
On Oct 24, 2017, at 18:56, Mark Sapiro <mark@msapiro.net> wrote:
I remember looking into signing commits when we first switched from bzr to git because I was used to signing all commits. At that time, it seemed controversial. See, e.g., <http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-tp2582986p2583316...> where Linus argues that "Signing each commit is totally stupid." and that you should sign tags but not commits.
I don't know enough about the internals of this to have an opinion, and as I said I will be signing my commits going forward, and the post I link to is over 8 years old and things might have changed, but there it is for what it's worth.
I’m not sure that any of the points Linus brings up in that thread have changed, but I’m also not sure how relevant they are to our workflow. It’s interesting enough that Gitlab is now showing the verified tag for signed commits, although TBH, I’m also not sure how much that buys us in practice. Still, it’s easy enough to experiment with, so let’s do it and see if it has any practical impact on us, either pro or con.
-Barry
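The thread above leaves open what a "verified" badge on a signed commit actually attests to, and how that differs from a signed tag. The following is an added example, not code from this thread or from the Mailman project, that reproduces the split git itself performs before handing bytes to gpg: a commit carries its signature inside the object as a multi-line `gpgsig` header, so `git verify-commit` strips that header and verifies the rest; a tag carries the signature appended after its message, so `git verify-tag` splits at the armor marker. It also shows why a signed tag pins the history beneath it: the signed tag payload names the commit id, and that id is a hash over tree, parents and message, so rewriting any byte upstream breaks the match. The commit and tag objects, author name, e-mail, timestamps and the signature blocks are all constructed for this example (the signature bodies are placeholders, not real PGP data); the empty-tree id used as a self-check is git's real constant.

```python
"""Split signed git objects into the payload gpg sees and the detached
signature, the way `git verify-commit` and `git verify-tag` do.

All sample objects below are constructed for this example; the signature
blocks are placeholders, not real PGP data.
"""
import hashlib
from typing import Optional, Tuple

SIG_BEGIN = b"-----BEGIN PGP SIGNATURE-----"
SIG_END = b"-----END PGP SIGNATURE-----"


def object_id(obj_type: str, body: bytes) -> str:
    """SHA-1 object id exactly as git computes it: '<type> <len>\\0<body>'."""
    return hashlib.sha1(f"{obj_type} {len(body)}\0".encode() + body).hexdigest()


# Constructed signed commit.  The gpgsig header continues onto lines that
# start with a single space (git's header continuation syntax); a blank
# armor line is stored as a lone space.  4b825dc... is git's empty tree.
SAMPLE_COMMIT = (
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    b"parent 1111111111111111111111111111111111111111\n"
    b"author Example Dev <dev@example.invalid> 1508885760 -0400\n"
    b"committer Example Dev <dev@example.invalid> 1508885760 -0400\n"
    b"gpgsig -----BEGIN PGP SIGNATURE-----\n"
    b" \n"
    b" iQEzBAABCAAdFiEEplaceholderplaceholderplaceholderplaceholder=\n"
    b" =AbCd\n"
    b" -----END PGP SIGNATURE-----\n"
    b"\n"
    b"Sign commits as well as tags\n"
)

# Constructed signed tag pointing at the commit above.  The armored
# signature is appended after the tag message, not stored in a header.
SAMPLE_TAG = (
    b"object " + object_id("commit", SAMPLE_COMMIT).encode() + b"\n"
    b"type commit\n"
    b"tag example-release\n"
    b"tagger Example Dev <dev@example.invalid> 1508885760 -0400\n"
    b"\n"
    b"Example release tag\n"
    + SIG_BEGIN + b"\n"
    b"\n"
    b"iQEzBAABCAAdFiEEplaceholderplaceholderplaceholderplaceholder=\n"
    b"=WxYz\n"
    + SIG_END + b"\n"
)


def split_signed_commit(raw: bytes) -> Tuple[bytes, Optional[bytes]]:
    """Return (payload, signature) for a commit object.

    Headers run until the first blank line.  The whole gpgsig header,
    including its continuation lines, is removed; every other byte of the
    object is kept, which is what gpg is asked to verify.
    """
    header, sep, message = raw.partition(b"\n\n")
    kept, sig_lines, in_sig = [], [], False
    for line in header.split(b"\n"):
        if line.startswith(b"gpgsig "):
            in_sig = True
            sig_lines.append(line[len(b"gpgsig "):])
        elif in_sig and line.startswith(b" "):
            sig_lines.append(line[1:])  # drop the continuation space
        else:
            in_sig = False
            kept.append(line)
    payload = b"\n".join(kept) + sep + message
    signature = b"\n".join(sig_lines) + b"\n" if sig_lines else None
    return payload, signature


def split_signed_tag(raw: bytes) -> Tuple[bytes, Optional[bytes]]:
    """Return (payload, signature) for a tag object.

    The signed payload is everything up to the line that begins the
    armored signature block; the block itself is the detached signature.
    """
    idx = raw.find(b"\n" + SIG_BEGIN)
    if idx == -1:
        return raw, None
    return raw[: idx + 1], raw[idx + 1:]


def tag_target(tag_payload: bytes) -> str:
    """Object id named by the tag's first header line, 'object <id>'."""
    first = tag_payload.split(b"\n", 1)[0]
    if not first.startswith(b"object "):
        raise ValueError("not a tag object")
    return first[len(b"object "):].decode()


def tag_covers(tag_payload: bytes, commit_raw: bytes) -> bool:
    """True if the signed tag payload names exactly this commit object.

    A commit id hashes tree, parents and message, so the single signed
    'object' line pins the whole history below it: any rewritten byte
    upstream yields a different id and this check fails.
    """
    return tag_target(tag_payload) == object_id("commit", commit_raw)


if __name__ == "__main__":
    payload, sig = split_signed_commit(SAMPLE_COMMIT)
    print("commit id (includes gpgsig):", object_id("commit", SAMPLE_COMMIT))
    print("payload handed to gpg:\n" + payload.decode())
    tag_payload, tag_sig = split_signed_tag(SAMPLE_TAG)
    print("tag covers commit:", tag_covers(tag_payload, SAMPLE_COMMIT))
    tampered = SAMPLE_COMMIT.replace(b"Sign commits", b"Sign nothing")
    print("tag covers tampered commit:", tag_covers(tag_payload, tampered))
```

Two details follow from the split. The commit's object id is computed over the full object including the `gpgsig` header, so signing a commit changes its id, while the bytes gpg checks are the commit without that header. And a signed tag's payload is just a few header lines plus the message, but because one of those lines is the commit id, a valid tag signature transitively covers every tree and parent reachable from that commit.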