Having a hard time understanding the threat model for signing commits.
Conversation
Replying to
It doesn't work well since commits get cherry picked and rebased. Is it supposed to mean that the committer reviewed the patch or just that it was them who applied it? Commits from original authors would almost always get stripped away when applying changes from others cleanly.
1
4
It's a poorly designed feature even for tags. Tags are clearly meant to be immutable and Git doesn't separate tags from different sources. If you wanted to rotate the signing key, you would need to create new tags or ignore that the existing tags couldn't be verified anymore.
1
3
Signatures should be based on Git notes so they can be attached to an object after the fact and there wouldn't be the limit of only having a single signature from one person. It also avoids having it tied to a horrible legacy approach to signing (GPG). Still depends on SHA-1...
Replying to
GrapheneOS still uses signed tags but we're planning on switching to attaching signify signatures via notes unless Git adds a reasonable replacement for PGP signed tags in the near future.
From our perspective, it's almost more harmful to have GPG signatures than nothing at all.
1
5
Show replies