... | ... | @@ -1526,6 +1526,14 @@ which declares a good hash and a signing key. |
|
|
This also requires a custom client. But it serves as a good example of
|
|
|
an extreme approach (validate everything) one could take.
|
|
|
|
|
|
Note that GitLab Premium (non-free) has support for [push rules](https://docs.gitlab.com/ee/user/project/repository/push_rules.html)
|
|
|
and in particular a "Reject unsigned commits" rule.
|
|
|
|
|
|
Another implementation is SourceWare's [gitsigur](https://sourceware.org/git/gitsigur.git) which verifies
|
|
|
all commits (200 lines Python script), see also [this discussion](https://inbox.sourceware.org/overseers/ZJ3Tihvu6GbOb8%2FR@elastic.org/T/)
|
|
|
for a comparison. A similar project is Gentoo's [update-02-gpg](https://gitweb.gentoo.org/infra/githooks.git/tree/local/update-02-gpg)
|
|
|
bash script.
|
|
|
|
|
|
### Arista: sign all commits in Gerrit
|
|
|
|
|
|
Arista wrote a blog post called [Commit Signing with Git at Enterprise
|
... | ... | |
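Review bot: In the added GitLab paragraph, the "Reject unsigned commits" rule is mentioned without saying what it checks: whether a signature only has to be present, or has to verify against a key the server trusts. In a section about the "validate everything" approach, that difference decides whether the rule belongs in this list, so state it in one sentence next to the push rules link. In the following paragraph, "Another implementation" has no clear antecedent now that it follows the GitLab note rather than the custom-client text. Say what gitsigur implements and where it runs (the Gentoo link points into githooks.git, so that one reads as a server-side update hook, unlike the custom client above), and say what "for a comparison" compares. Minor: "200 lines Python script" should read "200-line Python script".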