paragonie / airship

Secure Content Management for the Modern Web - "The sky is only the beginning"
https://cspr.ng

Sign all Git Commits #150

Open paragonie-scott opened 8 years ago

paragonie-scott commented 8 years ago

(Beating @rugk to the punch.)

Does PHPStorm support this? If not, I'm fine with switching to command line for each commit if it means better security.

kelunik commented 8 years ago

It also means no rebasing of existing PRs. Keep that in mind.

rugk commented 8 years ago

existing PRs

What? Is "existing" supposed to be a verb?

In any way you can merge PRs (not from GitHub's online interface though), but you can...

kelunik commented 8 years ago

What? Is "existing" supposed to be a verb?

of → or, typo.

In any way you can merge PRs (not from GitHub's online interface though), but you can...

I think you can merge via GitHub's interface, you just can't squash and rebase other PRs and force-push them to be up-to-date.

rugk commented 8 years ago

I mean when you merge via GitHub's web UI, the merge commit is not signed. So that's the issue here.

Here are some resources about signing git commits:

kelunik commented 8 years ago

@rugk Yes, right, the merge commit will not be signed. But I guess also most commits by other people making PRs won't be signed. Usually it's enough to sign releases. Everything else brings rather little benefit.

rugk commented 8 years ago

Yes, but if the merge commit is signed, all other commits included in this merge (so commits by other contributors) do not need to be signed. It just matters that the HEAD is signed.
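The points raised above (enabling signing for your own commits, and checking whether a given commit, in particular the merge commit at HEAD, actually carries a signature) can be scripted. The following is an added example written for this discussion, not code from the airship project or from any commenter; it assumes `git` is installed, and `PLACEHOLDER_KEY_ID` stands in for a real signing key ID. The audit functions only read the status letter git reports for each commit, so they work even on a machine without the signer's public key (such commits show `E`, unsigned ones `N`).

```shell
#!/bin/sh
# Added example (not part of the paragonie/airship thread): turn on commit
# signing for a clone and audit a repository's history for unsigned commits,
# which is how an unsigned web-UI merge commit would be spotted.

# Enable signing of every commit made from this clone (stored in the repo's own
# config, not globally). key_id is expected to be the signer's GPG key ID; the
# value used in the usage line below is a placeholder.
enable_commit_signing() {
    repo="$1"
    key_id="$2"
    git -C "$repo" config user.signingkey "$key_id"
    git -C "$repo" config commit.gpgsign true
}

# Print the signature status letter git reports for one commit (%G?):
#   G good, B bad, U good but untrusted, X expired, Y expired key, R revoked,
#   E cannot check (e.g. public key missing), N no signature at all.
commit_signature_status() {
    repo="$1"
    rev="$2"
    git -C "$repo" log -1 --format='%G?' "$rev"
}

# List, one hash per line, every commit in the range that carries no signature.
# Merge commits created from a web UI show up here like any other commit.
unsigned_commits() {
    repo="$1"
    range="$2"
    git -C "$repo" log --format='%H %G?' "$range" | awk '$2 == "N" { print $1 }'
}

# Succeed (exit 0) only if HEAD has a good signature from a trusted key.
# This is the check rugk describes: if HEAD is signed, the history it covers
# is vouched for by the signer.
head_is_signed() {
    repo="$1"
    status=$(commit_signature_status "$repo" HEAD)
    [ "$status" = "G" ]
}

# Usage (run against a clone at ./airship; key ID is a placeholder):
#   enable_commit_signing ./airship PLACEHOLDER_KEY_ID
#   unsigned_commits ./airship origin/master..HEAD
#   head_is_signed ./airship && echo "HEAD is signed"
```

Note that `%G?` is resolved by git itself: a commit with no `gpgsig` header is reported as `N` without ever calling gpg, so the audit is cheap and does not depend on the verifier's keyring; only distinguishing `G` from `U` or `E` requires the signer's key to be present and trusted.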

paragonie-scott commented 8 years ago

I've been following the discussions elsewhere. I'm not entirely convinced that this is something we need to do today, but is certainly worth looking into down the line.