On 07/03/2015 05:19 PM, Andrew Savchenko wrote:
>
> As I see from git docs only commits and tags may be signed. There
> is no way to sign a push.

This was new to me, but check out the "--signed" flag of git-push (1).

> Moreover there is no need to sign each
> commit, see what Linux says on that:
> http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-td2582986.html
>
> ''
> Btw, there's a final reason, and probably the really real one.
> Signing each commit is totally stupid. It just means that you
> automate it, and you make the signature worth less. It also doesn't
> add any real value, since the way the git DAG-chain of SHA1's work,
> you only ever need _one_ signature to make all the commits
> reachable from that one be effectively covered by that one. So
> signing each commit is simply missing the point.
> ''

I think the next sentence is relevant:

  IOW, you don't _ever_ have a reason to sign anything but the "tip".

My interpretation is that it doesn't make sense to sign commits one
through nine if you're going to sign the tenth before pushing. But most
of our commits are small and self-contained so it's probably easier to
automate the signing with repoman than it would be to come up with a
to-sign-or-not-to-sign guide a mile long.
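
The property quoted above (one signature on the tip covers every commit reachable from it), as an added example that is not part of the original message: it computes object ids the way git does and shows that altering commit 3 of 10 changes every id from 3 up to the tip. The file name, identity, timestamp and file contents are constructed for the illustration.

```python
import hashlib
from typing import List, Optional

def git_object_id(kind: str, body: bytes) -> str:
    """Git object id: SHA-1 over '<kind> <size>' + NUL + body."""
    return hashlib.sha1(f"{kind} {len(body)}".encode() + b"\x00" + body).hexdigest()

def tree_id(filename: str, content: bytes) -> str:
    """Id of a tree holding one regular file (mode 100644)."""
    blob = bytes.fromhex(git_object_id("blob", content))
    return git_object_id("tree", b"100644 " + filename.encode() + b"\x00" + blob)

def commit_id(tree: str, parent: Optional[str], message: str) -> str:
    """Serialize a commit as git does; the parent id is part of the hashed body."""
    # Constructed identity and timestamp, fixed so the ids are reproducible.
    ident = "Example Dev <dev@example.org> 1435940340 +0000"
    lines = [f"tree {tree}"]
    if parent:
        lines.append(f"parent {parent}")
    lines += [f"author {ident}", f"committer {ident}", "", message, ""]
    return git_object_id("commit", "\n".join(lines).encode())

def build_chain(versions: List[bytes]) -> List[str]:
    """Linear history: one commit per file version, each naming its parent."""
    ids: List[str] = []
    for n, content in enumerate(versions, 1):
        parent = ids[-1] if ids else None
        ids.append(commit_id(tree_id("package.ebuild", content), parent, f"commit {n}"))
    return ids

def first_divergence(a: List[str], b: List[str]) -> Optional[int]:
    """1-based position of the first commit whose id differs, or None."""
    return next((i for i, (x, y) in enumerate(zip(a, b), 1) if x != y), None)

if __name__ == "__main__":
    versions = [f"version {n}\n".encode() for n in range(1, 11)]
    original = build_chain(versions)
    versions[2] = b"version 3, altered after the tip was signed\n"
    tampered = build_chain(versions)
    print("first changed commit:", first_divergence(original, tampered))
    # The signed tip commit embeds its parent's id, so the old signature
    # no longer matches any commit in the altered history.
    print("tip id unchanged:", original[-1] == tampered[-1])
```

Commits 1 and 2 keep their ids because nothing they hash has changed; everything from the altered commit onward gets a new id, which is why a verifier that checks the tip signature detects a change anywhere below it.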