On 10/24/2017 02:18 PM, Barry Warsaw wrote:
On Oct 24, 2017, at 16:52, Abhilash Raj email@example.com wrote:
Gitlab now supports verification of commit signatures and it would be awesome if we start signing commits. It is a relatively painless process and happens automatically with little configuration.
Very cool that GL has enabled this! Thanks for sending the recipe too. I definitely encourage folks (especially core devs) to start signing commits.
I have set my .gitconfig to automatically sign commits (I already had my signingkey in the [user] section, but I didn't have [commit] gpgsign = true which I now do).
I remember looking into signing commits when we first switched from bzr to git because I was used to signing all commits. At that time, it seemed controversial. See, e.g., http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-tp2582986p2583316.html where linus argues that "Signing each commit is totally stupid." and that you should sign tags but not commits.
I don't know enough about the internals of this to have an opinion, and as I said I will be signing my commits going forward, and the post I link to is over 8 years old and things might have changed, but there it is for what it's worth.