But what do you do with the signatures on the signed commits? It is of some limited value to GPG sign, because it does provide a little bit more of a "John Hancock" for a release, but how does this work in a continuous integration environment? Does the CI server reject commits that are not properly signed? Does the server refuse to run unsigned or incorrectly signed Git-deployed code?
It provides a confirmation that the person whose name and email are on a commit actually made the commit. I can configure my instance of git to make commits as "Linus Torvalds <torvalds@linux-foundation.org>", but only the real Linus can sign them with a publicly verifiable GPG key.
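One way to turn that into the CI-side check the question asks about, as an added example that is not from this thread: a script that fails the build unless every commit in the range under review carries a good signature from a key the runner already trusts. It assumes git and gpg are on the runner, the maintainers' public keys have been imported into its keyring, and `BASE_REF`/`HEAD_REF` are placeholders for whatever the CI system exposes.

```shell
#!/bin/sh
# Added example: gate a CI build on commit signatures (not the thread's code).
# Assumes git and gpg on PATH and the trusted public keys already imported
# into the runner's keyring; any key not in that keyring yields "U" or "E".

# Map git's one-letter %G? status to a verdict. Documented values:
#   G good signature, trusted key     U good signature, key not trusted
#   X good signature but expired      Y good signature, key expired
#   R good signature, key revoked     B bad signature
#   E signature cannot be checked     N no signature
signature_verdict() {
    case "$1" in
        G) echo ok ;;
        U) echo untrusted-key ;;
        X|Y) echo expired ;;
        R) echo revoked-key ;;
        B) echo bad-signature ;;
        E) echo unverifiable ;;
        N) echo unsigned ;;
        *) echo unknown-status ;;
    esac
}

# Read lines of the form "<sha> <status> <signer>" from stdin and return
# non-zero if any commit is not "ok". Only G passes: a good signature from
# an untrusted key proves nothing about who the author really is.
check_commit_lines() {
    rc=0
    while read -r sha status signer; do
        [ -n "$sha" ] || continue
        verdict=$(signature_verdict "$status")
        if [ "$verdict" = ok ]; then
            echo "PASS $sha signed by: $signer"
        else
            echo "FAIL $sha ($verdict)" >&2
            rc=1
        fi
    done
    return $rc
}

# In CI: every commit between the base branch and the proposed head must pass.
# Usage: check_range "$BASE_REF" "$HEAD_REF" (placeholder variable names).
check_range() {
    git log --format='%H %G? %GS' "$1..$2" | check_commit_lines
}

# Constructed sample data (not real commits): one trusted, one untrusted key,
# one unsigned commit. Expected to fail the check because of the last two.
demo_constructed() {
    printf '%s\n' \
        'deadbeef G Alice Example <alice@example.com>' \
        'cafef00d U Bob Example <bob@example.com>' \
        '0badc0de N' | check_commit_lines
}
```

Because the runner's keyring is the trust anchor, the check is only as strong as how those keys get onto the runner; pin them in the pipeline configuration rather than fetching from a keyserver at build time.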