Check commit signatures when using cz #575

jenstroeger opened this issue Sep 4, 2022 · 4 comments
Labels
type: feature A new enhancement proposal

Comments

@jenstroeger
Contributor

Description

To increase trust in commits, particularly in the context of current software supply-chain issues, it may be useful to enforce signed commits with various cz commands. To maintain backwards compatibility, this should be an opt-in feature.

For example,

cz bump --changelog --require-signed-commits --yes

would fail if one or more of the commits for the change are unsigned.

Possible Solution

Iterate over the commits of a change set and use git verify-commit <SHA>.

Additional context

Of the current commitizen commands:

commands:
  {init,commit,c,ls,example,info,schema,bump,changelog,ch,check,version}
    init                init commitizen configuration
    commit (c)          create new commit
    ls                  show available commitizens
    example             show commit example
    info                show information about the cz
    schema              show commit schema
    bump                bump semantic version based on the git log
    changelog (ch)      generate changelog (note that it will overwrite existing file)
    check               validates that a commit message matches the commitizen schema
    version             get the version of the installed commitizen or the current project (default: installed commitizen)

the proposed, optional command-line switch --require-signed-commits could also be useful to commit, bump, changelog, and check.


@woile
Member

woile commented Sep 5, 2022

I'm open to it, the flag should be provided as a setting as well.

@jenstroeger
Contributor Author

In principle signing commits and verifying their signatures later is a great idea. However, like the Signing Your Work section of the git documentation states:

Everyone Must Sign

Signing tags and commits is great, but if you decide to use this in your normal workflow, you’ll have to make sure that everyone on your team understands how to do so.

And also:

This command uses GPG to verify the signature. You need the signer’s public key in your keyring for this to work properly: […]

So, while we could probably add support for this to cz, the user of this feature would actually need to understand the larger context and requirements for using it. See also the Verifying signed git commits? discussion on Stackoverflow.

@woile
Member

woile commented Sep 23, 2022

I think a section in the tutorials for "Working with signed commits" could help a lot, within the context of commitizen. Like crafted specially around the team requiring this flag --require-signed-commits

@AdrianDC
Contributor

Enforcing GPG signatures for all local commits + commits detected for example by the CI pipeline could be interesting.

However, to avoid a requirement of all public keys, it could be split into two steps:

  • --require-signed-commits: Validate all commits have a GPG signature key
  • --require-known-signatures: Validate all commits have a known GPG signature key

Example of git log --show-signature with local test keys for #347:

 commit 86fec63b8cbe091a8c3634fb53f6b17ee6f3a003 (HEAD -> master)
+gpg: Signature made Thu Aug 22 00:58:11 2024 UTC
+gpg:                using RSA key 869BF1DE64A47C3CA620CC7BBC48BD5325580A88
+gpg: Good signature from "Your Name <you@example.com>" [ultimate]
 Author: Your Name <you@example.com>
 Date:   Thu Aug 22 00:58:10 2024 +0000

    fix: test
    
    test

 commit 33e0a4f30ec64dba45025327099fa6434828bb01
-gpg: Signature made Thu Aug 22 00:45:29 2024 UTC
-gpg:                using RSA key B5223F050566C58849C4F8B36CCA433D9CD0572E
-gpg: Can't check signature: No public key
 Author: Your Name <you@example.com>
 Date:   Thu Aug 22 00:45:29 2024 +0000

    fix(test): test
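
The two-step split proposed above (signature present vs. signer key actually in the keyring) can be decided from git's own `%G?` status letter instead of parsing the human-readable gpg lines. This is an added example, not commitizen's code or any commenter's; the mapping of the two flags onto status letters and the helper names are assumptions.

```python
"""Added example (not commitizen code): separate "has a signature" from
"signer key is known" for a revision range, using git's %G? placeholder."""
import subprocess

# git-log(1) %G? values: G good, U good but untrusted key, E cannot check
# (no public key), N no signature, B bad signature, X/Y expired, R revoked.
KNOWN_GOOD = {"G", "U"}
MISSING_KEY = "E"
FIELD_SEP = "\x1f"  # unit separator; never appears in a SHA or status letter


def log_signature_status(rev_range):
    """Run git log over rev_range and return [(sha, status, signer)]."""
    fmt = "--format=%H%x1f%G?%x1f%GS"  # %x1f emits the separator byte
    out = subprocess.run(["git", "log", fmt, rev_range], check=True,
                         capture_output=True, text=True).stdout
    return parse_status_lines(out.splitlines())


def parse_status_lines(lines):
    """Parse 'sha<US>status<US>signer' records (signer is empty if unsigned)."""
    records = []
    for line in lines:
        if line.strip():
            sha, status, signer = line.split(FIELD_SEP, 2)
            records.append((sha, status, signer))
    return records


def find_violations(records, require_known=False):
    """Commits failing the policy. Assumed mapping of the two proposed flags:
    --require-signed-commits   -> reject N (unsigned) and B/X/Y/R (bad, expired
                                  or revoked); tolerate E (key not in keyring)
    --require-known-signatures -> additionally reject E
    """
    violations = []
    for sha, status, signer in records:
        if status in KNOWN_GOOD:
            continue
        if status == MISSING_KEY and not require_known:
            continue
        violations.append((sha, status, signer))
    return violations


if __name__ == "__main__":
    import sys
    known = "--require-known-signatures" in sys.argv
    ranges = [a for a in sys.argv[1:] if not a.startswith("--")]
    bad = find_violations(log_signature_status(ranges[0] if ranges else "HEAD~1..HEAD"), known)
    for sha, status, signer in bad:
        print(f"{sha[:12]} status={status} signer={signer!r}")
    sys.exit(1 if bad else 0)
```

Run as `python check_sigs.py origin/master..HEAD [--require-known-signatures]`; a non-zero exit is what a `cz bump --require-signed-commits` would turn into a refusal.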
