Description
Some projects require GPG-signing all your commits. From a security perspective, this is verified by the server.
It's easy to configure your git client to GPG-sign all your commits by default.
But some tools don't support GPG-signing (for example, my beloved GitUp). It's trickier than it sounds to add GPG signing to some tools, it appears...
I often find myself in a situation where I finish some work, create a PR using the gh CLI tool (knowing that it'll take some time to run the tests and the whole CI pipeline), then switch context (focus on some other work).
15 minutes later, I switch contexts again, check on the PR, the tests succeeded, but the system says "there are some unsigned commits".
So I think that it would be useful to actually have a local (even personal, global) way to prevent pushes with unsigned commits, so people can catch such situations very early (and re-sign commits, I actually have a script that does it in one go). It's language-agnostic, so I think it could live in this repo.
What do you think? Do you have some feedback? Do you agree it's suitable for this repo, or is it too niche a use case in your opinion?
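
One way to implement the local check proposed above, as an added example that is not code from the issue author or from this repository: a `pre-push` hook that reads the refs git is about to push and refuses when any new commit has no signature (`%G?` status `N`) or a bad one (`B`). The helper names `is_zero`, `push_range` and `unsigned_commits` are hypothetical.

```shell
#!/bin/sh
# Added example: pre-push hook that blocks pushes containing unsigned commits.
# Install as .git/hooks/pre-push, or in a directory named by core.hooksPath.
# Helper names below are hypothetical, chosen for this example.

# True when an object name is all zeros (git's marker for "no such ref").
is_zero() { case "$1" in *[!0]*) return 1 ;; *) return 0 ;; esac; }

# Turn one pre-push stdin line into revision arguments covering the commits
# being pushed. Prints nothing for a ref deletion.
# $1 = remote name, $2 = local sha, $3 = remote sha
push_range() {
    if is_zero "$2"; then
        return 0                                    # deleting a ref: nothing to check
    elif is_zero "$3"; then
        printf '%s --not --remotes=%s\n' "$2" "$1"  # new ref: commits the remote lacks
    else
        printf '%s..%s\n' "$3" "$2"                 # update: only the new commits
    fi
}

# Filter "<sha> <%G? status>" lines and print the sha of every commit whose
# status is N (no signature) or B (bad signature).
unsigned_commits() {
    while read -r sha status; do
        case "$status" in N|B) printf '%s\n' "$sha" ;; esac
    done
}

main() {
    remote="$1"; failed=0
    # git feeds one line per ref: <local ref> <local sha> <remote ref> <remote sha>
    while read -r _local_ref local_sha _remote_ref remote_sha; do
        range=$(push_range "$remote" "$local_sha" "$remote_sha")
        [ -n "$range" ] || continue
        # $range is intentionally unquoted: it may hold several arguments.
        bad=$(git log --format='%H %G?' $range | unsigned_commits)
        if [ -n "$bad" ]; then
            echo "pre-push: unsigned commits headed for $remote:" >&2
            echo "$bad" >&2
            failed=1
        fi
    done
    return "$failed"
}

# Run only when installed as the hook, so the file can also be sourced.
case "${0##*/}" in pre-push) main "$@" ;; esac
```

This only checks that a signature is present and not broken; statuses such as `E` (key not available locally) pass, since verification against trusted keys remains the server's job.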