Open jenstroeger opened 2 years ago
I'm open to it, the flag should be provided as a setting as well.
In principle signing commits and verifying their signatures later is a great idea. However, like the Signing Your Work section of the git documentation states:

> Everyone Must Sign
>
> Signing tags and commits is great, but if you decide to use this in your normal workflow, you’ll have to make sure that everyone on your team understands how to do so.

And also:

> This command uses GPG to verify the signature. You need the signer’s public key in your keyring for this to work properly: […]

So, while we could probably add support for this to `cz`, the user of this feature would actually need to understand the larger context and requirements for using it. See also the Verifying signed git commits? discussion on Stack Overflow.
I think a section in the tutorials for "Working with signed commits" could help a lot, within the context of commitizen, crafted specially around a team requiring this flag: `--require-signed-commits`.
Enforcing GPG signatures for all local commits + commits detected for example by the CI pipeline could be interesting.

However, to avoid a requirement of all public keys, it could be split into two steps:

- `--require-signed-commits`: Validate all commits have a GPG signature key
- `--require-known-signatures`: Validate all commits have a known GPG signature key

Example of `git log --show-signature` with local test keys for #347:
```
commit 86fec63b8cbe091a8c3634fb53f6b17ee6f3a003 (HEAD -> master)
+gpg: Signature made Thu Aug 22 00:58:11 2024 UTC
+gpg:                using RSA key 869BF1DE64A47C3CA620CC7BBC48BD5325580A88
+gpg: Good signature from "Your Name <you@example.com>" [ultimate]
Author: Your Name <you@example.com>
Date:   Thu Aug 22 00:58:10 2024 +0000

    fix: test

    test

commit 33e0a4f30ec64dba45025327099fa6434828bb01
-gpg: Signature made Thu Aug 22 00:45:29 2024 UTC
-gpg:                using RSA key B5223F050566C58849C4F8B36CCA433D9CD0572E
-gpg: Can't check signature: No public key
Author: Your Name <you@example.com>
Date:   Thu Aug 22 00:45:29 2024 +0000

    fix(test): test
```
### Description

To increase trust in commits, particularly in the context of current software supply-chain issues, it may be useful to enforce signed commits with various `cz` commands. To maintain backwards compatibility, this should be an opt-in feature. For example, would fail if one or more of the commits for the change are unsigned.

### Possible Solution

Iterate over the commits of a change set and use `git verify-commit <SHA>`.

### Additional context

Of the current commitizen commands, the proposed, optional command-line switch `--require-signed-commits` could also be useful to `commit`, `bump`, `changelog`, and `check`.
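The following is an added example, not commitizen's own code and not written by any participant in this issue. It shows how the "Possible Solution" above (iterate over the commits of a change set and run `git verify-commit`) can be combined with the two-step split proposed in the comments (`--require-signed-commits` versus `--require-known-signatures`). It relies on `git verify-commit --raw`, which writes gpg's machine-readable status lines (`[GNUPG:] GOODSIG …`, `[GNUPG:] NO_PUBKEY …`) to stderr; the sample status texts, the `violations()`/`check_range()` helpers and the `deadbee` placeholder SHA are constructed for this example and are not commitizen's API. Parsing is kept separate from the subprocess call so the policy logic can be exercised without git or gpg installed.

```python
import subprocess
from enum import Enum


class SigStatus(Enum):
    """Outcome of verifying one commit's signature."""
    UNSIGNED = "no signature"
    UNKNOWN_KEY = "signed, but the key is not in the local keyring"
    REJECTED = "signed, but gpg rejected the signature"
    GOOD = "good signature from a known key"


def classify_gpg_status(returncode: int, raw_status: str) -> SigStatus:
    """Map the gpg status lines that `git verify-commit --raw` writes to
    stderr onto a SigStatus.

    An unsigned commit produces no status lines at all (git never invokes
    gpg) and a non-zero exit code, so "no tokens" means "unsigned".
    """
    tokens = {
        line.split()[1]
        for line in raw_status.splitlines()
        if line.startswith("[GNUPG:] ") and len(line.split()) > 1
    }
    if "GOODSIG" in tokens and returncode == 0:
        return SigStatus.GOOD
    if "NO_PUBKEY" in tokens:
        return SigStatus.UNKNOWN_KEY      # the case "Can't check signature" above
    if tokens:
        # BADSIG, EXPKEYSIG, REVKEYSIG, or a GOODSIG that git still rejected
        # (e.g. trust below gpg.minTrustLevel)
        return SigStatus.REJECTED
    return SigStatus.UNSIGNED


def verify_commit(sha: str) -> SigStatus:
    """Run `git verify-commit --raw` for one commit (needs git and gpg)."""
    proc = subprocess.run(["git", "verify-commit", "--raw", sha],
                          capture_output=True, text=True)
    return classify_gpg_status(proc.returncode, proc.stderr)


def commits_in_range(rev_range: str) -> list[str]:
    """SHAs in a revision range such as 'v1.0.0..HEAD', oldest first."""
    proc = subprocess.run(["git", "rev-list", "--reverse", rev_range],
                          capture_output=True, text=True, check=True)
    return proc.stdout.split()


def violations(statuses: dict[str, SigStatus],
               require_known: bool) -> list[tuple[str, SigStatus]]:
    """Commits that fail the chosen policy (hypothetical helper).

    require_known=False -> --require-signed-commits: any signature passes.
    require_known=True  -> --require-known-signatures: only GOOD passes.
    """
    allowed = {SigStatus.GOOD} if require_known else {SigStatus.GOOD, SigStatus.UNKNOWN_KEY}
    return [(sha, st) for sha, st in statuses.items() if st not in allowed]


def check_range(rev_range: str, require_known: bool = False) -> list[tuple[str, SigStatus]]:
    """End-to-end check of a change set against a real repository."""
    statuses = {sha: verify_commit(sha) for sha in commits_in_range(rev_range)}
    return violations(statuses, require_known)


# Constructed gpg status output modelled on the two commits in the
# `git log --show-signature` excerpt above; not captured from a real run.
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 869BF1DE64A47C3CA620CC7BBC48BD5325580A88 0
[GNUPG:] GOODSIG BC48BD5325580A88 Your Name <you@example.com>
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""
NO_PUBKEY_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 6CCA433D9CD0572E 1 8 00 1724287529 9 B5223F050566C58849C4F8B36CCA433D9CD0572E
[GNUPG:] NO_PUBKEY 6CCA433D9CD0572E
"""


def demo() -> dict[str, list[tuple[str, SigStatus]]]:
    """Apply both policies to three cases: good, unknown key, unsigned."""
    statuses = {
        "86fec63": classify_gpg_status(0, GOOD_STATUS),
        "33e0a4f": classify_gpg_status(1, NO_PUBKEY_STATUS),
        "deadbee": classify_gpg_status(1, ""),   # placeholder SHA: unsigned commit
    }
    return {
        "--require-signed-commits": violations(statuses, require_known=False),
        "--require-known-signatures": violations(statuses, require_known=True),
    }


if __name__ == "__main__":
    for flag, bad in demo().items():
        print(flag, "->", [(sha, st.value) for sha, st in bad] or "all commits pass")
```

With the sample data, the signed-only policy rejects just the unsigned placeholder commit, while the known-signatures policy also rejects the commit whose key is missing from the keyring, which is exactly the distinction the comment above wants to keep separate so that teams are not forced to distribute every contributor's public key.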