GPG-sign the commits made by @JuliaRegistrator and @jlbuild #11327

Closed
2 tasks
DilumAluthge opened this issue Mar 22, 2020 · 1 comment
Comments

@DilumAluthge (Member):

Since so many users rely on the General registry, it would be nice to increase the level of security.

I don't think that it is feasible to ask all users that make manual PRs to General to GPG-sign their commits.

I do think, however, that it is reasonable for the two main bot users that generate automated PRs to General (@JuliaRegistrator and @jlbuild) to GPG-sign their automatically generated commits.

Related issues:

@DilumAluthge (Member, Author):

We have taken the following two steps:

  1. Configure AutoMerge to always use squash-merge
  2. In the GitHub repo settings for this repo, disable the "merge" and "rebase and merge" options for merging. The only option for merging is squash-merge.

As a result, the commits on General are now GPG-signed by GitHub's web flow GPG key. See for example the following screenshot:

[screenshot: GitHub commit view showing the "Verified" signature badge]

So this is resolved.
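The two steps above make every commit that lands on the default branch a squash-merge signed by GitHub's web-flow key. A registry consumer or maintainer who wants to confirm that this is actually holding can walk the recent history and check that each commit verifies and was signed by that key rather than merely by "some" key. The script below is an added example written for this issue; it is not code from the General registry, AutoMerge, Registrator or jlbuild. It assumes `git` and `gpg` are available when run against a real clone, and it takes the long key ID of GitHub's web-flow key to be `4AEE18F83AFDEB23` (labelled as an assumption in the code; adjust `expected_keys` if your policy allows other signers). The sample log lines are constructed, not real registry commits.

```python
"""Audit that commits on a branch carry a GPG signature from an expected key.

Added example, not code from the General registry or its bots. Assumes git and
gpg are on PATH when run against a real repository.
"""
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Assumption: long key ID of GitHub's web-flow signing key (used for web-UI squash-merges).
GITHUB_WEB_FLOW_KEY = "4AEE18F83AFDEB23"

# Meaning of git's %G? placeholder, as documented in git-log(1).
SIGNATURE_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, untrusted key",
    "X": "good signature, expired",
    "Y": "good signature, expired key",
    "R": "good signature, revoked key",
    "E": "signature cannot be checked (missing key or error)",
    "N": "no signature",
}

# One commit per line: hash NUL status NUL signing key NUL subject.
LOG_FORMAT = "%H%x00%G?%x00%GK%x00%s"


@dataclass
class Finding:
    commit: str
    status: str
    key: str
    subject: str
    problem: Optional[str]  # None when the commit satisfies the policy


def git_log_lines(repo: str, ref: str = "HEAD", max_count: int = 100) -> List[str]:
    """Run git log in `repo` and return the raw formatted lines (needs git + gpg)."""
    out = subprocess.run(
        ["git", "-C", repo, "log", f"--format={LOG_FORMAT}", f"-n{max_count}", ref],
        check=True, capture_output=True, text=True,
    ).stdout
    return [line for line in out.splitlines() if line]


def parse_log_line(line: str) -> Tuple[str, str, str, str]:
    """Split one formatted line into (commit, status, key, subject)."""
    commit, status, key, subject = line.split("\x00", 3)
    return commit, status, key.strip(), subject


def audit_signatures(lines: Sequence[str], expected_keys: Sequence[str]) -> List[Finding]:
    """Every commit must verify (status G) and be signed by one of `expected_keys`.

    Keys are compared by suffix so that a full fingerprint (from %GF) and a long
    key ID (from %GK) both match the same configured value.
    """
    wanted = [k.upper() for k in expected_keys]
    findings: List[Finding] = []
    for line in lines:
        commit, status, key, subject = parse_log_line(line)
        problem: Optional[str] = None
        if status != "G":
            problem = SIGNATURE_STATUS.get(status, f"unknown status {status!r}")
        elif not any(key.upper().endswith(k) for k in wanted):
            problem = f"signed by unexpected key {key}"
        findings.append(Finding(commit, status, key, subject, problem))
    return findings


def violations(findings: Sequence[Finding]) -> List[Finding]:
    """Return only the commits that fail the policy."""
    return [f for f in findings if f.problem is not None]


# Constructed sample output (not real registry commits): a squash-merge signed by
# the web-flow key, an unsigned merge commit, and a commit signed by some other key.
SAMPLE_LOG = [
    "a" * 40 + "\x00G\x004AEE18F83AFDEB23\x00New package: Example v1.0.0 (#0)",
    "b" * 40 + "\x00N\x00\x00Merge pull request #0 from example/branch",
    "c" * 40 + "\x00G\x00DEADBEEFDEADBEEF\x00Manual fix",
]

if __name__ == "__main__":
    # Replace SAMPLE_LOG with git_log_lines("/path/to/General", "master") for a live check.
    for f in audit_signatures(SAMPLE_LOG, [GITHUB_WEB_FLOW_KEY]):
        verdict = "OK " if f.problem is None else "BAD"
        print(f"{verdict} {f.commit[:12]} {f.subject!r}: {f.problem or SIGNATURE_STATUS['G']}")
```

Note that `%G?` only reports `G` when the signing key is in the local keyring and trusted enough for gpg to verify; the web-flow key must be imported first, otherwise every squash-merge shows up as `E` and the audit flags the whole branch. Pinning the expected key, rather than accepting any `G`, is the point: the repo settings enforce squash-merge, but nothing in git itself prevents a force-push of differently signed history, so the check answers "signed by whom", not just "signed".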
