Open v1v opened 1 year ago
Not sure we could have anything verified even by cherry-picking the original commits, since the SHA-1s are going to change anyway and Mergify can't re-sign the commits using the original author's key. Or am I missing something?
Gotcha, I understand there is a limitation with the git flow itself, so nothing we can do about it.

For now, since Mergify can override the branch protection behaviour, we enabled auto-approval of those backported PRs with Mergify itself, so it works smoothly and nicely on our end.

Thanks Julien, I guess we can close this issue now.
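The two points above (a cherry-picked backport gets a new SHA-1 and cannot carry the original signature, and the team now auto-approves such PRs) are illustrated by the following added shell example, which is not part of this issue thread or of Mergify's code. It builds a constructed throwaway repository, backports a commit with `git cherry-pick -x` so the rewritten commit records the original SHA in its message, and then audits the backport: the trailer must point at a commit that exists, and git's `%G?` format reports the signature status of both the original and the rewritten commit. No signing key is configured in the constructed repo, so both commits report `N` here; in a real repository the original would report `G` while the rewritten backport still reports `N`, which is why an auto-approve rule should at least check that the recorded original is signed.

```shell
#!/bin/sh
# Added example (not from the issue thread): why a cherry-picked backport cannot
# keep the original commit signature, and how `git cherry-pick -x` leaves an
# auditable link back to the original (possibly signed) commit.
set -eu

# Constructed identity so commits succeed on a machine with no git config.
export GIT_AUTHOR_NAME=dev GIT_AUTHOR_EMAIL=dev@example.com
export GIT_COMMITTER_NAME=backport-bot GIT_COMMITTER_EMAIL=bot@example.com

# Create a constructed repository: one base commit shared by the default branch
# and a "release" branch, plus one "fix" commit on the default branch only.
# Prints the repository path.
setup_repo() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  echo base > "$repo/file"
  git -C "$repo" add file
  git -C "$repo" commit -q -m "base"
  git -C "$repo" branch release
  echo fix >> "$repo/file"
  git -C "$repo" commit -q -am "fix"
  echo "$repo"
}

# Backport the tip commit onto "release" with -x, which appends
# "(cherry picked from commit <sha>)" to the new commit's message.
# Prints the SHA of the rewritten (backport) commit.
backport() {
  repo=$1
  original=$(git -C "$repo" rev-parse HEAD)
  git -C "$repo" checkout -q release
  git -C "$repo" cherry-pick -x "$original" >/dev/null
  git -C "$repo" rev-parse HEAD
}

# Extract the original SHA recorded by -x from a backport commit's message.
# Prints nothing if the trailer is absent.
original_of() {
  git -C "$1" log -1 --format=%B "$2" \
    | sed -n 's/^(cherry picked from commit \([0-9a-f]*\))$/\1/p'
}

# Signature status letter from git's %G? placeholder: G good, B bad,
# U good but untrusted, N no signature, among others. A rewritten commit
# reports N regardless of whether the commit it was picked from was signed.
sig_status() {
  git -C "$1" log -1 --format=%G? "$2"
}

# Audit a backport: the trailer must name an existing commit; then print
# "<original> <status> <backport> <status>" so a reviewer (or a bot rule)
# can see whether the signed original is what the backport was taken from.
audit_backport() {
  repo=$1
  bp=$2
  orig=$(original_of "$repo" "$bp")
  [ -n "$orig" ] || { echo "no cherry-pick trailer on $bp" >&2; return 1; }
  git -C "$repo" cat-file -e "$orig^{commit}" \
    || { echo "recorded original $orig does not exist" >&2; return 1; }
  printf '%s %s %s %s\n' \
    "$orig" "$(sig_status "$repo" "$orig")" "$bp" "$(sig_status "$repo" "$bp")"
}

# Stand-alone demo run on a constructed repository.
demo_repo=$(setup_repo)
demo_backport=$(backport "$demo_repo")
audit_backport "$demo_repo" "$demo_backport"
```

Note that `-x` only records the original SHA in free text; the audit still has to confirm the referenced commit exists and check its own signature status, which is what `audit_backport` does before printing the line an approval rule would act on.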
@v1v we spent time digging into those features, but the value of the whole signature system is not really clear, especially with things like https://blog.mergify.com/un-signed-commits-how-we-found-a-non-security-bug-in-github/
Would it be possible to have more context about what's expected from the GitHub setting? Happy to schedule a chat with you or your (security) team.
Technical issue
https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification#signature-verification-for-bots