There is a way to do that. When you become a committer, you can register a key at [1]; that (public) key is then loaded to [2]. The key is associated with the committer's login. For instance, this is my public key [3].
[1] id.apache.org
[2] https://people.apache.org/keys/committer/
[3] https://people.apache.org/keys/committer/rafael.asc

On Wed, Apr 6, 2016 at 11:04 AM, Will Stevens <[email protected]> wrote:

> I don't think it is quite this simple. There would have to be a way for
> the GPG key to be associated with a specific ASF identity, and I don't think
> that is in place at this time. Also, there would have to be verification
> that the person who is committing has a GPG key AND that they are a
> committer in ASF and have an identity there. I think there are more moving
> parts here than meet the eye, but we can definitely continue the discussion
> and see where it can lead.
>
> *Will STEVENS*
> Lead Developer
>
> *CloudOps* *|* Cloud Solutions Experts
> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6
> w cloudops.com *|* tw @CloudOps_
>
> On Wed, Apr 6, 2016 at 5:00 AM, Wido den Hollander <[email protected]> wrote:
>
> > > On 6 April 2016 at 10:50, Daan Hoogland <[email protected]> wrote:
> > >
> > > Good reading for the Wednesday morning ;) Yes, I think we need to go there
> > > and maybe even ask it of our contributors.
> > >
> >
> > It might please the ASF, since we can then prove who made the commit. If we
> > ask all committers to upload their public key and sign their commits, we can
> > check this.
> >
> > For Pull Requests we can probably also add a hook/check which verifies if a
> > signature is present.
> >
> > Wido
> >
> > > On Wed, Apr 6, 2016 at 9:28 AM, Wido den Hollander <[email protected]> wrote:
> > >
> > > > Hi,
> > > >
> > > > Github just added [0] support for verifying GPG signatures of Git commits
> > > > to the web interface.
> > > >
> > > > Under the settings page [1] you can now add your public GPG key so Github
> > > > can verify it.
> > > >
> > > > It's rather simple:
> > > >
> > > > $ gpg --armor --export [email protected]
> > > >
> > > > That gave me my public key, which I could export.
> > > >
> > > > Git already supports signing [2] commits with your key.
> > > >
> > > > This makes me wonder: is this something we want to enforce? To me it seems
> > > > like a good thing to have.
> > > >
> > > > Wido
> > > >
> > > > [0]: https://github.com/blog/2144-gpg-signature-verification
> > > > [1]: https://github.com/settings/keys
> > > > [2]: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
> > > >
> > >
> > > --
> > > Daan
>

--
Rafael Weingärtner
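The hook/check that Wido proposes for pull requests, as an added example that is not part of this thread and not a CloudStack or ASF script: it runs `git log` with the `%G?` signature-status placeholder over a revision range and rejects any commit whose status is not acceptable. It assumes a `git` binary on PATH and a GnuPG keyring on the checking machine that already holds the committers' public keys (for ASF committers, the `.asc` files under https://people.apache.org/keys/committer/ can be imported with `gpg --import`); the revision range, the function names and the sample log lines below are hypothetical.

```python
#!/usr/bin/env python3
"""Reject commits in a revision range that lack an acceptable GPG signature.

Hypothetical example code (not a CloudStack/ASF script). Assumes `git` on
PATH and a keyring that already contains the committers' public keys.
"""
import subprocess
import sys

# Meaning of git's %G? placeholder, per git-log(1) "PRETTY FORMATS".
STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature with unknown validity (key not trusted)",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (e.g. missing public key)",
    "N": "no signature",
}

# One line per commit: <sha> TAB <status> TAB <signer name>.
LOG_FORMAT = "%H%x09%G?%x09%GS"

# Statuses a PR check accepts. "U" is included because keys imported from a
# directory such as people.apache.org are usually not in the verifier's web
# of trust, so even a correct signature reports U rather than G.
ACCEPTED = frozenset({"G", "U"})


def parse_log(text):
    """Parse `git log --format=LOG_FORMAT` output into (sha, status, signer)."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t", 2)
        fields += [""] * (3 - len(fields))  # tolerate a missing signer field
        sha, status, signer = fields
        commits.append((sha, status, signer))
    return commits


def check_commits(commits, accepted=ACCEPTED):
    """Return [(sha, reason)] for every commit that fails the policy."""
    failures = []
    for sha, status, signer in commits:
        if status not in accepted:
            reason = STATUS.get(status, "unknown %%G? value %r" % status)
            failures.append((sha, reason))
    return failures


def check_range(rev_range, repo="."):
    """Run git in `repo` over `rev_range` (e.g. 'origin/master..HEAD')."""
    out = subprocess.run(
        ["git", "-C", repo, "log", "--format=" + LOG_FORMAT, rev_range],
        check=True, capture_output=True, text=True,
    )
    return check_commits(parse_log(out.stdout))


# Constructed sample output with fake hashes, used for the stand-alone demo.
SAMPLE_LOG = (
    "1111111111111111111111111111111111111111\tG\tAlice Committer <[email protected]>\n"
    "2222222222222222222222222222222222222222\tU\tBob Committer <[email protected]>\n"
    "3333333333333333333333333333333333333333\tN\t\n"
    "4444444444444444444444444444444444444444\tE\t\n"
    "5555555555555555555555555555555555555555\tB\tMallory <[email protected]>\n"
)


def main(argv):
    # With a revision range argument, check a real repository; otherwise
    # run the policy over the constructed sample.
    if len(argv) > 1:
        failures = check_range(argv[1])
    else:
        failures = check_commits(parse_log(SAMPLE_LOG))
    for sha, reason in failures:
        print("REJECT %s: %s" % (sha, reason))
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Note that a commit signed by a committer whose key is not in the checking machine's keyring reports `E`, not `N`: git cannot tell a bad signature from an unknown signer, so the check only works if the keys (for example from https://people.apache.org/keys/committer/) are imported before it runs.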
