two examples of commit signature checkers

ede139a0 · anarcat · 72ea5721 · ede139a0
Verified Commit ede139a0 authored 1 year ago by anarcat
--- a/howto/gitlab.md
+++ b/howto/gitlab.md
@@ -1526,6 +1526,14 @@ which declares a good hash and a signing key.
 This also requires a custom client. But it serves as a good example of
 an extreme approach (validate everything) one could take.

+Note that GitLab Premium (non-free) has support for [push rules](https://docs.gitlab.com/ee/user/project/repository/push_rules.html)
+and in particular a "Reject unsigned commits" rule.
+
+Another implementation is SourceWare's [gitsigur](https://sourceware.org/git/gitsigur.git) which verifies
+all commits (200 lines Python script), see also [this discussion](https://inbox.sourceware.org/overseers/ZJ3Tihvu6GbOb8%2FR@elastic.org/T/)
+for a comparison. A similar project is Gentoo's [update-02-gpg](https://gitweb.gentoo.org/infra/githooks.git/tree/local/update-02-gpg)
+bash script.
+
 ### Arista: sign all commits in Gerrit

 Arista wrote a blog post called [Commit Signing with Git at Enterprise