Merge pull request juju#15731 from jameinel/2.9-allowed-signers
juju#15731

This lets you set up a verified SSH signing public key, to allow git to verify those commits. Each contributor who wants to use an SSH key instead of a gpg key for verification should add a line that maps their email address to their signing key. Then, when checking out juju, you can run:

```
git config gpg.ssh.allowedSignersFile "$(pwd)/allowed_signers"
```

which will configure the local working directory to trust signatures from allowed_signers.

See the guide here: https://docs.gitlab.com/ee/user/project/repository/ssh_signed_commits/ for more details on how to add the content of your public key to the file, and how to configure and check that your signatures are valid.

It is also recommended to run:

```
git config --global commit.gpgsign true
```

so that you don't have to pass `-S` to every `git commit` request.

You may also want to run:

```
git config log.showSignature true
```

so that every time you run `git log` it will check signed commits and see whether a given commit has been signed or not.

Some of the commits in the Juju repository will be generated by GitHub's bot, which has its signing key at: https://github.com/web-flow.gpg with key signature: 5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23

By default, it is not a trusted key, so you may want to download and `gpg --import` that key into your keyring, and then `gpg --edit-key 4AEE18F83AFDEB23` to trust that key. You don't have to, but since it is the key that is making those commits, by trusting it you don't get warnings for every mainline commit that it isn't sure about who created the commit.
## Checklist

*If an item is not applicable, use `~strikethrough~`.*

- [ ] ~Code style: imports ordered, good names, simple structure, etc~
- [ ] Comments saying why design decisions were made
- [ ] ~Go unit tests, with comments saying what you're testing~
- [ ] ~[Integration tests](https://github.com/juju/juju/tree/main/tests), with comments saying what you're testing~
- [ ] ~[doc.go](https://discourse.charmhub.io/t/readme-in-packages/451) added or updated in changed packages~

## QA steps

You should be able to add this allowed_signers file to your git configuration as described above, and have it show you that the signed commits are valid.

To trust this file for only this working directory:

```sh
$ git config gpg.ssh.allowedSignersFile "$(pwd)/allowed_signers"
```

Then:

```sh
$ git log --show-signature
```

should show that *this commit* was correctly signed for `john@arbash-meinel.com`.

## Documentation changes

Maybe this description should end up as a signed-commits.md or some other documentation.