Gerrit support for signed Git commits and tags

[Zoltan]

It would be nice if Gerrit had support for verifying signed Git commits (created with git commit -S) and signed tags (created with git tag -s).

The functionality could be along the lines as done in Gitlab:

https://docs.gitlab.com/ee/user/project/repository/gpg_signed_commits/

For example, it would be nice if Gerrit could verify and show signed commits in the repo browser GUI, and show/enforce signed commits during change management.

Is this something that has been discussed or considered?

/Zoltan

[Matthias Sohn]

Signing commits was implemented in JGit 5.3.0, verifying signed commits isn't yet implemented

and is needed to support this in Gerrit.

-Matthias 

[Jonathan Nieder]

Zoltan wrote:

It would be nice if Gerrit had support for verifying signed Git commits (created with git commit -S) and signed tags (created with git tag -s).

Thanks for writing. Changing the subject a bit, are you familiar with Gerrit's support for signed push ("git push --signed", https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#receive.enableSignedPush)?

I don't see any feature requests in https://crbug.com/gerrit about signed commit validation. Feel free to add one with more details about your use case.

Thanks,

Jonathan

[Zoltan Kelemen]

Jonathan Nieder wrote:

Thanks for writing. Changing the subject a bit, are you familiar with Gerrit's support for signed push ("git push --signed", https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#receive.enableSignedPush)?

Yes, I checked that feature out, but unfortunately it was not completely what I needed.

 

I don't see any feature requests in https://crbug.com/gerrit about signed commit validation. Feel free to add one with more details about your use case.

I will do that, thanks. (I just wanted to check here first in case this had already been discussed).

/Zoltan