On Fri, 3 Jul 2015 21:40:50 +0000 Robin H. Johnson wrote: > On Sat, Jul 04, 2015 at 12:19:41AM +0300, Andrew Savchenko wrote: > > As I see from git docs only commits and tags may be signed. There > > is no way to sign a push. Moreover there is no need to sign each > > commit, see what Linux says on that: > > http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-td2582986.html > That was Linus's 2009 opinion, and he changed his mind since then, with > the research into further attacks on SHA1. > > Git (since 2.2) DOES support signed push. Look at the manpage for > git-push, for the --signed option: > http://git-scm.com/docs/git-push
We have a rule of "one year compatibility period". ChangeLog shows that git-2.2.0 was introduced on 02 Dec 2014. So pushed commits can't be enforced before 02 Dec 2015. (And yes, my laptop still uses an older version, that's why I was unable to find --sign in the git-push manual.) Best regards, Andrew Savchenko
pgpX34YRGtbiW.pgp
Description: PGP signature