Signing Commits

[benrobot]

When I develop at my desktop I regularly use:

git commit -S -m "Fixed something..."

Where -S in the command causes the commit to get signed with my private key. When I push the changes to GitHub, GitHub verifies the signature against my public key that I uploaded to them previously. They even put a little button that says Verified next to each commit that I signed.

I'd like for commits made from my GitPod to somehow be signed as well. I can think of two options at the moment:

1. Invent a process where git commit -S outputs the string to be signed and waits for the user to copy that string locally, use GPG to sign it with her private key and then copy the signed output back into the GitPod command line that was waiting for it. This option may not be possible without coding some new commit signing handler.
2. Maybe GitPod could sign the commit similar to how GitHub signs commits when editing a file using their Web interface.

Here's a little more information related to option 2:
According to this page Managing commit signature verification GitHub will automatically sign commits you make using the GitHub web interface.

[corneliusludmann]

In my opinion, option 1 seems to be rather complicated and cumbersome. Option 2 is not possible unless (a) Gitpod has your private GPG key or (b) generates a private GPG key whose public key you need to add to GitHub. In both cases Gitpod have to manage the secure storage of the private key of the users.

See also the discussion of #666.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.