points by luizfelberti 7 years ago

I've mostly been able to avoid PGP, but one workflow that I haven't been able to find a decent alternative for it Git commit signing.

Does anyone know good alternatives in this space?

tuxxy 7 years ago

Linus himself has expressed his opinion several times that signing every commit is useless. His posts here explain it a bit: http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-t...

  • luizfelberti 7 years ago

    Well yes, signing every commit is useless. He did not however, at any point during that exchange, express the idea that commit signing is a useless activity. And that is what I was referring to.

    Currently Git seems to be very much integrated with GnuPG and the same goes for GitHub's UX sprinkles over the signing feature. That is what I'd like a decent alternative to.

    I considered using OpenBSD's signify but it does not integrate as nicely as GnuPG signing so I'd basically be rolling my own mechanism (which is fine I guess, but feels subpar)

    • Boulth 7 years ago

      For the record git signing can also use X.509 certificates but from what I see it's still managed by GnuPG.

  • eddieoz 7 years ago

    Signing every commit can be useless, but signing the releases seems to be important and useful, mainly if the developer releases compiled binaries.