Well yes, signing every commit is useless. He did not however, at any point during that exchange, express the idea that commit signing is a useless activity. And that is what I was referring to.
Currently Git seems to be very much integrated with GnuPG and the same goes for GitHub's UX sprinkles over the signing feature. That is what I'd like a decent alternative to.
I considered using OpenBSD's signify but it does not integrate as nicely as GnuPG signing so I'd basically be rolling my own mechanism (which is fine I guess, but feels subpar)
Linus himself has expressed his opinion several times that signing every commit is useless. His posts here explain it a bit: http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-t...
Well yes, signing every commit is useless. He did not however, at any point during that exchange, express the idea that commit signing is a useless activity. And that is what I was referring to.
Currently Git seems to be very much integrated with GnuPG and the same goes for GitHub's UX sprinkles over the signing feature. That is what I'd like a decent alternative to.
I considered using OpenBSD's signify but it does not integrate as nicely as GnuPG signing so I'd basically be rolling my own mechanism (which is fine I guess, but feels subpar)
For the record git signing can also use X.509 certificates but from what I see it's still managed by GnuPG.
Signing every commit can be useless, but signing the releases seems to be important and useful, mainly if the developer releases compiled binaries.