splitsh/lite

GPG signature is missing

mxr576 opened this issue · 7 comments

I have GPG signed commits in the monorepo but the commits in the read-only splits are not signed. Is it a missing feature or am I doing something wrong?

I guess this tool is being used to manage Symfony's monorepo and, if I am not mistaken, the same problem exists there. Commits are only signed in the monorepo but not in a split.

symfony/symfony@84b3359

vs.

symfony/web-profiler-bundle@cf4ed73

I don't think we can keep the signature as the commit is different (so the signature would be different).

Yes, this is what I thought after I realized that split creates new commits. Although, if someone knows a way to keep it, that would be super cool.

That's impossible. That would mean the new commit needs to be signed (and we would need the PGP key for that). Let's close.

Hi,

Sorry for digging up this topic. I also have mono-repo/many-repo split with gitsplit (thank you for this great tool by the way) and have the same concern.
In particular, I recently noted the supply chain attack on Packagist and read about several ideas on Composer (here and here).

That's impossible. That would mean the new commit needs to be signed (and we would need the PGP key for that). Let's close.

I am not sure it is impossible. In order to ease the release process, I use a GitHub action where the GPG private key is passed as an env var.
Tell me if I am wrong, but gitsplit should be able to do the same and sign all commits and tags it creates.

With the signatures, it should also be possible to prevent supply chain attacks by having a list of trusted organisation key thumbprints or hashes.

stof commented

@Spomky but if the splitter signs automatically all commits it creates, you would always have signed commits in the subtree split even if a supply chain attack allowed an attacker to inject a commit in the mono-repo.
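Added example, not part of the thread and not code from splitsh/lite: the check Spomky sketches (a consumer verifying that every commit in a split is signed by a key on a trusted-fingerprint list), written as a POSIX shell function over `git log --format='%H %G? %GF'` output, plus the signing setup a CI job with the private key in an env var would run before splitting. The fingerprints, commit ids and the `GPG_PRIVATE_KEY` / `SIGNING_FPR` variable names are assumptions. The constructed samples also carry stof's point: an injected monorepo commit that the splitter re-signed with its own key passes the check as long as the splitter key is on the list, so the check proves only that the splitter produced the commit, not that the original change was legitimate.

```shell
#!/bin/sh
# Added example (not splitsh/lite code). Two parts:
#  1. configure_signing: how a split job would import a PGP key from an
#     env var and make git sign every commit and tag it creates.
#  2. verify_log: a consumer-side check that every commit in a split is
#     signed by a key on an allowlist of fingerprints.

# Hypothetical env var names; the key material itself is never in this file.
configure_signing() {
    printf '%s' "$GPG_PRIVATE_KEY" | gpg --batch --import
    git config user.signingkey "$SIGNING_FPR"
    git config commit.gpgsign true
    git config tag.gpgSign true
}

# Constructed fingerprints (not real keys): a maintainer key and the
# splitter bot's key. Both are trusted by this consumer.
MAINTAINER_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SPLITTER_FPR=89ABCDEF0123456789ABCDEF0123456789ABCDEF
TRUSTED_FPRS="$MAINTAINER_FPR $SPLITTER_FPR"

# Returns 0 when the fingerprint is on the allowlist.
is_trusted_fpr() {
    for t in $TRUSTED_FPRS; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

# Reads "<sha> <status> <fingerprint>" lines on stdin, i.e. the output of
#   git log --format='%H %G? %GF' <rev-range>
# %G? is G good, B bad, U good but untrusted, X/Y expired, R revoked,
# E missing key, N unsigned. Returns 0 only if every commit is G and signed
# by an allowlisted key; reports each offending commit otherwise.
verify_log() {
    rc=0
    while read -r sha status fpr; do
        [ -n "$sha" ] || continue
        if [ "$status" != "G" ]; then
            echo "FAIL $sha: signature status '$status'"
            rc=1
        elif ! is_trusted_fpr "$fpr"; then
            echo "FAIL $sha: signed by $fpr, not in allowlist"
            rc=1
        fi
    done
    return $rc
}

# Constructed samples in git log format (commit ids are made up).
# Clean split: maintainer-signed commits re-signed by the splitter.
SAMPLE_CLEAN="aaaa0001 G $SPLITTER_FPR
aaaa0002 G $SPLITTER_FPR"

# Split with one unsigned commit and one signed by an unknown key.
SAMPLE_BAD="bbbb0001 G $SPLITTER_FPR
bbbb0002 N
bbbb0003 G FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"

# stof's case: a commit injected into the monorepo, then re-signed by the
# splitter like every other commit. Indistinguishable from SAMPLE_CLEAN.
SAMPLE_INJECTED_RESIGNED="cccc0001 G $SPLITTER_FPR
cccc0bad G $SPLITTER_FPR"

printf '%s\n' "$SAMPLE_CLEAN" | verify_log && echo "clean split: accepted"
printf '%s\n' "$SAMPLE_BAD" | verify_log || echo "bad split: rejected"
printf '%s\n' "$SAMPLE_INJECTED_RESIGNED" | verify_log \
    && echo "injected-then-resigned split: accepted (splitter key is trusted)"
```

For a real repository the input is `git log --format='%H %G? %GF' origin/main | verify_log`, run with the allowlisted public keys imported into the verifying gpg keyring so that `%G?` can report `G` rather than `E`.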