PGP signing commits

Martin Bednar martin at serafean.cz
Fri Jun 12 13:24:21 BST 2026


Hi,

On Thursday, 11 June 2026 22:34:27 Central European Summer Time Sven Brauch 
wrote:
> 
> What do you effectively do with these signatures? I.e. what meaningful 
> verification can you do assuming a commit is signed, in doubt, by some 
> random guy nobody has ever met? At best, you can say "this and this 
> contribution are by the same person", but not even the opposite is true 
> since people can just say they lost their key.

The Linux kernel uses PGP signing of commits as a failsafe in case 
infrastructure gets compromised.
https://www.kernel.org/doc/html/next/process/maintainer-pgp-guide.html

That actually is something signed commits/tags can do. I don't think that 
requires every commit to be signed.

Regards,

Martin
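The failsafe Martin describes, shown as an added example (this script is not part of the thread, the KDevelop project, or the kernel's own tooling): a repository in which individual commits stay unsigned and only the release tag is signed, so that once the public key is known, a tag re-pointed by someone with write access to the hosting server no longer verifies. The maintainer identity, the key, and the repository contents are all throwaway values constructed here; it needs `git` and `gpg` 2.1 or newer on the PATH.

```shell
#!/bin/sh
# Added example, not code from the original thread. Demonstrates signed tags as
# a failsafe against compromised hosting: unsigned commits, one signed tag,
# verification of the genuine tag, and rejection after an attacker re-tags.
# Everything lives in a throwaway directory; the maintainer identity is made up.
set -u

# Stop the agent bound to the throwaway keyring and remove the work directory.
cleanup() {
    gpgconf --kill gpg-agent 2>/dev/null
    unset GNUPGHOME
    rm -rf "$1"
}

# Returns 0 when the genuine tag verifies and the tampered one is rejected.
signed_tag_failsafe_demo() {
    command -v git >/dev/null 2>&1 || { echo "git not found" >&2; return 1; }
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; return 1; }

    work=$(mktemp -d) || return 1
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    repo="$work/repo"

    # Throwaway signing key for a hypothetical maintainer (constructed identity).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Example Maintainer <maintainer@example.invalid>' \
        default default never 2>/dev/null || { cleanup "$work"; return 1; }
    fpr=$(gpg --batch --with-colons --list-secret-keys | awk -F: '/^fpr/ {print $10; exit}')

    git init -q "$repo" || { cleanup "$work"; return 1; }
    git -C "$repo" config user.name "Example Maintainer"
    git -C "$repo" config user.email "maintainer@example.invalid"
    git -C "$repo" config user.signingkey "$fpr"
    git -C "$repo" config gpg.program gpg

    # Ordinary unsigned commit: the kernel workflow signs tags, not every commit.
    echo "hello" > "$repo/README"
    git -C "$repo" add README
    git -C "$repo" commit -q -m "Initial import"
    git -C "$repo" tag -s v1.0 -m "Release v1.0" || { cleanup "$work"; return 1; }

    # 1. Genuine tag: verification against the maintainer's key succeeds.
    if ! git -C "$repo" verify-tag v1.0 2>/dev/null; then
        echo "genuine tag did not verify" >&2; cleanup "$work"; return 1
    fi

    # 2. Attacker with write access to the server rewrites history and re-points
    #    the tag. Without the maintainer's private key the replacement tag can
    #    only be unsigned (or signed by some other key), so verification fails.
    echo "backdoor" >> "$repo/README"
    git -C "$repo" commit -q -a -m "Innocent-looking fix"
    git -C "$repo" tag -f -a v1.0 -m "Release v1.0" >/dev/null
    if git -C "$repo" verify-tag v1.0 2>/dev/null; then
        echo "tampered tag unexpectedly verified" >&2; cleanup "$work"; return 1
    fi

    cleanup "$work"
    echo "genuine tag verified; tampered tag rejected"
    return 0
}

signed_tag_failsafe_demo
```

The check that matters in practice is the one in step 2: anyone pulling from the compromised server runs `git verify-tag` (or `git pull --verify-signatures`) against a key they obtained out of band, so the rewritten history is caught regardless of what the server now claims.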