blueprint-freespeech / ricochet-refresh

Anonymous peer-to-peer instant messaging
https://www.ricochetrefresh.net

[Request] Sign the source code #79

Closed beantaco closed 2 years ago

beantaco commented 3 years ago

Threats against software development projects are on the rise, and this problem is especially important for privacy tools like Ricochet Refresh.

Currently, it appears no commits are signed. My understanding is it's therefore possible for someone to make commits while impersonating developers. Further, it's possible for anyone to add/modify/remove unsigned commits to make changes to the code. These attacks could be done to compromise the project entirely or to target individual users.

Git allows users to verify and automatically sign commits and tags.

# Information about key
[user]
  name = <name>
  email = <email>
  signingKey = <fingerprint>

# Aliases for convenience :-)
[alias]
  stag = tag --sign
  vlog = log --show-signature
  vshow = show --show-signature

# Sign commits (git commit -S)
[commit]
  gpgSign = true

# Sign annotated tags (git tag -S)
[tag]
  gpgSign = true  # git >= 2.23. Use `git stag` otherwise
  forceSignAnnotated = true

I am no expert on signing source code and integrating that into a development workflow with the aim of security, so I can't make a recommendation of signing commits vs signing merges vs signing tags. However, I suspect all commits should be signed in order to prevent the attacks I describe above. Further security measures may also be necessary, like requiring at least X number of devs review commits before accepting merges, whitelisting accepted keys and doing key rotation securely. I understand that resolving this issue is potentially tricky due to the need to manage keys, decide on a strategy and retroactively check and sign all existing commits.

If anyone knows what may be best practice, please comment. :-)
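A verification-side counterpart to the signing config above, added here as an example and not code from the ricochet-refresh project: a POSIX shell audit that checks every commit in a range for a good signature from an allowlisted key fingerprint (the fingerprints and sample log lines are constructed placeholders).

```shell
#!/bin/sh
# Added example, not code from the ricochet-refresh project: audit commits for
# signatures from an allowlist of key fingerprints. The allowlist and sample
# log lines below are constructed placeholders.
#
# `git log --format='%H %G? %GF'` prints per commit: hash, signature status
# (%G?: G=good, U=good but key not trusted in the keyring, B=bad, X/Y=expired,
# R=revoked, E=cannot check, N=unsigned) and the fingerprint of the signing
# (sub)key (%GF; use %GP instead if the allowlist holds primary-key fingerprints).

ALLOWED_KEYS="AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555 9999888877776666555544443333222211110000"

# check_log <allowlist>: reads '%H %G? %GF' lines on stdin, prints one line
# per commit, returns 0 only if every commit carries a good signature (G or U,
# since the allowlist, not the keyring's trust db, is the trust decision here)
# made with an allowlisted fingerprint.
check_log() {
    allowed="$1"
    bad=0
    while read -r hash status fpr; do
        [ -n "$hash" ] || continue
        case "$status" in
            G|U) ;;
            N)   echo "FAIL $hash: unsigned"; bad=1; continue ;;
            *)   echo "FAIL $hash: signature status $status"; bad=1; continue ;;
        esac
        case " $allowed " in
            *" $fpr "*) echo "ok   $hash signed by $fpr" ;;
            *)          echo "FAIL $hash: key $fpr not in allowlist"; bad=1 ;;
        esac
    done
    return "$bad"
}

# audit_range <allowlist> <revision-range>: run check_log on a live repository,
# e.g. audit_range "$ALLOWED_KEYS" v3.0.11-release..HEAD
audit_range() {
    git log --format='%H %G? %GF' "$2" | check_log "$1"
}

# Constructed sample: signed by an allowlisted key, unsigned, signed by an
# unknown key, and a bad signature made with an allowlisted key.
SAMPLE_LOG='1111111111111111111111111111111111111111 G AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555
2222222222222222222222222222222222222222 N
3333333333333333333333333333333333333333 G 0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF
4444444444444444444444444444444444444444 B AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555'

printf '%s\n' "$SAMPLE_LOG" | check_log "$ALLOWED_KEYS" || echo "audit failed: 3 of 4 commits rejected"
```

Run it in CI against the range since the last signed release tag so an unsigned or foreign-key commit fails the build rather than being noticed after merge.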

pospeselr commented 2 years ago

v3.0.11-release tag is signed by moi and we will sign all future release tags going forward.