david-thrower/cerebros-core-algorithm-alpha

add-verified-gpg-signature-to-git-settings

david-thrower opened this issue · 0 comments

Kind of issue: Process Change

After viewing a recent security tutorial and other sources, I am seeing that some frameworks require a local GPG signature for commits [1] before a commit can be merged in. We need to add to the CICD SOP or SOP-0001 a requirement that this setting be applied. The setting to create these signatures is easy to apply [2].

[1] https://garantir.io/three-frameworks-software-supply-chain-security/
[2] https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits
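
One way the requirement proposed in this issue could be enforced before merge, shown as an added example that is not part of the original issue or this repository's code: a CI gate that lists every commit in a range whose `git log` signature status (`%G?`) is anything other than `G`. The function names, the commit range passed in by CI, and the policy of accepting only `G` are assumptions; it also assumes the contributors' public keys are already imported and trusted in the runner's GPG keyring.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names, not project code).
# git's %G? status codes: G good, U good but unknown validity, B bad,
# N no signature, E cannot be checked (e.g. missing key),
# X good but expired signature, Y made by expired key, R made by revoked key.

# Read "<sha> <status>" lines on stdin and print each commit that is
# not fully verified. Assumed policy: only "G" passes.
filter_unverified() {
  local sha status
  while read -r sha status; do
    [ -n "$sha" ] || continue
    case "$status" in
      G) ;;                                        # verified, nothing to report
      *) printf '%s %s\n' "$sha" "${status:-N}" ;; # everything else is reported
    esac
  done
}

# Check every commit in a range such as "origin/main..HEAD".
# Returns 0 if all commits verify, 1 if any do not, and 2 if git itself
# failed, so a bad range or missing repository cannot pass the gate.
check_range() {
  local range="$1" log bad
  log="$(git log --format='%H %G?' "$range")" || return 2
  bad="$(printf '%s\n' "$log" | filter_unverified)"
  if [ -n "$bad" ]; then
    echo "Commits without a verified signature:" >&2
    echo "$bad" >&2
    return 1
  fi
  return 0
}

# Usage in a CI step (range is an assumption; use the PR base and head):
#   check_range "origin/main..HEAD" || exit 1
```

On the contributor side, signing is switched on with `git config --global user.signingkey <KEY-ID>` and `git config --global commit.gpgsign true`, where `<KEY-ID>` is a placeholder for the contributor's own key.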