PGP signing commits
Martin Bednar
martin at serafean.cz
Fri Jun 12 13:24:21 BST 2026
Hi,
On Thursday, 11 June 2026 22:34:27 Central European Summer Time Sven Brauch
wrote:
>
> What do you effectively do with these signatures? I.e. what meaningful
> verification can you do assuming a commit is signed, in doubt, by some
> random guy nobody has ever met? At best, you can say "this and this
> contribution are by the same person", but not even the opposite is true
> since people can just say they lost their key.
The Linux kernel uses PGP signing of commits as a failsafe in case
infrastructure gets compromised.
https://www.kernel.org/doc/html/next/process/maintainer-pgp-guide.html
That actually is something signed commits/tags can do. I don't think that
requires every commit to be signed.
Regards,
Martin
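As an added illustration of the check Martin refers to (example code, not from the thread and not the kernel's own tooling): a POSIX shell script that walks a commit range and rejects any commit whose signature does not verify as good and fully trusted, which is the test a clone can be put through when the hosting infrastructure is suspected to be compromised. It assumes git and gpg are installed and that the maintainers' keys have already been imported into the local keyring with the trust the reviewer has decided on.

```shell
#!/bin/sh
# Audit a commit range: accept only commits whose PGP signature verifies
# against a fully trusted key in the local keyring (git status letter "G").
# Any other status (unsigned, bad, untrusted key, missing key, expired,
# revoked) is reported and makes the check fail. Constructed example.

# Print "<sha> <status> <signer>" for every commit in RANGE of REPO.
# Status letters are git's own %G? placeholder: G good, B bad,
# U good but untrusted key, X good but expired, Y expired key,
# R revoked key, E cannot be checked (key missing), N no signature.
list_signature_status() {
    repo=$1; range=$2
    git -C "$repo" log --format='%H %G? %GS' "$range"
}

# Return 0 only if every commit in RANGE carries a good signature from a
# fully trusted key. Offending commits are printed to stderr with status.
verify_commit_range() {
    repo=$1; range=$2
    out=$(list_signature_status "$repo" "$range") || return 1
    [ -n "$out" ] || return 1   # nothing to verify: refuse rather than pass
    printf '%s\n' "$out" | while read -r sha status signer; do
        case $status in
            G) ;;   # good signature, fully trusted key
            *) printf 'REJECT %s status=%s signer=%s\n' \
                   "$sha" "$status" "$signer" >&2
               exit 1 ;;
        esac
    done
}

# Releases are usually published as signed tags rather than signed
# commits; verify one explicitly (fails on a missing or bad signature).
verify_release_tag() {
    git -C "$1" verify-tag "$2"
}
```

Run it as `verify_commit_range /path/to/clone v6.9..HEAD` after importing the keys you trust; a "U" result means the signature is valid but you have not assigned trust to that key, so decide on the trust level deliberately rather than accepting the commit.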