GitHub supports signing commits with PGP keys.
We have an open source project that accepts contributions from people without PGP keys. Security is important to us, so we decided that every person who merges pull requests will sign the merges with their PGP key, so that each actual commit is either directly signed by the author and/or covered by a signed merge.
What is the best way to set up continuous integration that enforces this? We want the build to fail, alarms to go off, and perhaps the commit / merge to be reverted if someone commits or merges code into the main repo without signing it with a PGP key from a specific list of authorized keys.
We use github, so I think github hooks can help. I believe that we are using Jenkins for CI, however this probably does not matter since it will be a custom script.
To clarify: the project accepts contributions from open source developers, and we will not require each of them to have a PGP key. However, each of the people with merge rights on GitHub must have a PGP key, and the build I propose will verify this. Merges themselves will be PGP-signed, even if not every commit is.
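The policy described in the question can be checked in CI by walking the first-parent chain of the main branch: every commit on that chain (direct commits and merge commits alike) must carry a good signature from an authorized key, and a signed merge covers the side-branch commits it brings in, which may stay unsigned. The following is an added example, not code from the question or from any project; it assumes the CI job runs `git log --first-parent --format='%H|%P|%G?|%GK' BASE..TIP` (real `git log` placeholders: `%G?` is the signature status, `%GK` the signing key id) and feeds the output to this script. The key ids and the sample log are constructed for the example.

```python
"""Check that every first-parent commit on main is signed by an authorized key.

Intended input: output of
    git log --first-parent --format='%H|%P|%G?|%GK' BASE..TIP
%G? values: G = good signature, U = good but key not trusted in the keyring,
            N = no signature, B = bad, E = cannot be checked (key missing),
            X/Y/R = expired / expired key / revoked key.
Because --first-parent skips side-branch commits, a non-merge commit on the
chain must itself be signed, while commits brought in by a signed merge are
accepted without their own signature, which is exactly the policy asked for.
"""
from dataclasses import dataclass

# Constructed list of authorized signing key ids (long key id, as %GK prints).
AUTHORIZED_KEYS = {"1111111111111111", "2222222222222222"}

# Constructed sample output, newest commit first, as git log prints it.
SAMPLE_LOG = """\
c3m2|c2d2 b9x1|G|3333333333333333
c2d2|c1d1|N|
c1d1|a0m1|G|1111111111111111
a0m1|0000base f2ff|U|2222222222222222
"""


@dataclass
class Commit:
    sha: str
    parents: list
    sig_status: str
    key_id: str

    @property
    def is_merge(self):
        return len(self.parents) > 1


def parse_git_log(text):
    """Parse '%H|%P|%G?|%GK' lines into Commit records."""
    commits = []
    for line in text.strip().splitlines():
        sha, parents, status, key = line.split("|")
        commits.append(Commit(sha, parents.split(), status, key))
    return commits


def check_first_parent_chain(commits, authorized):
    """Return (sha, reason) for every first-parent commit that violates the policy."""
    violations = []
    for c in commits:
        kind = "merge" if c.is_merge else "commit"
        if c.sig_status not in ("G", "U"):
            # N (unsigned), B (bad), E (key not in keyring) etc. all fail.
            status = c.sig_status or "N"
            violations.append((c.sha, f"{kind} has no good signature (status {status})"))
        elif c.key_id not in authorized:
            # Valid signature, but not from someone with merge rights.
            violations.append((c.sha, f"{kind} signed by unauthorized key {c.key_id}"))
    return violations


def ci_exit_code(log_text, authorized=AUTHORIZED_KEYS):
    """0 when the chain is clean, 1 otherwise; prints one line per violation."""
    violations = check_first_parent_chain(parse_git_log(log_text), authorized)
    for sha, reason in violations:
        print(f"POLICY VIOLATION {sha}: {reason}")
    return 1 if violations else 0


if __name__ == "__main__":
    # In CI, replace SAMPLE_LOG with the real `git log` output (e.g. via sys.stdin).
    raise SystemExit(ci_exit_code(SAMPLE_LOG))
```

Two practical points for the CI job: run `git log` with `GNUPGHOME` pointed at a keyring that contains only the authorized public keys, so a signature from an unknown key shows up as status `E` and fails regardless of the key list; and compute `BASE` as the last commit that already passed the check (or the merge base with the previous main tip), so the job only examines what the push added.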