Git supports signing with SSH keys, although documentation is scarce (I
only found <https://blog.dbrgn.ch/2021/11/16/git-ssh-signatures/>).
Could support for SSH keys only for signing commits (i.e. no access to
any (private) repositories) be added? Would patches be accepted?
On 11/20/23 21:56, Jackson wrote:
> Git supports signing with SSH keys, although documentation is scarce (I
> only found <https://blog.dbrgn.ch/2021/11/16/git-ssh-signatures/>).
>
> Could support for SSH keys only for signing commits (i.e. no access to
> any (private) repositories) be added? Would patches be accepted?
Not sure I understand what you are trying to achieve. You should be able
to sign your commits with whatever key you see fit, PGP or SSH, no
special support from our side needed. If you don't want the key to have
access to your repos, simply don't add it to your account?
On Wed Nov 22, 2023 at 5:09 PM CET, Conrad Hoffmann wrote:
> Not sure I understand what you are trying to achieve.
One thing is that it would make validating these signatures easier since
sourcehut provides an easy way to retrieve any account's SSH keys.
--
Moritz Poldrack
https://moritz.sh
> For best results, follow directions carefully.
On 2023-11-22 17:09, Conrad Hoffmann wrote:
> Not sure I understand what you are trying to achieve. You should be able
> to sign your commits with whatever key you see fit, PGP or SSH, no
> special support from our side needed. If you don't want the key to have
> access to your repos, simply don't add it to your account?
Oh, you're right. I can just simply not add the SSH key to my account.
In the case of GitHub and GitLab, they can verify commit signatures and
show them as verified on the web interface. Both provide adding SSH keys
only for the purposes of signing commits.
I didn't consider that sourcehut still doesn't have commit signature
verification when asking my question.