UKHomeOffice / engineering-guidance-and-standards

Engineering Guidance and Standards for the Home Office
https://engineering.homeoffice.gov.uk
MIT License

Create 'Signing code commits' standard #245

Closed edhamiltonHO closed 1 year ago

edhamiltonHO commented 1 year ago

Our engineering standards are the things that we expect engineers to do. Look at the 'writing a standard' standard and provide some brief information below.

What is the standard you are suggesting?
Everyone who commits code to Home Office source control systems must cryptographically sign their commits.

What would be the benefit to the Home Office of adopting this standard?
This would enable traceability and accountability for the code that is created at the Home Office, and prevent impersonation when code is attributed to developers.

How might people follow it?
- All engineers to create private/public key pairs and use the private key to sign their committed code.
- Engineering teams to enforce commit signing on their repositories so that they can verify the provenance of all code.

Additional information
There are lots of useful guides for source control systems on how to set up commit signing:
- https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
- https://docs.gitlab.com/ee/user/project/repository/gpg_signed_commits/
- https://docs.gitlab.com/ee/user/project/repository/ssh_signed_commits/
- https://docs.github.com/en/enterprise-cloud@latest/authentication/managing-commit-signature-verification/signing-commits
- https://confluence.atlassian.com/bitbucketserver/using-gpg-keys-913477014.html
- https://confluence.atlassian.com/bitbucketserver/using-repository-hooks-776639836.html

Please confirm the below