I don't think it is quite this simple. There would have to be a way for the GPG key to be associated with a specific ASF identity and I don't think that is in place at this time. Also, there would have to be verification that the person who is committing has a GPG key AND that they are a committer in ASF and have an identity there. I think there are more moving parts here than meet the eye, but we can definitely continue the discussion and see where it can lead.

Will STEVENS
Lead Developer
CloudOps | Cloud Solutions Experts
420 rue Guy | Montreal | Quebec | H3J 1S6
w cloudops.com | tw @CloudOps_

On Wed, Apr 6, 2016 at 5:00 AM, Wido den Hollander <w...@widodh.nl> wrote:

> > On 6 April 2016 at 10:50, Daan Hoogland <daan.hoogl...@gmail.com> wrote:
> >
> > Good reading for the Wednesday morning;) yes I think we need to go there
> > and maybe even ask it of our contributors.
> >
>
> It might please the ASF since we can now prove who made the commit. If we
> ask all committers to upload their public key and sign their commits we can
> check this.
>
> For Pull Requests we can probably also add a hook/check which verifies if a
> signature is present.
>
> Wido
>
> > On Wed, Apr 6, 2016 at 9:28 AM, Wido den Hollander <w...@widodh.nl> wrote:
> >
> > > Hi,
> > >
> > > Github just added [0] support for verifying GPG signatures of Git commits
> > > to the web interface.
> > >
> > > Under the settings page [1] you can now add your public GPG key so Github
> > > can verify it.
> > >
> > > It's rather simple:
> > >
> > > $ gpg --armor --export w...@widodh.nl
> > >
> > > That gave me my public key which I could export.
> > >
> > > Git already supports signing [2] commits with your key.
> > >
> > > This makes me wonder, is this something we want to enforce? To me it seems
> > > like a good thing to have.
> > >
> > > Wido
> > >
> > > [0]: https://github.com/blog/2144-gpg-signature-verification
> > > [1]: https://github.com/settings/keys
> > > [2]: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
> > >
> >
> > --
> > Daan
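
The two checks discussed in this thread, that a signature is present and that the signing key belongs to a known committer identity, can be combined in one audit over `git log --format='%H|%G?|%GP|%ce'` output. This is an added example, not part of the original messages and not ASF or CloudStack tooling; the registry, e-mail addresses, commit ids and fingerprints are constructed for illustration.

```python
# Added example. Registry, e-mail addresses and fingerprints are constructed.
FPR_A, FPR_B, FPR_C = "A" * 40, "B" * 40, "C" * 40

# Hypothetical registry: committer e-mail -> registered primary-key fingerprints.
REGISTRY = {"alice@example.org": {FPR_A}, "bob@example.org": {FPR_B}}

# Constructed sample of: git log --format='%H|%G?|%GP|%ce'
SAMPLE_LOG = f"""\
c1|G|{FPR_A}|alice@example.org
c2|N||bob@example.org
c3|G|{FPR_B}|alice@example.org
c4|U|{FPR_C}|mallory@example.net
c5|B|{FPR_A}|alice@example.org
"""

# git's %G? letters that do not indicate a usable signature.
FAILED = {
    "B": "bad signature", "X": "expired signature", "Y": "expired key",
    "R": "revoked key", "E": "signature cannot be checked", "N": "unsigned",
}

def check_commit(line, registry):
    """Return (commit, verdict) for one '%H|%G?|%GP|%ce' line."""
    commit, status, fpr, email = line.strip().split("|", 3)
    if status in FAILED:
        return commit, "reject: " + FAILED[status]
    if status not in ("G", "U"):
        return commit, "reject: unrecognised status"
    # G = good, U = good but key not trusted in the local keyring; trust is
    # decided here by the registry, so both proceed to the identity check.
    keys = registry.get(email.lower())
    if keys is None:
        return commit, "reject: committer not in registry"
    if fpr.upper() not in keys:
        return commit, "reject: key not registered to this committer"
    return commit, "accept"

def audit(log_text, registry):
    """Map each commit in the log text to its verdict."""
    return dict(check_commit(l, registry) for l in log_text.splitlines() if l.strip())

if __name__ == "__main__":
    for commit, verdict in audit(SAMPLE_LOG, REGISTRY).items():
        print(commit, verdict)
```

Commit `c3` is the case a presence-only check misses: the signature verifies, but the key is registered to a different committer.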