Enable commit signing

[wlynch]

Feature request

We should enable commit signing so that commits to main are signed and can be verified.

Ideally it'd be great if everyone could sign commits, but to start enabling for the Prow/Tide submit job is probably okay.

Use case

So we can meet SLSA L3 Verified History requirements.

[tekton-robot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

[afrittoli]

/remove-lifecycle stale

[afrittoli]

/lifecycle frozen this is something that we need to do

[afrittoli]

@wlynch do you know how signing plays with automatic squash of commits? Is prow able to re-sign the commits with a bot identity after they are squashed into one, or does signing mean that contributors must craft their own one/two commit per PR and re-sign before merge?

[wlynch]

Pretty much in any case (unless it's a pure fast-forward) the prow robot user should take over as the committer and write its own signature - this would apply to squash, merge, or rebase. The original author should be preserved as the author.

[afrittoli]

Do you know if that's supported by tide today? I can look into it - if not we would need to either work with the k8s test-infra team to support that in tide or write our own bot (which I'd rather not).

[wlynch]

I think so? Looks like the commits for k/k are signed by the GitHub web-flow key -

[vdemeester]

Ah interesting 👼🏼

[tekton-robot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

[tekton-robot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle rotten

Send feedback to tektoncd/plumbing.

[tekton-robot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen with a justification.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/close

Send feedback to tektoncd/plumbing.

[tekton-robot]

@tekton-robot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen with a justification.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/close

Send feedback to tektoncd/plumbing.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[afrittoli]

/lifecycle frozen