Our engineering standards are the things that we expect engineers to do. Look at the 'writing a standard' standard and provide some brief information below
What is the standard you are suggesting?
Everyone who commits code to Home Office source control systems must cryptographically sign their commits
What would be the benefit to the Home Office of adopting this standard?
This would enable traceability and accountability for the code that is created at the Home Office, and prevent impersonation when code is attributed to developers.
How might people follow it?
All engineers to create private/public key pairs and use the private key to sign their committed code
Engineering teams to enforce commit signing on their repositories so that they can verify the provenance of all code
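An added example of the enforcement side of this standard (it is not part of the proposal or of any Home Office tooling): a POSIX shell check a team could run from a server-side hook or CI job to reject any commit in a pushed range that does not carry a signature git reports as good. It assumes the machine running it already has git signature verification configured (GPG keys imported, or SSH signing with an allowed-signers file), since `%G?` only returns `G` when the key is known and trusted.

```shell
#!/bin/sh
# Hook-style commit signature gate (added example, not from the standard).
# Status letters come from git's %G? log placeholder (see "git help log",
# PRETTY FORMATS):
#   G = good, trusted signature      N = no signature
#   U = good signature, unknown key  B = bad signature
#   X/Y = signature/key expired      R = key revoked   E = cannot verify
# Assumption: verification is set up (gpg keyring, or gpg.format=ssh plus
# gpg.ssh.allowedSignersFile); without it every signed commit shows as E/U.

# Read "<hash> <status> [signer]" lines on stdin, print each rejected
# commit with a reason, and return 1 if any commit is not marked G.
check_signature_lines() {
    bad=0
    while read -r hash status rest; do
        [ -z "$hash" ] && continue
        case "$status" in
            G)   ;;  # good, trusted signature: accept
            N)   echo "REJECT $hash: unsigned commit"; bad=1 ;;
            U)   echo "REJECT $hash: signed by an untrusted/unknown key"; bad=1 ;;
            X|Y) echo "REJECT $hash: signature or signing key expired"; bad=1 ;;
            R)   echo "REJECT $hash: signing key revoked"; bad=1 ;;
            B|E) echo "REJECT $hash: bad signature or cannot verify"; bad=1 ;;
            *)   echo "REJECT $hash: unknown status '$status'"; bad=1 ;;
        esac
    done
    return $bad
}

# Check every commit in a revision range, e.g. "origin/main..HEAD" in CI or
# the "$oldrev..$newrev" a pre-receive hook is handed for each ref update.
# %GS appends the signer so the rejection log shows who the key belonged to.
check_range() {
    git log --format='%H %G? %GS' "$1" | check_signature_lines
}

# Pre-receive usage: git feeds one "oldrev newrev refname" line per ref.
# while read -r oldrev newrev refname; do
#     check_range "$oldrev..$newrev" || exit 1
# done
```

Because the gate runs on the server or in CI rather than on the developer's machine, it catches commits whose local signing configuration was skipped or misconfigured, which a client-side check cannot guarantee.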
Additional information
There are lots of useful guides for source control systems on how to set up commit signing:
- https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
- https://docs.gitlab.com/ee/user/project/repository/gpg_signed_commits/
- https://docs.gitlab.com/ee/user/project/repository/ssh_signed_commits/
- https://docs.github.com/en/enterprise-cloud@latest/authentication/managing-commit-signature-verification/signing-commits
- https://confluence.atlassian.com/bitbucketserver/using-gpg-keys-913477014.html
- https://confluence.atlassian.com/bitbucketserver/using-repository-hooks-776639836.html