Question about signed commits using gpg keys and "Rebase if necessary" merge strategy.


Shashank Yadav

May 21, 2019, 9:59:30 PM
to Repo and Gerrit Discussion
I was curious about how Gerrit handles the case where a commit signed by a user is merged to master after a rebase due to the "Rebase if necessary" merge strategy, which would break the user's signature (after the rebase, the commit's parent, which is part of the signed data, changes). Is there a way Gerrit can be configured to run git rebase with custom parameters like `--gpg-sign=<automation key>` when it invokes rebase while merging?

Shashank Yadav

May 21, 2019, 10:08:21 PM
to Repo and Gerrit Discussion
Also, the same issue would happen with other merge strategies like "Merge if necessary" and "Cherry pick" (everything apart from "Fast forward only"), since new commits are generated in these cases. These would require the commits to be signed by an automation user during these operations, to ensure all commits on the master branch have a valid GPG signature associated with them which can be verified/audited if necessary.

Gert van Dijk

May 22, 2019, 5:06:35 AM
to Repo and Gerrit Discussion
Please see also Issue 10862 [1]; Gerrit does not yet support signed commits at all at this time (it does support receiving signed tags and signed pushes).

I haven't yet tried to see what happens if Gerrit rebases a signed commit of a change. Please note that Gerrit uses JGit, so there's no 'git' command being run that could be adjusted to include parameters like the ones you mentioned. JGit has only gained support for signing commits recently [2], so theoretically this could be implemented in Gerrit some day, with all kinds of options on how/what Gerrit could automatically sign when it amends a commit for the user.

I suggest filing that as a separate feature request, as 10862 basically describes a verification UI during review rather than post-submit signatures.

HTH

Shashank Yadav

May 23, 2019, 4:18:33 AM
to Repo and Gerrit Discussion
Thanks for the reply, Gert! I am aware that JGit currently only supports signing commits, after this JGit review in January. So, to conclude my original question: supporting verification of git commits in Gerrit will not be possible, either officially or via a plugin, until JGit supports signature verification. It seems like having the merge strategy set to `fast-forward only` is the only way to prevent Gerrit from modifying the commit in any way, thus preserving the GPG signature's validity. As suggested, I'll file a feature request against Gerrit requesting appropriate handling of post-submit signatures.
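As an added illustration of the mechanism this thread turns on (example code written for this page, not code from the thread, from Gerrit or from JGit): git signs the raw commit object with its `gpgsig` header stripped, so the parent and committer lines are inside the signed bytes, and any rewrite of the parent (rebase, cherry-pick, merge) both changes that payload and produces a new commit object that carries no signature at all. The commit object below is constructed, with a placeholder in place of a real PGP signature; `has_signature` is the kind of check an audit of a branch's history would run.

```python
# Constructed sample: a raw git commit object as `git cat-file commit <sha>`
# prints it. The signature body is a placeholder, not a real PGP signature.
SIGNED_COMMIT = (
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    b"parent aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n"
    b"author Dev <dev@example.com> 1558468770 +0530\n"
    b"committer Dev <dev@example.com> 1558468770 +0530\n"
    b"gpgsig -----BEGIN PGP SIGNATURE-----\n"
    b" \n"
    b" iQEzBAABCAAdFiEE<placeholder, not a real signature>\n"
    b" -----END PGP SIGNATURE-----\n"
    b"\nAdd feature\n"
)

def split_commit(raw: bytes):
    """Split a raw commit object into (key, value) headers and the message."""
    header_blob, _, message = raw.partition(b"\n\n")
    headers = []
    for line in header_blob.split(b"\n"):
        if line.startswith(b" ") and headers:
            # continuation line of a multi-line header such as gpgsig
            key, val = headers[-1]
            headers[-1] = (key, val + b"\n" + line[1:])
        else:
            key, _, val = line.partition(b" ")
            headers.append((key, val))
    return headers, message

def join_commit(headers, message: bytes) -> bytes:
    """Inverse of split_commit: multi-line values get leading-space continuations."""
    lines = [k + b" " + v.replace(b"\n", b"\n ") for k, v in headers]
    return b"\n".join(lines) + b"\n\n" + message

def signed_payload(raw: bytes) -> bytes:
    """The bytes gpg actually signed: the object minus its gpgsig header.
    tree, parent(s), author and committer all sit inside this payload."""
    headers, message = split_commit(raw)
    return join_commit([(k, v) for k, v in headers if k != b"gpgsig"], message)

def has_signature(raw: bytes) -> bool:
    """Audit check: does this commit carry a signature header at all?"""
    return any(k == b"gpgsig" for k, _ in split_commit(raw)[0])

def rebase_onto(raw: bytes, new_parent: bytes) -> bytes:
    """Model the rewrite a rebase/cherry-pick performs: new parent line, and
    no gpgsig, since git never copies a signature onto a rewritten commit."""
    headers, message = split_commit(raw)
    rewritten = [(k, new_parent if k == b"parent" else v)
                 for k, v in headers if k != b"gpgsig"]
    return join_commit(rewritten, message)
```

Run against a real repository by feeding `git cat-file commit <sha>` output to `has_signature` for every commit on the branch; the rebased object's differing payload is why the original signature cannot verify against it.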