GPG Signing: let user provide signature #9723
Labels:
- issue/confirmed: Issue has been reviewed and confirmed to be present or accepted to be implemented
- topic/commit-signing
- type/feature: Completely new functionality. Can only be merged if feature freeze is not active.
Although we now have a way of automatically signing commits, these will be signed with a key held on the server.
Some users might prefer to sign things themselves without having their private key on the server but would still want to sign automated commits.
This could be supported by presenting to the user the payload of a commit to sign, to which they could respond with a valid signature which is to be embedded in the commit.
This would require some changes to our temporary pushing repositories as the commits would need to hang around or be recalculated each time. The user probably would also need some way of checking that the commit they're signing actually represents what they think they're signing.
Assuming such problems are not insurmountable, two immediate extensions come to mind:
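Added example (not part of the original issue and not the project's code): a sketch of the payload-then-signature flow described above, using git's commit object layout, where the signed bytes are the commit without its `gpgsig` header. All function names, ids, the identity and the signature text are constructed placeholders, and the signature is not cryptographically verified here; that step would be done with GPG against the bytes returned by `strip_signature`.

```python
import hashlib

def build_payload(tree, parents, author, committer, message):
    """Unsigned commit body: the exact bytes presented to the user to sign."""
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {author}", f"committer {committer}", "", message]
    return "\n".join(lines).encode()

def embed_signature(payload, armored_sig):
    """Add the detached signature as a gpgsig header, ahead of the message."""
    headers, sep, body = payload.partition(b"\n\n")
    # Continuation lines of a multi-line header start with one space.
    gpgsig = b"gpgsig " + b"\n ".join(armored_sig.strip().split(b"\n"))
    return headers + b"\n" + gpgsig + sep + body

def strip_signature(commit):
    """Recover the signed payload from a signed commit object."""
    headers, sep, body = commit.partition(b"\n\n")
    kept, in_sig = [], False
    for line in headers.split(b"\n"):
        if line.startswith(b"gpgsig "):
            in_sig = True
        elif in_sig and line.startswith(b" "):
            continue
        else:
            in_sig = False
            kept.append(line)
    return b"\n".join(kept) + sep + body

def object_id(commit):
    """SHA-1 object id git assigns to these commit bytes."""
    return hashlib.sha1(b"commit %d\0" % len(commit) + commit).hexdigest()

def headers_for_review(payload):
    """Header fields a signer should compare with what they expect to sign."""
    head = payload.split(b"\n\n", 1)[0].decode()
    return [tuple(line.split(" ", 1)) for line in head.split("\n")]

def matches_offer(offered_payload, signed_commit):
    """Server-side check: the returned commit still covers the offered bytes."""
    return strip_signature(signed_commit) == offered_payload

# Constructed sample values: ids, identity and signature text are placeholders.
WHO = "Example User <user@example.com> 1700000000 +0000"
PAYLOAD = build_payload("a" * 40, ["b" * 40], WHO, WHO, "Merge (constructed)\n")
SIG = (b"-----BEGIN PGP SIGNATURE-----\n\nPLACEHOLDERnotARealSignature\n"
       b"=AAAA\n-----END PGP SIGNATURE-----\n")
SIGNED = embed_signature(PAYLOAD, SIG)
```

Because the object id covers the `gpgsig` header, the signed commit has a different id from the unsigned payload, which is why the commit would need to be kept or rebuilt byte-for-byte between offering the payload and receiving the signature.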