On 24 Feb 2017, at 18:04, Owen O'Malley <omal...@apache.org> wrote:

> I think gpg signing of commits is a good practice. It also strongly discourages rebasing on master and release branches, which is also a good thing. On ORC, we try to sign all of our commits.
>
> .. Owen

Good to know it works. What are the trouble spots?

FWIW, I'm actually keeping the key and its signage on this little toy https://www.yubico.com/product/y4/ which works except on the newly rebuilt MacBook Pro, where the "Vieullez entre votre Pin" prompts all appear in French. Either I fix that or I learn a bit of French I never knew before. No idea why.

> On Fri, Feb 24, 2017 at 3:36 AM, Steve Loughran <ste...@hortonworks.com> wrote:
>
> For the next few days I'm experimenting with the -S option on signing commits, which tells git to ask gpg to sign the commit, which will then somehow get the little yubikey plugged into my laptop to do the signing.
>
> Because I've uploaded the public bit of the key to my github repo, Github can authenticate that it really was me doing the commit
> https://github.com/apache/hadoop/commit/9c22a91662af24569191ce45289ef8266e8755cc
>
> and, if I'm trusted in your keyring, a git log --show-signature
>
> git log --show-signature 9c22a91662
> commit 9c22a91662af24569191ce45289ef8266e8755cc
> gpg: Signature made Fri 24 Feb 10:41:40 2017 GMT
> gpg:                using RSA key 950CC3E032B79CA2
> gpg: Good signature from "Steve Loughran <ste...@apache.org>" [ultimate]
> Author: Steve Loughran <ste...@apache.org>
> Date:   Fri Feb 24 10:41:36 2017 +0000
>
>     HADOOP-14114 S3A can no longer handle unencoded + in URIs. Contributed by Sean Mackrory.
>
>     (cherry picked from commit ff87ca84418a710c6dc884fe8c70947fcc6489d5)
>
> You can also use GPG to sign a tag, then use git verify-tag to check the signature; this stops anyone being able to silently move a tag: you can move a tag, but then its signature is invalid.
>
> Will it help make our code and development process more secure? Not really, not if our build depends on pulling down artifacts from random places with an MD5 or SHA1 validation *at best*. And signing patches doesn't magically make the code inside secure. But it does at least add some chain of provenance to who actually put stuff in, rather than the logged committer of any patch being whoever that user chose to declare themselves to be.
>
> I'm only doing this for the never-rebased branches, and of course when something gets cherry picked, the signature becomes invalid. I'll decide after a week or two whether it's a viable process.
>
> The opinions/experience of others would be useful here
>
> -Steve
>
> ps, key in question: https://pgp.mit.edu/pks/lookup?op=get&search=0x950CC3E032B79CA2
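The provenance check the thread is reaching for, as an added example (not code from the thread or from Hadoop): it reads git's per-commit signature status for a never-rebased branch and flags every commit that is unsigned, badly signed, unverifiable, or signed by a key outside an allow-list, so a cherry-pick that dropped its signature shows up. The `git log` format string and the allow-list are assumptions; the sample log lines and their commit hashes are constructed, with the key id taken from the thread.

```python
from dataclasses import dataclass

# git's %G? signature-status letters, as documented in git-log(1) "PRETTY FORMATS".
GIT_SIG_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, unknown validity",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (e.g. missing key)",
    "N": "no signature",
}

# Assumed invocation that produces the input: one tab-separated line per commit.
#   git log --format='%H%x09%G?%x09%GK%x09%s' origin/trunk
LOG_FORMAT = "%H%x09%G?%x09%GK%x09%s"


@dataclass(frozen=True)
class Finding:
    commit: str
    status: str
    key: str
    subject: str
    reason: str


def audit_branch(log_text: str, trusted_keys: set[str]) -> list[Finding]:
    """Return one Finding per commit lacking a good signature from an allow-listed key."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        commit, status, key, subject = line.split("\t", 3)
        if status == "G" and key in trusted_keys:
            continue  # verified by gpg and the signing key is on the allow-list
        if status in ("G", "U") and key not in trusted_keys:
            reason = f"signed by key {key or '<none>'} that is not on the allow-list"
        else:
            reason = GIT_SIG_STATUS.get(status, f"unknown status {status!r}")
        findings.append(Finding(commit, status, key, subject, reason))
    return findings


# Constructed sample: fake 40-hex hashes and a placeholder key id DEADBEEFDEADBEEF.
SAMPLE_LOG = "\n".join([
    "1111111111111111111111111111111111111111\tG\t950CC3E032B79CA2\tHADOOP-14114 S3A can no longer handle unencoded + in URIs.",
    "2222222222222222222222222222222222222222\tN\t\tHADOOP-14114 (cherry picked, signature dropped)",
    "3333333333333333333333333333333333333333\tU\tDEADBEEFDEADBEEF\tMerge from a fork",
    "4444444444444444444444444444444444444444\tE\t950CC3E032B79CA2\tKey not present in the local keyring",
])
TRUSTED = {"950CC3E032B79CA2"}

if __name__ == "__main__":
    for f in audit_branch(SAMPLE_LOG, TRUSTED):
        print(f"{f.commit[:12]} {f.status} {f.reason}: {f.subject}")
```

Note that `U` is gpg saying the key is not trusted in the local keyring, which is exactly the "if I'm trusted in your keyring" caveat in the thread; the allow-list makes that decision explicit instead of leaving it to whoever ran the check.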