub's online interface though), but you can...

I think you can merge via GitHub's interface, you just can't squash and rebase other PRs and force-push them to be up-to-date.

[rugk]

I mean when you merge via GitHubs web UI the merge commit is not signed. So that's the issue here.

Here are some resources about signing git commits:

• onionshare#221 (comment)
• It is also displayed on GitHub: https://github.com/blog/2144-gpg-signature-verification
• Here is GitHub's help for this: https://help.github.com/articles/generating-a-gpg-key/
• And here is how you can sign releases: https://wiki.debian.org/Creating%20signed%20GitHub%20releases

[kelunik]

@rugk Yes, right, the merge commit will not be signed. But I guess also most commits by other people making PRs won't be signed. Usually it's enough to sign releases. Everything else brings rather little benefit.

[rugk]

Yes, but if the merge commit is signed, all other commits included in this merge (so commits by other contributors) do not need to be signed. It just matters that the HEAD is signed.

[paragonie-scott]

I've been following the discussions elsewhere. I'm not entirely convinced that this is something we need to do today, but is certainly worth looking into down the line.