
Is there a way to sign your merge commits on GitHub? How do they get trusted?



Signing commits is a local affair; you don't want to be uploading your private key to GitHub. You sign locally via the command line and then push to GitHub, where the commits get verified with your public key.


Local (and preferably with an HSM) is the only way, or else it would undermine the point of signing commits.

Though if you just want commits to be signed, then GitHub does it for you, as it (always??) signs commits created by their UI/system with their key.

Generally I would recommend FF-Only commits (independent of signing) and local auto-signing of all commits.


GitHub is signing them with their own key when you merge through the web UI.


Yes. Here's an excerpt from their documentation on <https://docs.github.com/en/github/authenticating-to-github/m...>:

> GitHub will automatically use GPG to sign commits you make using the GitHub web interface


It’s even worse: if somebody rebase-merges a pull request that you authored (thereby creating a new commit that you did not author), GitHub will show you as the author (without a separate committer, like it normally does when author and committer differ) and put “verified” next to it, which usually means that they verified that it was signed by your GPG key, but in this case it means that the commit was created by GitHub.

https://twitter.com/vmulps/status/1386717970458677250


Says it signs the commit with its own key. I guess you have to trust GitHub.


Well, yes. The question was whether you can sign _on GitHub_, so your private key has to be available to GitHub. You can always sign locally if you don't trust GitHub.


What else would they be signing with? They don’t have your key, obviously.


Well, that was my point - I wonder why we haven't set up a system that lets me sign the merge commit. Otherwise it's a commit purported to be authored by me, but when you look, it's actually signed by someone else.


You can sign your commits with a GPG key; in your GitHub settings you can then link a GPG key to your account.

You can then make it that GitHub shows any non-signed commit as unverified and, at a project level, not allow PRs that contain unsigned commits.
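As an added example (not from the thread or from GitHub), here is the local side of that setup plus a small check you can run before pushing to catch commits that would show up as unverified. It parses git's `%G?` signature-status placeholder; the sample output and key IDs below are constructed, and the policy of accepting only status `G` is an assumption.

```shell
#!/bin/sh
# Local auto-signing setup (real git config keys; not executed here):
#   git config --global user.signingkey <YOUR-KEY-ID>
#   git config --global commit.gpgsign true
#
# Pre-push audit, real invocation (not executed here):
#   git log --format='%H %G? %GK' origin/main..HEAD | check_signatures
#
# %G? values: G = good and trusted, U = good but untrusted key, B = bad,
#             X/Y = expired, R = revoked, E = cannot check, N = no signature.
# Assumed policy: only 'G' passes; everything else is reported.

check_signatures() {
    # Reads "<sha> <status> [<keyid>]" lines on stdin, prints one line per
    # offending commit, and returns 1 if any commit fails the policy.
    bad=0
    while read -r sha status keyid; do
        [ -z "$sha" ] && continue
        case "$status" in
            G) ;;
            U) echo "UNTRUSTED $sha key=$keyid"; bad=1 ;;
            N) echo "UNSIGNED  $sha"; bad=1 ;;
            *) echo "REJECT    $sha status=$status key=$keyid"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample of what the git log command above prints
# (placeholder SHAs and key IDs, not real commits).
SAMPLE='aaaa1111 G 0123456789ABCDEF
bbbb2222 N
cccc3333 U FEDCBA9876543210
dddd4444 B 0123456789ABCDEF'

# Running the audit over the sample reports three of the four commits.
printf '%s\n' "$SAMPLE" | check_signatures
```

A `U` result means the signature is valid but the signing key is not trusted in your local keyring, which is a different failure from a missing signature and is worth reporting separately.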


> you can then link a GPG key to your account

I think you can only link a GPG public key though.



