On Wed, Apr 6, 2016 at 11:00 AM, Wido den Hollander <w...@widodh.nl> wrote:

>
> > On 6 April 2016 at 10:50, Daan Hoogland <daan.hoogl...@gmail.com> wrote:
> >
> >
> > Good reading for the Wednesday morning;) yes I think we need to go there
> > and maybe even ask it of our contributors.
> >
>
> It might please the ASF since we can now prove who made the commit. If we ask
> all committers to upload their public key and sign their commits we can check
> this.
>
> For Pull Requests we can probably also add a hook/check which verifies if a
> signature is present.
>
and revoke/allow committer access to the organisation based on it

...

life is great.

>
> Wido
>
> > On Wed, Apr 6, 2016 at 9:28 AM, Wido den Hollander <w...@widodh.nl> wrote:
> >
> > > Hi,
> > >
> > > Github just added [0] support for verifying GPG signatures of Git commits
> > > to the web interface.
> > >
> > > Under the settings page [1] you can now add your public GPG key so Github
> > > can verify it.
> > >
> > > It's rather simple:
> > >
> > > $ gpg --armor --export w...@widodh.nl
> > >
> > > That gave me my public key which I could export.
> > >
> > > Git already supports signing [2] commits with your key.
> > >
> > > This makes me wonder, is this something we want to enforce? To me it seems
> > > like a good thing to have.
> > >
> > > Wido
> > >
> > > [0]: https://github.com/blog/2144-gpg-signature-verification
> > > [1]: https://github.com/settings/keys
> > > [2]: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
> > >
> >
> >
> >
> > --
> > Daan
>



-- 
Daan
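
The hook/check for pull requests suggested in this thread could look like the following sketch, added here as an example and not code from the thread or the project. It relies on git's `%G?` and `%GK` log placeholders; the `ALLOWED_KEYS` allow-list, its key IDs, and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: reject commits that are unsigned, badly signed, or signed by
# a key that is not on the committers' allow-list.
# ALLOWED_KEYS is a hypothetical space-separated list of signing key IDs;
# the default IDs below are constructed placeholders.
ALLOWED_KEYS="${ALLOWED_KEYS:-AAAA1111BBBB2222 CCCC3333DDDD4444}"

# Reads "<commit> <status> <key>" lines on stdin (status is git's %G? code),
# prints one verdict per commit, returns 1 if any commit fails the policy.
classify_commits() {
    rc=0
    while read -r commit status key; do
        [ -n "$commit" ] || continue
        case "$status" in
            G)  # good signature: still require an allow-listed key
                case " $ALLOWED_KEYS " in
                    *" ${key:-none} "*) verdict="" ;;
                    *) verdict="key not on allow-list: ${key:-none}" ;;
                esac ;;
            U)   verdict="good signature, key validity unknown" ;;
            N)   verdict="no signature" ;;
            B)   verdict="bad signature" ;;
            E)   verdict="cannot check (public key missing)" ;;
            X|Y) verdict="signature or key expired" ;;
            R)   verdict="signed with a revoked key" ;;
            *)   verdict="unrecognised status '$status'" ;;
        esac
        if [ -n "$verdict" ]; then
            echo "REJECT $commit: $verdict"
            rc=1
        else
            echo "OK     $commit"
        fi
    done
    return "$rc"
}

# Hypothetical entry point for a pull-request check: $1 and $2 are the base
# and head refs supplied by the CI system. The committers' public keys must
# already be in the GnuPG keyring of the machine running the check.
verify_range() {
    git log --format='%H %G? %GK' "$1..$2" | classify_commits
}
```

Failing closed on `U` and `E` means a commit only passes when the verifying machine both holds the signer's public key and trusts it.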
