On Sat, Jul 04, 2015 at 12:19:41AM +0300, Andrew Savchenko wrote:
> As I see from git docs only commits and tags may be signed. There
> is no way to sign a push. Moreover there is no need to sign each
> commit, see what Linus says on that:
> http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-td2582986.html

That was Linus's 2009 opinion, and he has changed his mind since then, with
the research into further attacks on SHA1.

Git (since 2.2) DOES support signed push. Look at the manpage for
git-push, for the --signed option:
http://git-scm.com/docs/git-push

The point of signed commits is to authenticate the creator of each
commit.

The point of signed pushes is to authenticate who introduced a commit
(it might NOT be the person who signed the commits) and intended it to
be on a specific branch.

A slightly out of date, but good backgrounder on signed commits is here:
http://mikegerwitz.com/papers/git-horror-story

The StackOverflow question asking about signed push is a good reference as well:
http://stackoverflow.com/questions/27299355/why-does-git-need-signed-pushes

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Infrastructure Lead
E-Mail     : robb...@gentoo.org
GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
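
An added example, not part of the original mail: a server-side `pre-receive` hook that enforces the signed-push property described above, using the `GIT_PUSH_CERT*` variables that `git receive-pack` exports to hooks. It assumes the server repository has `receive.certNonceSeed` set and that the site policy (an assumption of this example) is to accept only fully trusted signatures with a fresh nonce.

```shell
#!/bin/sh
# Added example: pre-receive policy check for `git push --signed`.
# git-receive-pack sets the GIT_PUSH_CERT* variables for the hook when the
# client sent a push certificate; they are unset for an unsigned push.

# Returns 0 if the push certificate is acceptable, 1 otherwise.
check_push_cert() {
    # No certificate blob: the client did not use --signed.
    if [ -z "${GIT_PUSH_CERT:-}" ]; then
        echo "rejected: unsigned push (use git push --signed)" >&2
        return 1
    fi

    # Same mnemonics as %G? in git log. Policy here (assumption): only
    # G (good signature, trusted key) passes; B, U, X, Y, R, E, N do not.
    if [ "${GIT_PUSH_CERT_STATUS:-N}" != "G" ]; then
        echo "rejected: certificate status ${GIT_PUSH_CERT_STATUS:-N}" >&2
        return 1
    fi

    # The nonce binds the certificate to this push session. UNSOLICITED,
    # MISSING, BAD and SLOP (stale nonce) are all refused, so a captured
    # certificate cannot be replayed later.
    if [ "${GIT_PUSH_CERT_NONCE_STATUS:-MISSING}" != "OK" ]; then
        echo "rejected: nonce ${GIT_PUSH_CERT_NONCE_STATUS:-MISSING}" >&2
        return 1
    fi

    # Record who pushed; this is the pusher, not the commit author.
    echo "accepted: pushed by ${GIT_PUSH_CERT_SIGNER:-unknown}" \
         "(key ${GIT_PUSH_CERT_KEY:-unknown})" >&2
    return 0
}

# Enforce only when installed as hooks/pre-receive in the server repository.
if [ "${0##*/}" = "pre-receive" ]; then
    check_push_cert || exit 1
fi
```

The certificate blob named by `GIT_PUSH_CERT` lists the ref updates the pusher signed, so archiving it gives an audit trail of who placed which commit on which branch.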
